HardenedBSD December 2023 Status Report

Happy new year! In December, the focus was on finishing the move to our new home. Updates were applied across the entire infrastructure.

In src, we reverted commit 8cf35a2cbe0270666845a5f2634cfc50c90696f1, which had originally set the default umask to 027. This is a bit too strict to work in the real world as a default for HardenedBSD, so we chose to revert to 022.

In ports, textproc/jq was updated to 1.7.1. CFI and SafeStack were enabled for textproc/jq. ports-mgmt/poudriere-hbsd was updated to 3.4.

The secadm project was brought up to date to account for recent VFS-related changes in FreeBSD. The ports entry was updated accordingly.

While not an official HardenedBSD project, libhijack has given inspiration to new hardening techniques. libhijack is a post-exploitation tool that can be used to inject arbitrary code and hook dynamically loaded functions. It's a tool that I created, with origins dating back to the early 2000s. libhijack can now inject shared objects over the ptrace boundary anonymously. For those curious, libhijack can be found here: https://github.com/SoldierX/libhijack