New stable versions: HardenedBSD-stable 10-STABLE v40.3 and v40.4 and 11-CURRENT v40.2

HardenedBSD-10-STABLE-v40.4 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...
---------------------------------------
[hardenedbsd] HBSD: fix MAP32_BIT mode mmap when allowed

HardenedBSD-10-STABLE-v40.3 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...
---------------------------------------
[hardenedbsd] HBSD: add WITHOUT_HBSD_UPDATE src.conf knob to disable hbsd-build's installation
[hardenedbsd] HBSD: fix build on i386
[hardenedbsd] Revert "HBSD: Default jemalloc's lg_chunk to 16 from 21."
[freebsd] FreeBSD 10.3-BETA2
[freebsd] EFI fixes
[freebsd] Adjust initialization of random(9) so it is usable earlier.
[hardenedbsd] lot of new hardenedbsd related man page
[freebsd] OpenSSH 7.1p2
[hardenedbsd] HBSD: Update updater root certificate

HardenedBSD-11-CURRENT-v40.2 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...
------------------------------------------
[hardenedbsd] HBSD: add WITHOUT_HBSD_UPDATE src.conf knob to disable hbsd-build's installation
[hardenedbsd] HBSD: fix build on i386
[hardenedbsd] Revert "HBSD: Default jemalloc's lg_chunk to 16 from 21."
[freebsd] EFI fixes
[freebsd] Adjust initialization of random(9) so it is usable earlier.
[hardenedbsd] lot of new hardenedbsd related man page
[freebsd] OpenSSH 7.1p2
[hardenedbsd] HBSD: Update updater root certificate
[freebsd] Update em(4) to 7.6.1; update igb(4) to 2.5.3. (skylake support)
[freebsd] hyperv support cleanup / rewrite
[freebsd] ZFS + UEFI support

New stable versions: HardenedBSD-stable 10-STABLE and 11-CURRENT v40.1

HardenedBSD-10-STABLE-v40.1 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...
---------------------------------------
[hardenedbsd] HBSD: Don't check for ZFS KLD when non-root.
[hardenedbsd] HBSD: Harden KLD-related syscalls
[hardenedbsd] HBSD: Add /proc to the hbsd-update's skipped files list.
[hardenedbsd/freebsd] HBSD: ktrace: tidy up ktrstruct
[freebsd] Merge OpenSSL 1.0.1r.
[freebsd] Add EFI ZFS boot support

New stable versions: HardenedBSD-stable 10-STABLE and 11-CURRENT v40

HardenedBSD-10-STABLE-v40 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...
-------------------------------------
[freebsd] Implement AT_SECURE properly. FreeBSD-SA-16:10.linux (HardenedBSD not affected by default install)
[freebsd] ntpd update FreeBSD-SA-16:09.ntp (already fixed in 10-STABLE v39.2)
[hardenedbsd] HBSD: Default jemalloc's lg_chunk to 16 from 21.
[freebsd] continued UEFI loader rewrite

New Member - CTurt

We've added a new member to the HardenedBSD team! CTurt will be working with us to research, exploit, and produce patches for kernel-level vulnerabilities. We'll be working on getting these kernel security enhancements upstreamed to FreeBSD after the fixes have been deemed stable in HardenedBSD first.

New development versions.

What's new:
* changed internal data types
* added new KPI to query the current HardenedBSD hardening version (in this case it returns 40)
* the default stack protection from RWX has changed to RW on amd64 architecture, this change is a noop when you have enabled NOEXEC in your kernel config (this is the default)
* fixed etcupdate integration to hbsd-update

Introducing HardenedBSD's New Binary Updater

One feature our users have been asking us ever since we officially launched over a year ago was to provide binary updates for base and kernel. We are excited to announce that we are launching the framework for binary updates today! We still need to tie in the update build script to our continuous integration infrastructure. For now, updates for the hardened/current/master branch of the HardenedBSD repo will be done manually. When we create the next installers/distsets for the HardenedBSD-stable repo, we'll also support updates there. You will notice two new programs, /usr/sbin/hbsd-update and /usr/sbin/hbsd-update-build, which apply and build update packages, respectively. This work was sponsored by G2, Inc, who has an immediate need for binary updates.

Please note that this feature is still experimental. Read on for design documentation.

Introducing secadm 0.3.0-beta-01

Over the last few months, Brian Salcedo has been working on rewriting our secadm tool from scratch. We're excited to announce the first beta release of secadm 0.3.0. User-facing changes in this release include:

  1. secadm set is now secadm load and requires a file path.
  2. secadm list is now secadm show.
    • You can now export the ruleset to different formats with the -f argument! For example, secadm show -f json exports the rules to JSON format.
  3. You can now add/remove rules one at a time with secadm add and secadm del.
  4. You can now enable/disable rules one at a time with secadm enable and secadm disable.
  5. UCL rule language is nearly the same.

Please give this release a try. You can download the tarball here and the GPG signature here. If you find any issues, please email Brian Salcedo (brian.salcedo {at} hardenedbsd.org) and CC Shawn Webb (shawn.webb {at} hardenedbsd.org).

Follow this example for the new UCL syntax:

secadm {
    pax = {
        path = "/usr/local/bin/testpie";
        aslr = false;
    }
}

Update 2015-11-22 21:58 EST: An issue was found with the PAGEEXEC and MPROTECT feature parsing. The version number has been bumped to 0.3.0-beta-02 and the links have been updated accordingly.

Pages

Subscribe to HardenedBSD RSS