[nycbug-talk] BSD Chapter in HLE
Dru
dlavigne6 at sympatico.ca
Fri Sep 15 13:23:11 EDT 2006

Hacking Linux Exposed is going to its third edition and I've been asked to
write a chapter on BSD security for this edition. I only get one chapter
and am supposed to provide an overview of the security features available
in *BSD.

A draft outline is appended. I plan to showcase the features common to
FreeBSD, NetBSD, and OpenBSD as well as point out any features which may not
be currently available in all 3.

My question to the list is: is this draft missing any features which
should be mentioned? Should I mention the ability to strip kernels and
build world/build.sh? What about OpenBSD propolice? What about Coverity
audits being integrated into engineering processes?

Cheers,

Dru

---

Overview of BSD Projects
- brief history (2-3 sentences)
- overview of NetBSD, FreeBSD, OpenBSD projects
- brief note of FreeBSD forks (PC-BSD, DesktopBSD)

Built-in security features
- minimal install (secure by default)
- periodic security scripts
- sysctl
- chflags
- PAM
- /etc/ttys
- /etc/ssh/sshd_config
- blowfish support
- encrypted (filesystem) support (cfs, cgd, gbde, geli)
- veriexec
- securelevel
- system accounting
- rc.conf

TrustedBSD Extensions
- ACLs
- MAC policies
- OpenBSM

pf Firewall Features
- CARP
- ALTQ
- stateful tracking (connection limiting, synproxy)
- direct manipulation of state table
- OS fingerprinting
- traffic normalization
- state modulation

Securing Applications
- jail (sysjail)
- portaudit, audit-packages
- vuxml

BSD Security Advisories
- overview of advisory format
- overview of security officer/team
- URLs to advisory lists

Additional BSD Resources
- URLs to FreeBSD Handbook, NetBSD Guide, OpenBSD Guide