Date: Tue, 21 Nov 2006 11:59:27 +0000 (GMT)
From: Robert Watson <rwatson@FreeBSD.org>
To: Jeremie Le Hen
Cc: hackers@freebsd.org, Vini Engel
Subject: Re: Hardening FreeBSD, does anyone have any documentation that may help?
Message-ID: <20061121115555.Y50450@fledge.watson.org>
In-Reply-To: <20061120223407.GF20405@obiwan.tataz.chchile.org>
List-Id: Technical Discussions relating to FreeBSD

On Mon, 20 Nov 2006, Jeremie Le Hen wrote:

> On Thu, Nov 09, 2006 at 11:54:10PM +1100, Vini Engel wrote:
>
>> This may not seem to be the best place to ask for this, but as this is
>> supposed to be a list for high-level discussions I am assuming that some
>> people must know how to harden FreeBSD and/or may have articles and
>> other docs that can be shared.
>>
>> We have a set of simple policies that are used to harden FreeBSD machines,
>> but I would like to make it better and also would like to see how people do it
>> out there so that I can pick the ideas that we find interesting/useful for
>> us here and improve our hardening skills.
>>
>> Our machines range from DNS servers to mail servers and a few
>> router/firewalls. Some of them don't have to have anything special, but some
>> others have to comply with the policy of the highly protected networks that
>> they live in, hence the reason why I want to improve my hardening skills.
>>
>> Any info will be greatly appreciated!
>
> I have a patch to integrate ProPolice into FreeBSD RELENG_6. Though this is
> obviously not officially supported by FreeBSD, some people (including me)
> use it on production servers. It might be worth using it, depending on
> which security measures you are looking for.
>
> See http://tataz.chchile.org/~tataz/FreeBSD/SSP/

FYI, Silby gave a nice mini-talk/discussion at EuroBSDCon on the topic of gcc4
security features. It seems like there's a lot of support for having these
things in FreeBSD, but a strong reluctance to have large outstanding patchsets
against the compiler and build chain, hence the continued "strategy" of waiting
for them to arrive in gcc4. Most questions boiled down to:

- What are the ABI impacts? Assuming that protection features arrive and
  depart, and that reasonable application backward compatibility is required
  for programs and libraries. Of particular interest was the case where we turn
  on a protection feature in X.Y and discover that this was a bad idea, so turn
  it off in X.Y+1.

- What are the performance characteristics in a variety of real-world
  workloads?

One of the universal comments was that we really think it's great that a patch
is being maintained against current FreeBSD releases/branches with this
functionality.

Robert N M Watson
Computer Laboratory
University of Cambridge
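The ABI question raised in the message above turns on where the stack protector's guard value and failure handler live, since instrumented binaries reference them from libc. As an added example (not code from the thread or from the FreeBSD SSP patch), the following C emulates what ProPolice / gcc 4 -fstack-protector instrumentation does to a function with a local buffer; the guard value, frame struct and function names are constructed for the demonstration, and the libc symbol names in the comments are the ones the gcc 4 scheme uses.

```c
#include <stdint.h>
#include <string.h>
/* Emulation of what ProPolice / gcc 4 -fstack-protector instrumentation does; an added
 * example, not code from the thread or the FreeBSD SSP patch. In a real build the guard is
 * a libc-owned object (__stack_chk_guard in the gcc 4 scheme) and the failure path is libc's
 * __stack_chk_fail: those two exported symbols are the ABI coupling between instrumented
 * binaries and the C library that the thread's first question is about. Here both are
 * ordinary data and functions in this file, so it runs without any SSP support. */
static uintptr_t stack_guard;   /* stands in for the libc-owned guard object */
static int smash_count;         /* counts detections instead of aborting the process */

/* Stand-in for __stack_chk_fail: libc's version logs and aborts, ours records the event. */
static void stack_chk_fail_emulated(void) { smash_count++; }

/* Stand-in for the random guard set up at process start; the caller passes a constructed
 * value so the result is deterministic. */
void init_guard(uintptr_t value) { stack_guard = value; }

/* Frame layout the compiler produces: the guard copy sits between the local char buffer and
 * where the saved frame pointer and return address would be. Modelled as a struct so every
 * write below stays inside one object. */
struct protected_frame {
    char buf[16];
    uintptr_t canary;
};

/* The instrumented function: prologue copies the guard in, the body does an unchecked copy,
 * the epilogue compares the copy with the guard before returning.
 * Returns 1 when the canary survived, 0 when the copy ran past buf and was detected. */
int copy_with_canary(const unsigned char *src, size_t len)
{
    struct protected_frame f;
    f.canary = stack_guard;                 /* prologue */
    if (len > sizeof f)
        len = sizeof f;                     /* keep the write inside the struct object */
    memcpy(&f, src, len);                   /* body: buf is at offset 0, no bounds check */
    if (f.canary != stack_guard) {          /* epilogue */
        stack_chk_fail_emulated();
        return 0;
    }
    return 1;
}

/* Constructed input of 'A' bytes: len 15 fits in buf, len 20 runs into the canary. */
int demo(size_t len)
{
    unsigned char in[sizeof(struct protected_frame)];
    memset(in, 'A', sizeof in);
    return copy_with_canary(in, len < sizeof in ? len : sizeof in);
}
int smash_detections(void) { return smash_count; }
```

The point for the X.Y / X.Y+1 case is visible in the comments: a binary built with the protection carries references to the guard and failure symbols, so a later libc that stops providing them breaks those binaries even if the compiler option is turned off.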