HardenedBSD secadm 0.3.0 Released

We at HardenedBSD have been hard at work on secadm. Brian Salcedo rewrote core parts of secadm, making it much more efficient. As part of the rewrite, the rule syntax has changed. Please refer to the new secadm.conf(5) manpage for details on the new syntax.

Here's what has changed between secadm 0.2 and secadm 0.3.0:

  • Rewritten backend
  • Integriforce dedup - more on this below
  • Integriforce in whitelist mode - more on this below
  • manpages! secadm(8) and secadm.rules(5)
  • Allow modification and deletion of files that have rules pertaining to them if the rule is disabled
  • Various bugfixes

Integriforce in whitelist mode is a form of verified application whitelisting. When Integriforce is set in whitelisting mode, all desired applications along with their shared objects must have an Integriforce rule. The rtld should also have an Integriforce rule. If an application attempts to start and there is no Integriforce rule for that application or the shared objects it depends on, execution is denied. Whitelisting is only enforced when explicitly enabled and there is at least one Integriforce rule loaded.

While testing the rewrite, we at HardenedBSD found that the beta releases of secadm 0.3 could not load Integriforce rules for two files that are hardlinks of each other, such as /bin/[ and /bin/test. secadm 0.3 now accepts such rules but disregards the second (and any following) rule for the same file. Both names are still protected, since they point to the same underlying file. As a result, if a hash mismatch occurs, the filename printed refers to the first rule that matched the hardlinked file.
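To make the whitelist-mode and hardlink behaviour concrete, here is an added Python model; it is not secadm's code (secadm enforces this in the kernel). It assumes rules are keyed by device/inode so hardlinked names share one rule, that the first-loaded rule's name is reported on a mismatch, and that SHA-256 stands in for whatever hash the rule carries.

```python
import hashlib
import os
import tempfile


def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def load_rules(rules):
    """rules: list of (path, expected_hex_digest). Assumed dedup key: (st_dev, st_ino).
    A later rule for an already-covered inode (a hardlink) is disregarded."""
    table = {}
    for path, digest in rules:
        st = os.stat(path)
        table.setdefault((st.st_dev, st.st_ino), (path, digest))
    return table


def check_exec(table, path, deps, whitelist=True):
    """Decide whether `path` may run; `deps` are its shared objects plus the rtld.
    Whitelisting only bites when enabled and at least one rule is loaded."""
    for p in [path, *deps]:
        st = os.stat(p)
        rule = table.get((st.st_dev, st.st_ino))
        if rule is None:
            if whitelist and table:
                return False, f"no Integriforce rule for {p}"
            continue
        rule_name, digest = rule  # rule_name is the first rule loaded for this inode
        if sha256_file(p) != digest:
            return False, f"hash mismatch for {rule_name}"
    return True, "ok"


def demo():
    """Constructed scenario: 'test' and '[' are hardlinks, like /bin/test and /bin/[."""
    d = tempfile.mkdtemp()
    def mk(name, data):
        p = os.path.join(d, name)
        with open(p, "wb") as f:
            f.write(data)
        return p
    test, rtld, libc = mk("test", b"#!/bin/sh\nexit 0\n"), mk("ld-elf.so.1", b"rtld"), mk("libc.so.7", b"libc")
    bracket = os.path.join(d, "[")
    os.link(test, bracket)
    rogue = mk("rogue", b"no rule for me")
    table = load_rules([(p, sha256_file(p)) for p in (test, bracket, rtld, libc)])
    allowed = check_exec(table, bracket, [rtld, libc])    # covered by the 'test' rule
    denied = check_exec(table, rogue, [rtld, libc])       # whitelist mode: no rule, denied
    with open(bracket, "ab") as f:
        f.write(b"# tampered\n")                          # changes both names at once
    mismatch = check_exec(table, bracket, [rtld, libc])   # reports the 'test' rule's name
    return len(table), allowed, denied, mismatch, test
```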

Download secadm 0.3.0 here. The GPG signature is here.

Ogma Promoted to Inductee, VulnTrack Released

Congratulations to Ogma for being promoted to the rank of SOLDIERX Inductee. After much hard work, he has released his first project - VulnTrack. VulnTrack monitors the NIST vulnerability feed and compares it against your config file. When there is a pattern match (based on your configuration), VulnTrack alerts you by email and/or desktop notification. We hope that Ogma keeps up the hard work - as we hope to see him make it to full SX Crew in the near future.

In other news, with Ogma's promotion there are new openings for recruits. If you are interested in joining SX, please click here.

RoboAmp 1.0.2 Released and Wallpaper Contest Extended

Due to some changes to Google Voice, RoboAmp 1.0.1 stopped working. RoboAmp has been updated to adapt to these changes, along with a few other minor changes. You can get the new version here. If you would like to see more changes to RoboAmp or any of our other SX Labs releases, please drop by for our IRC meetings on Wednesdays at 3 PM EST.

In other news, the 2015 Wallpaper Contest has been extended until April 20th, 2016. Please keep those submissions coming!

OPNSense 16.1.1 + HardenedBSD 11-CURRENT Released

I've published a new build of OPNSense 16.1.1 with HardenedBSD 11-CURRENT! You can grab the build from here: download.

Future things to work on:

  1. Wireless isn't working. This is likely due to the new 802.11 stack in FreeBSD 11-CURRENT causing issues with the network interface code in OPNSense. Part of the problem is that the raw wireless device is now hidden from `ifconfig`.
  2. Binary updates are not yet supported. I haven't had time to work on them, so to update to a future version you'll need to do the usual config backup, reinstall, and config restore.
  3. pfsync is still disabled. I'm unsure as to why this causes a kernel panic. If you are a C developer with time on your hands and want to tackle this, that'd be freaking awesome and very much appreciated.

For item #1, I've started work on getting wireless working with this commit. I need to ping Adrian Chadd to figure out how to get the MAC address and the other bits from ifconfig that are now hidden that the network interface code expects without having to do a temporary clone of the device.

For item #2, OPNSense recently revamped how they provide binary updates for base. HardenedBSD now has an official binary updating mechanism as well (thanks G2, Inc for sponsoring the work!). Instead of using OPNSense's updating mechanism, I'd rather eat my own dogfood and use hbsd-update. More info about hbsd-update can be found here.

Introducing HardenedBSD's New Binary Updater

One feature our users have been asking us for ever since we officially launched over a year ago is binary updates for base and kernel. We are excited to announce that we are launching the framework for binary updates today! We still need to tie the update build script into our continuous integration infrastructure. For now, updates for the hardened/current/master branch of the HardenedBSD repo will be built manually. When we create the next installers/distsets for the HardenedBSD-stable repo, we'll also support updates there. You will notice two new programs, /usr/sbin/hbsd-update and /usr/sbin/hbsd-update-build, which apply and build update packages, respectively. This work was sponsored by G2, Inc, who has an immediate need for binary updates. Read on for the full design specification.

Weekly IRC Meetings and Wallpaper Contest

It's been a while since I've posted any news, as I've been focused on some back-end changes (*cough* new server) as well as VIP content. Things are moving slower than I'd like, but I'm happy that we're still making progress. The point of this news post is mostly to announce that we're moving our weekly IRC meetings from Thursdays at 4pm EST to Wednesdays at 3pm EST. We've had a number of complaints about the later time on Thursdays, and most of our crew feel that Wednesday is the least busy day. This is effective immediately, so we will be having an IRC meeting today.

The other thing I wanted to mention is that we haven't received that many entries for our 2015 Wallpaper Contest. If you have art skills or know anybody that does, please enter our contest with a submission. The number of submissions will influence our decision to create other contests, as there's no point in making contests if the community isn't interested in participating.
