/r/hardenedbsd
Founded in 2014 by Oliver Pinter and Shawn Webb, HardenedBSD is a security-enhanced fork of FreeBSD. Our primary goal is to provide a clean-room reimplementation of the publicly-documented parts of the grsecurity patchset for Linux.
I've used HardenedBSD for a while, but it's been a long time since I tried using it as a desktop. I remember having to use secadm rules in the past to make Firefox work. I installed secadm and rebooted to see it start up with the system. I found examples online like this:
pax {
    path: "/usr/local/lib/firefox/firefox",
    mprotect: false,
    disallow_map32bit: false,
    pageexec: false,
}
And like this:
pax {
    path: "/usr/local/lib/firefox/firefox",
    mprotect: false,
    disallow_map32bit: false,
    pageexec: false,
}
Both of these say 'No Rules' when I load them from a file:
# secadm load /usr/local/etc/firefox.rules
No rules.
I don't know, but most of the links I found were from 2018 or 2016. I assume this has changed. Anyone know how to do this now?
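An added example, not from the post above and not taken from secadm's own documentation: the rule-file layout as I recall it from secadm's README wraps each pax rule in a top-level secadm block. That wrapper is an assumption to check against secadm(8) on your system; the path and the fields are the ones the post already uses.

```ucl
# /usr/local/etc/firefox.rules
# Added example. Assumption: secadm expects a top-level "secadm" block
# around the per-binary "pax" rules rather than a bare "pax" block.
secadm {
    pax {
        path: "/usr/local/lib/firefox/firefox",
        mprotect: false,
        disallow_map32bit: false,
        pageexec: false,
    }
}
```

Load it with secadm load /usr/local/etc/firefox.rules as in the post, then check what secadm lists afterwards. On current HardenedBSD the same per-binary PaX switches are also exposed through hbsdcontrol(8), which stores them as extended attributes on the binary; the exact command form (for example hbsdcontrol pax disable mprotect on the firefox binary) is from memory, so confirm it with the man page before relying on it.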
Anyone build SoloBSD using HardenedBSD lately? I know that SoloBSD is not HardenedBSD, but it seemed this problem could come from Solo or HardenedBSD. I downloaded the latest version from this github. I've tried building with this as root:
make iso CUSTOM=1 BUILDWORLD=1 BUILDKERNEL=1 ROOTHACK=1
It has repeatedly failed like this while trying a make clean in between builds:
cat /usr/src/tests/sys/vmm/vmm_cred_jail.sh >>vmm_cred_jail.tmp
chmod +x vmm_cred_jail.tmp
mv vmm_cred_jail.tmp vmm_cred_jail
===> tests/atf_python (all)
===> tests/atf_python/sys (all)
===> tests/atf_python/sys/net (all)
===> tests/atf_python/sys/netlink (all)
===> tests/atf_python/sys/netpfil (all)
===> tests/atf_python/sys/netpfil/ipfw (all)
===> etc (all)
===> etc/termcap (all)
set -e; (echo "# AUTOMATICALLY GENERATED FROM basename /usr/src/share/termcap/termcap"; for tcname in SC cons25 cons25-m cons25-w cons25l1 cons25l1-m cons25l1-w cons25l2 cons25l2-m cons25l7 cons25l7-m cons25r cons25r-m cons25r-mv cons25r-v cons25w cons30 cons30-m cons30-w cons30l1 cons30l1-m cons30l1-w cons30l2 cons30l2-m cons30l7 cons30l7-m cons30r cons30r-m cons30r-mv cons30r-v cons43 cons43-m cons43-w cons43l1 cons43l1-m cons43l1-w cons43l2 cons43l2-m cons43l7 cons43l7-m cons43r cons43r-m cons43r-mv cons43r-v cons50 cons50-m cons50-w cons50l1 cons50l1-m cons50l1-w cons50l2 cons50l2-m cons50l7 cons50l7-m cons50r cons50r-m cons50r-mv cons50r-v cons60 cons60-m cons60-w cons60l1 cons60l1-m cons60l1-w cons60l2 cons60l2-m cons60l7 cons60l7-m cons60r cons60r-m cons60r-mv cons60r-v ecma[+]italics vt100 xterm xterm-basic xterm-clear xterm-color xterm-new xterm-r6 xterm-r6-clear; do echo; awk "/${tcname}[:|]/{ f = 1; print; next } /[\t]/{ f = 0 } f" /usr/src/share/termcap/termcap; done) > termcap.small
===> etc/sendmail (all)
rm -f freebsd.cf
m4 -D_CF_DIR_=/usr/src/contrib/sendmail/cf/ -D_NO_MAKEINFO_ /usr/src/contrib/sendmail/cf/m4/cf.m4 /usr/src/etc/sendmail/freebsd.mc > freebsd.cf
chmod 444 freebsd.cf
rm -f freebsd.submit.cf
m4 -D_CF_DIR_=/usr/src/contrib/sendmail/cf/ -D_NO_MAKEINFO_ /usr/src/contrib/sendmail/cf/m4/cf.m4 /usr/src/etc/sendmail/freebsd.submit.mc > freebsd.submit.cf
chmod 444 freebsd.submit.cf
     4257.15 real      2535.48 user      1718.15 sys
--------------------------------------------------------------
>>> World build completed on Mon Jan 15 06:37:16 UTC 2024
>>> World built in 24631 seconds, ncpu: 4
--------------------------------------------------------------
Building kernel KERNCONF=SBSD-SEC ...
make[2]: "/usr/src/Makefile.inc1" line 337: SYSTEM_COMPILER: Determined that CC=cc matches the source tree. Not bootstrapping a cross-compiler.
make[2]: "/usr/src/Makefile.inc1" line 342: SYSTEM_LINKER: Determined that LD=ld matches the source tree. Not bootstrapping a cross-linker.
make[2]: "/usr/src/Makefile.inc1" line 1712: Missing KERNCONF /usr/src/sys/amd64/conf/SBSD-SEC
make[2]: stopped in /usr/src
*** Error code 1

Stop.
make[1]: stopped in /usr/src
*** Error code 1

Stop.
make: stopped in /home/user/SoloBSD
The problem seems to be that /usr/src/sys/amd64/conf/SBSD-SEC is not found. I have inspected both the download from github and the rest of my device, but there is no file with this name:
# locate -c SBSD-SEC
0
I didn't see anything about this in the README, BUILD or INSTALL files, but I've missed things before. It's either an issue with me, the files inside /usr/src/sys/amd64/conf/ having changed with HardenedBSD, or something having changed with the GitHub of SoloBSD. Any advice appreciated.
How do I build a custom kernel on hbsd? I wanted to see if I could implement DEP and SROP mitigation, but the first step is to rebuild the kernel since DEP is not enabled. I tried building it like I would in FreeBSD:
# make buildkernel KERNCONF=/usr/src/sys/amd64/conf/GENERIC
make: don't know how to make buildkernel. Stop
make: stopped in /usr/ports
So I checked online and found a script associated with kernel builds here:
https://github.com/HardenedBSD/tools/blob/master/build_hbsd_kernel_64bit.csh
This code seems to have some problems though. First off, this is written twice in it:
if ( "`sysctl -n security.bsd.hardlink_check_uid`" == "1" ) then
echo "build will fail, due to hard security checks"
echo "sysctl security.bsd.hardlink_check_uid=0"
exit
endif
if ( "`sysctl -n security.bsd.hardlink_check_uid`" == "1" ) then
echo "build will fail, due to hard security checks"
echo "sysctl security.bsd.hardlink_check_uid=0"
exit
endif
Even if I enter sysctl security.bsd.hardlink_check_gid=0 as it suggests, it still displays the same error. I tried commenting those lines out, but then I got:
# ./build_hbsd_kernel_64bit.csh
build source dir: hardenedBSD.git
ln: /tmp/amd64-cc-log-/home/user.last: No such file or directory
tee: /tmp/amd64-cc-log-/home/user-20231216201044: No such file or directory
/usr/data/source/git/opBSD/hardenedBSD.git: No such file or directory.
Maybe I'm missing some steps, or there's a better way to build a kernel on hbsd now. Anyone has advice let me know.
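Both build failures above stop at the same point: the SoloBSD log ends with "Missing KERNCONF /usr/src/sys/amd64/conf/SBSD-SEC", and the buildkernel attempt in this post passed a full path as KERNCONF from /usr/ports. make(1) wants KERNCONF to be a bare config name that exists under sys/<arch>/conf/ in the source tree, and wants to be run from that tree. This is an added example, not part of either post and not the build_hbsd_kernel_64bit.csh script: a pre-flight check to run before committing to a multi-hour build. SRCDIR, the amd64 layout, and the default config name HARDENEDBSD (what I believe HardenedBSD's stock amd64 config is called; list sys/amd64/conf/ to see what your tree actually ships) are my assumptions.

```shell
#!/bin/sh
# Pre-flight check for "make buildkernel" on HardenedBSD/FreeBSD.
# Added example, not from the thread. Assumes the FreeBSD source layout:
# kernel configs live in ${SRCDIR}/sys/${ARCH}/conf/ and KERNCONF is a
# bare name such as HARDENEDBSD or GENERIC, never a path.

# check_kernconf SRCDIR ARCH KERNCONF
#   Prints the resolved config file on success.
#   Returns 0 = ok, 1 = config file missing, 2 = KERNCONF given as a path.
check_kernconf() {
    srcdir=$1; arch=$2; kernconf=$3
    case $kernconf in
        */*)
            echo "KERNCONF must be a bare name (e.g. HARDENEDBSD), not a path: $kernconf" >&2
            return 2 ;;
    esac
    conf="$srcdir/sys/$arch/conf/$kernconf"
    if [ ! -f "$conf" ]; then
        echo "Missing KERNCONF $conf" >&2
        echo "Configs present in $srcdir/sys/$arch/conf:" >&2
        ls "$srcdir/sys/$arch/conf" 2>/dev/null >&2 || true
        return 1
    fi
    echo "$conf"
}

# build_cmd SRCDIR KERNCONF NCPU: print the make invocation to run.
# The build is run from the source tree, not from /usr/ports.
build_cmd() {
    printf 'cd %s && make -j%s buildkernel KERNCONF=%s\n' "$1" "$3" "$2"
}

# main [KERNCONF]: validate against the live system and print the command.
main() {
    srcdir=${SRCDIR:-/usr/src}
    arch=$(uname -m 2>/dev/null || echo amd64)
    kernconf=${1:-HARDENEDBSD}   # assumed default name; see lead-in
    if conf=$(check_kernconf "$srcdir" "$arch" "$kernconf"); then
        echo "Using $conf"
        build_cmd "$srcdir" "$kernconf" "$(sysctl -n hw.ncpu 2>/dev/null || echo 1)"
    fi
}

# Only act when a KERNCONF name is given on the command line,
# e.g.:  SRCDIR=/usr/src sh kernconf_check.sh HARDENEDBSD
if [ $# -gt 0 ]; then
    main "$@"
fi
```

The script refuses the two mistakes visible on this page (a path instead of a name, and a name that does not exist in the tree) before make(1) gets to its own error. It says nothing about the security.bsd.hardlink_check_uid check from the csh script; set that sysctl as the script's message tells you, and note the sysctl name it prints ends in _uid.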
Title pretty much says it. I'm wondering if using a port from OpenBSD would be possible. I've seen Shawn Webb advise folks not to use pf with HardenedBSD due to the source coming from FreeBSD and it not having been updated for years. I understand OpenBSD's version is more up to date. Also wondering if this goes against any licensing? I'm sure if it didn't someone would have done this already, but I figure it's worth asking.
Hey guys!
I'm not exactly expecting to get a swift response to this post as this subreddit isn't even set up properly and honestly just looks like a bunch of tumbleweeds (no offense), but here I go.
Which version of BSD is better to run as a desktop operating system in 2023? Being tired of Linux and wanting to venture off into different kernels and operating systems entirely, I've landed in the world of BSD.
Doing research to see which BSD version is more secure (being quite a security-paranoid person) seems near impossible as every post about the subject is from either 2020 or mid-2016.
Which BSD version has more packages, ease-of-use, better security (out of the box) and good updates?
The FreeBSD community seems very active both on Reddit and their own 40K+ member forums, which I like compared to the other two versions, and also has a great handbook. OpenBSD seems to have a very mixed audience. Some despise the platform and think the whole "security" thing is false marketing, but others seem to praise it and call it the best thing since bread and butter. HardenedBSD honestly doesn't seem to have too much discussion other than the official website, which is quite irritating, hence me popping on here to ask.
If I'm correct here, as HardenedBSD is just a more secure remix of the FreeBSD OS, it will have the same patches, packages and handbook rules as FreeBSD, right?
So then what's the advantage over HardenedBSD and OpenBSD?
Would be great to get a reply, if possible lol.
Thanks, Bezzzles :D
Hey, everyone!
I am an OpenBSD user currently considering installing hardenedBSD on my laptop. While I love OpenBSD, unfortunately it lacks some important features that I want and those are Steam and VMs.
Steam runs pretty well for me on FreeBSD; how well does the linuxulator work on hardenedBSD given that 32-bit libraries are missing? Are binary nvidia drivers available?
How well does bhyve work on hardenedBSD?
The question may sound a little strange, so here's the background: As one of our tasks for the Advance!BSD project we're looking at configuration management. One candidate is an application written in Rust that uses the os_info crate to detect which OS it runs on. A year ago this library knew nothing about *BSD at all but now it recognizes the four main BSDs (OpenBSD support is about to be merged).
HardenedBSD as well as MidnightBSD get detected as FreeBSD (as that's the platform they claim to be as far as the Rust compiler is concerned). While one could argue that it's close enough, we think it makes sense to want to treat HardenedBSD differently from FreeBSD (e.g. when setting sysctls and such). Hence the question: What is the best way to do this?
For MidnightBSD it's as simple as running "uname" as the output is "MidnightBSD". But HardenedBSD identifies as "FreeBSD" in this regard. Should we check against "uname -r" and see if the version string ends in "-HBSD"? Is this expected to remain a valid test in the future or is there a better solution?
I seem to be unable to update a fresh install of HardenedBSD-13. I get the error
empty: flags ("schg" is not "none" ./efi/: Can't restore time
I don’t think I did anything unusual during the installation, other than ticking all the hardening options. Is it intended for the updater to be broken on a fresh install? How do I fix it?
Hi
Firefox crashes with a memory fault. I figure it's got something to do with jails or a memory management security feature implemented in HardenedBSD. Trying to save a bit of time: if anyone has run into this, I would welcome any suggestions.
update
I got Firefox to work in a virtual machine with the same packages, so I don't feel it's the configuration or HardenedBSD. I am using the nvidia-drivers on the bare metal, so it may have something to do with that.
update
firefox runs with safemode enabled
logs when it crashes
Oct 18 14:01:52 ii9 kernel: [488] [HBSD SEGVGUARD] [/usr/local/bin/firefox (26426)] Suspension expired.
Oct 18 14:01:52 ii9 kernel: [488] -> pid: 26426 ppid: 18196 p_pax: 0x659<PAGEEXEC,NOMPROTECT,SEGVGUARD,ASLR,NOSHLIBRANDOM,DISALLOWMAP32BIT>
Oct 18 14:01:58 ii9 kernel: [494] pid 26426 (firefox), jid 0, uid 1001: exited on signal 11 (core dumped)
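The p_pax word in the second log line above is a bitmask of PaX flags, and the kernel prints its decoding in the angle brackets. An added example, not part of the post: a shell script that decodes such lines from a kernel log and lists which hardening features were off for the crashing process. The bit values are an assumption: they are the ones that reproduce exactly the six names the kernel printed next to 0x659 on this page and match my recollection of the PAX_NOTE_* constants in HardenedBSD's sys/sys/pax.h, with the complementary NO* bits filled in the same pattern; check them against your source tree. The sample log is the three lines from the post.

```shell
#!/bin/sh
# Decode the p_pax flag word in HardenedBSD SEGVGUARD kernel log lines.
# Added example, not from the thread. Bit values are assumed (see lead-in):
# each feature has a "set" bit and a "NO" bit, so a flag word states both
# what is on and what is off for the process.

PAX_BITS="1:PAGEEXEC 2:NOPAGEEXEC 4:MPROTECT 8:NOMPROTECT \
16:SEGVGUARD 32:NOSEGVGUARD 64:ASLR 128:NOASLR \
256:SHLIBRANDOM 512:NOSHLIBRANDOM 1024:DISALLOWMAP32BIT 2048:NODISALLOWMAP32BIT"

# pax_flags HEX: print the comma-separated flag names set in HEX (e.g. 0x659)
pax_flags() {
    val=$(( $1 ))
    out=
    for entry in $PAX_BITS; do
        bit=${entry%%:*}
        name=${entry#*:}
        if [ $(( val & bit )) -ne 0 ]; then
            out="${out:+$out,}$name"
        fi
    done
    printf '%s\n' "$out"
}

# pax_disabled HEX: print only the features that are OFF for the process
# (the NO* flags), whether by system default or by a per-binary exemption.
pax_disabled() {
    out=
    for f in $(pax_flags "$1" | tr ',' ' '); do
        case $f in
            NO*) out="${out:+$out,}${f#NO}" ;;
        esac
    done
    printf '%s\n' "$out"
}

# segvguard_report: read kernel log lines on stdin; for each
# "-> pid: N ppid: M p_pax: 0xHHH<...>" line print pid, flag word and
# the features that were disabled for that process.
segvguard_report() {
    while IFS= read -r line; do
        case $line in
            *"p_pax: 0x"*)
                pid=${line#*pid: }; pid=${pid%% *}
                hex=${line#*p_pax: }; hex=${hex%%<*}
                printf 'pid %s p_pax=%s disabled=%s\n' "$pid" "$hex" "$(pax_disabled "$hex")"
                ;;
        esac
    done
}

# Constructed sample: the three lines from the post above.
SAMPLE_LOG='Oct 18 14:01:52 ii9 kernel: [488] [HBSD SEGVGUARD] [/usr/local/bin/firefox (26426)] Suspension expired.
Oct 18 14:01:52 ii9 kernel: [488] -> pid: 26426 ppid: 18196 p_pax: 0x659<PAGEEXEC,NOMPROTECT,SEGVGUARD,ASLR,NOSHLIBRANDOM,DISALLOWMAP32BIT>
Oct 18 14:01:58 ii9 kernel: [494] pid 26426 (firefox), jid 0, uid 1001: exited on signal 11 (core dumped)'

# Usage: sh pax_decode.sh < /var/log/messages   (no args: run on the sample)
if [ $# -eq 0 ]; then
    printf '%s\n' "$SAMPLE_LOG" | segvguard_report
fi
```

For the post's crash the decode says MPROTECT and SHLIBRANDOM were already off for that firefox process while PAGEEXEC, SEGVGUARD, ASLR and DISALLOWMAP32BIT were on, which is the list to work through if you suspect a PaX feature rather than the driver; the "Suspension expired" line is SEGVGUARD lifting its earlier block on the binary, not the fault itself.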
Hi,
Is it not possible to make HardenedBSD easier for desktop users, just like GhostBSD?
I mean a DE (something lightweight like XFCE or MATE) included by default.
A live mode so that users can test their hardware before install.
A network manager just like the one included in GhostBSD so that desktop users can connect to WiFi easily.
If a GUI package manager is added later I really don't care coz I use the terminal under Linux.
But if I have to edit a text file to connect to WiFi then honestly I am not ready for that.
I am trying to install HardenedBSD on real hardware and I am running into the same issue every time. When I try to use pkg, I get the error:
Bootstrapping pkg from pkg+http//pkgs.hardernedbsd.org/HardernedBSD/pkg/FreeBSD:14:amd64/Latest/pkg.txz: No address record
Address resolution failed for http//pkgs.hardernedbsd.org/HardernedBSD/pkg/FreeBSD:14:amd64
Consider changing PACKAGESITE.
Any help would be appreciated.
Before I write up a lengthy technical post, I'm curious if the community would like to see a walkthrough of setting up HBSD 13-stable to use as a daily use desktop system. I run HBSD on most of my servers and have preferred FreeBSD for my workstation over any linux distro, so eventually I switched that to HBSD as well.
This system has been in service since November back when 13-current was still in development. It's been a great experience overall, so it's sad to see people post issues about stability and decide to give up; perhaps a success story would be helpful.
Hey, I got a wild hair up my ass and nuked my FreeBSD 12.2 install and installed HardenedBSD 13.0-current with ZFS. Everything installed fine, but in console mode within the first hour sh crashed and core dumped twice, sending me back to login while using mv and cp with files I backed up on a USB. Is the development branch too unstable for regular usage? I haven't even installed Xorg yet.
My machine is a Lenovo Thinkpad T420
I really gave HBSD a go for a week as a desktop system. In console mode, HBSD is great. I think HBSD is great for server use and I would totally be ready to deploy HBSD for a customer if OpenBSD didn't meet their needs but they still needed extra security. However, HBSD as a desktop machine is a complete headache imho. Being able to use the FreeBSD forums is a standard. Most importantly, unless you want to use an old HTML-only web browser like dillo, netsurf or links in the framebuffer, you're out of luck surfing the modern web. Frankly Firefox and Chrome are basically failing on both FreeBSD and HBSD. They disappear from those repos frequently. But I'm not so normied that I can't use qutebrowser, vimb or luakit. Well, none of these work on HBSD, even after disabling mprotect, pageexec and aslr (using hbsd-control). Webkitgtk will straight brick the system after 3-5 minutes of use in vimb. Luakit doesn't work, period, and qutebrowser fails to build. It's the same with FreeBSD for qutebrowser, Firefox and Chrome, so it's not a problem specific to this project. But overall, frankly, OpenBSD is kicking FreeBSD and HBSD's ass for desktop usage; they always have Chrome and Firefox ready to go and they work fine. They don't have qutebrowser yet but suckless surf and luakit work. And this is coming from a person that has played around on these systems for months on different hardware.
Hi, I'd like to install hbsd but I have some doubts about securing the browser. Is there in hbsd something like AppArmor in Linux or pledge+unveil in OpenBSD? If not, is there any other alternative way to confine the browser? I mean to prohibit the browser from roaming around the filesystem. Thank you
So there's a Python network application which is dependent on dbus, and I've noticed that if you pretty much ask any FreeBSD developer or even user they will tell you that dbus is the spawn from hell.
I myself am not yet in a position from which I can evaluate that, unfortunately.
So I was wondering what downsides and risks I'd be exposed to if I install dbus on a HardenedBSD system.
vera++ used to be available via pkg, but in 12.1-STABLE no such package is found. What happened to this analyzer tool?