Hardened TrueOS


#1

Hi, I state that I used TrueOS and I was well. Unfortunately, the only thing that I do not like is that there is no hardening; it is true you use LibreSSL, nothing more. I believe that already an implementation like ASLR (can be used in FreeBSD and HardenedBSD) would be appreciated, so as to have a fast, robust and secure system.
What do you think?


#2

TrueOS is just FreeBSD “under-the-hood”, so if FreeBSD has ASLR available/enabled then we get it by default as well (Note that TrueOS follows the “-Current” branch of FreeBSD, so we don’t need to wait for things to get backported to any of the “-Stable” branches either).

A cursory search makes it seem like ASLR support has not been committed to FreeBSD itself yet (still in review?), but I am not sure of the current status of those patches.


#3

Just to add a little more to what @beanpole135 has said: I believe that the folks over at hardenedbsd.org (Shawn and Oliver) have been pushing or trying to push some of their changes upstream to FreeBSD proper. I can’t say how successful they’ve been, but I know they are active on the FreeBSD mailing lists; I’ve seen one or two discussions head towards the bike shed. I think that what TrueOS is doing is the correct path given the focus on the desktop. Let any hardening get into upstream and then pull it down. Security issues (CVEs) get fixed pretty quickly in FreeBSD, so TrueOS shouldn’t be too far behind. You also have to keep in mind “exposure”: is a threat real (not just theoretical), is there a reported exploit, what is the attack vector? For a threat that requires someone to be physically sitting at a console already with root access, well, that would be real, but wouldn’t get me all riled up. Something that can gain root access by me simply visiting a web page and an autorun ad gains root access, that’s different.


#4

Thanks for the replies. I am a user of Gentoo Hardened; yes, you are right, the problem is upstream on FreeBSD. Most distros use AppArmor (for Ubuntu and openSUSE), SELinux (Fedora etc.) and all slowly are introducing hardening, even after the last facts of WikiLeaks; who would expect Hal to be an attack vector? Of the security modules that can be MAC, or simply modules ASLR etc., help to avoid upstream different types of attacks. I do not understand why it does not introduce these modules already tested by time in HardenedBSD (which I tried but is unusable at the desktop level, even booting the X server has become difficult). If I could honestly use OpenBSD, the only thing that keeps me on Gentoo Hardened is the fact that TrueOS (which for the rest is fine) does not give too much importance (this because of FreeBSD) to security.


#5

Just for some clarity, there are two things here that people generally conflate.
ASR and ASLR. The HBSD site has a breakdown between the two: https://hardenedbsd.org/content/freebsd-and-hardenedbsd-feature-comparisons

Generally in most cases for a home user ASR is sufficient, which is why FreeBSD has not pulled in the ASLR mechanisms that HBSD has developed. HBSD takes a far more paranoid approach towards security than FreeBSD, sort of in the vein of how OpenBSD operates.

If you are in a situation where you specifically need the higher focus on security, you can compile the TrueOS tools into HardenedBSD, but you will have to do the heavy lifting yourself. It’s not that difficult, but it’ll take some time to compile/configure various things here and there. You could do the same on OpenBSD, but it’d require quite a bit more effort since it’s not the same OS as FreeBSD.


#6

Sorry, I don’t understand this statement.
FreeBSD is a well-known ‘server’ OS, not much of a home user desktop OS.
I can understand why, if FreeBSD had ASLR, TrueOS didn’t want to have that. But by saying FreeBSD doesn’t have it because ASR is sufficient for a home user, that doesn’t make much sense to me.

I completely understand vague 1990s/2000s terms like server OS and desktop are not much applicable anymore, as FreeBSD can run both - just as you and your wonderful team have shown with TrueOS.


#7

The ‘home’ term was a bad choice. Yes FreeBSD is a server OS, but it was never designed with the same focus on Security as OpenBSD for example, which defaults to better security even if it makes things more difficult for the user. As a result FBSD will always be a bit more insecure, even if by a small amount… that amount still exists.

HBSD is an attempt to lean more towards that security-first mentality while staying true to FBSD roots. For most server applications ASR is good enough. But in situations where you need to put a server in a hostile theater… HBSD would fare better when facing multiple APTs. For 99.9% of the use cases… what HBSD brings to the table is not needed. HBSD is trying to target the 0.1% where it does.