[nycbug-talk] BSD Chapter in HLE

Peter Wright pete at nomadlogic.org
Fri Sep 15 13:37:08 EDT 2006


>
> Hacking Linux Exposed is going to its third edition and I've been asked to
> write a chapter on BSD security for this edition. I only get one chapter
> and am supposed to provide an overview of the security features available
> in *BSD.
>
> A draft outline is appended. I plan to showcase the features common to
> FreeBSD, NetBSD, and OpenBSD as well as point out any features which may
> not be currently available in all 3.
>
> My question to the list is: is this draft missing any features which
> should be mentioned? Should I mention the ability to strip kernels and
> build world/build.sh? What about OpenBSD propolice? What about Coverity
> audits being integrated into engineering processes?
>

One thing that I think many Linux people overlook, or don't understand,
regarding the "bsd way" is that *BSD is an operating system - not a
kernel.  I think this cohesiveness has a *huge* impact in stability and
security.

-pete

> Cheers,
>
> Dru
>
> ---
>
> Overview of BSD Projects
>  	- brief history (2-3 sentences)
>  	- overview of NetBSD, FreeBSD, OpenBSD projects
>  	- brief note of FreeBSD forks (PC-BSD, DesktopBSD)
>
> Built-in security features
>  	- minimal install (secure by default)
>  	- periodic security scripts
>  	- sysctl
>  	- chflags
>  	- PAM
>  	- /etc/ttys
>  	- /etc/ssh/sshd_config
>  	- blowfish support
>  	- encrypted (filesystem) support (cfs, cgd, gbde, geli)
>  	- veriexec
>  	- securelevel
>  	- system accounting
>  	- rc.conf
>
> TrustedBSD Extensions
>  	- ACLs
>  	- MAC policies
>  	- OpenBSM
>
> pf Firewall Features
>  	- CARP
>  	- ALTQ
>  	- stateful tracking (connection limiting, synproxy)
>  	- direct manipulation of state table
>  	- OS fingerprinting
>  	- traffic normalization
>  	- state modulation
>
> Securing Applications
>  	- jail (sysjail)
>  	- portaudit, audit-packages
>  	- vuxml
>
> BSD Security Advisories
>  	- overview of advisory format
>  	- overview of security officer/team
>  	- URLs to advisory lists
>
> Additional BSD Resources
>  	- URLs to FreeBSD Handbook, NetBSD Guide, OpenBSD Guide


-- 
~~oO00Oo~~
Peter Wright
pete at nomadlogic.org
www.nomadlogic.org/~pete
310.869.9459


