[nycbug-talk] BSD Chapter in HLE
george at sddi.net
Fri Sep 15 13:58:37 EDT 2006
> Hacking Linux Exposed is going to its third edition and I've been asked to
> write a chapter on BSD security for this edition. I only get one chapter
> and am supposed to provide an overview of the security features available
> in *BSD.
so it's a focus on "features" and not the os itself?
> A draft outline is appended. I plan to showcase the features common to
> FreeBSD, NetBSD, and OpenBSD as well as point out any features which may not
> be currently available in all 3.
> My question to the list is: is this draft missing any features which
> should be mentioned? Should I mention the ability to strip kernels and
> build world/build.sh? What about OpenBSD propolice? What about Coverity
> audits being integrated into engineering processes?
> Overview of BSD Projects
> - brief history (2-3 sentences)
> - overview of NetBSD, FreeBSD, OpenBSD projects
> - brief note of FreeBSD forks (PC-BSD, DesktopBSD)
I think the pete point is important . . kernel v everything else is a
huge issue. . . the hierarchy of development (v. the anarchy of linux!)
it's worth mentioning the scarcity of kernel vulnerbilities v linux
also. i know you don't want to compare too much. . . but. . .
and add in ports/pkg_src, etc. . . checksum checks. . .
> Built-in security features
> - minimal install (secure by default)
compare a top output from new install. . . particularly obsd.
> - periodic security scripts
> - sysctl
> - chflags
> - PAM
do all have PAM support now?
> - /etc/ttys
> - /etc/ssh/sshd_config
question of root enabled by default, although I think this has changed
now with obsd.
> - blowfish support
> - encrypted (filesystem) support (cfs, cgd, gbde, geli)
> - veriexec
> - securelevel
> - system accounting
> - rc.conf
> TrustedBSD Extensions
> - ACLs
> - MAC policies
> - OpenBSM
> pf Firewall Features
> - CARP
> - ALTQ
> - stateful tracking (connection limiting, synproxy)
> - direct manipulation of state table
> - OS fingerprinting
> - traffic normalization
> - state modulation
you should probably put in *some* discussion of ipf and ipfw. .. but
then break into pf as not your ordinary packet filter.
> Securing Applications
> - jail (sysjail)
jails, yes, but is sysjail anywhere yet?
> - portaudit, audit-packages
> - vuxml
> BSD Security Advisories
> - overview of advisory format
> - overview of security officer/team
> - URLs to advisory lists
> Additional BSD Resources
> - URLs to FreeBSD Handbook, NetBSD Guide, OpenBSD Guide
add swap encryption . . . right?
tcp-wrappers. . .
let me think a bit more about this...
More information about the talk