HardenedBSD March 2024 Status Report

What a busy month it has been! And not just for HardenedBSD, but for the rest of the security and IT industries as we work through the xz backdoor (CVE-2024-3094).

In src, the hbsdcontrol utility, and the library implementing the core logic (libhbsdcontrol) were rewritten from the ground up. While the implementation is now feature complete, there is still a bit of work to be done. Chiefly, rewriting the manual pages. After the documentation is updated, I plan to also integrate libucl support, to support JSON output and perhaps also support applying rules specified by a configuration file.

In ports, www/firefox was fixed and the minimum llvm version number was bumped for devel/boost.

Updates were applied across the entire infrastructure. A new build of hbsdfw (a HardenedBSD-basd fork of OPNsense) was deployed. This build has some issues, so I would recommend others not to deploy it, though it works fine enough for us to keep this current build deployed.

Here's what to look for in April:

  1. Continued work on {,lib}hbsdcontrol.
  2. I'm hoping to study more the dance between the CSU, libc, libthr, and the RTLD.
  3. More work on libhijack, perhaps a new shim library that gets injected to help aid further process injection work.

And, lastly:

$ fetch -q -o - https://api.github.com/repos/HardenedBSD/HardenedBSD | jq -r .created_at

Happy birthday, HardenedBSD! May the next decade be as impactful as the previous.