[nycbug-talk] BSD Chapter in HLE
Dru
dlavigne6 at sympatico.ca
Fri Sep 15 13:23:11 EDT 2006

Hacking Linux Exposed is going to its third edition and I've been asked to 
write a chapter on BSD security for this edition. I only get one chapter 
and am supposed to provide an overview of the security features available 
in *BSD.

A draft outline is appended. I plan to showcase the features common to 
FreeBSD, NetBSD, and OpenBSD as well as point out any features which may not
be currently available in all 3.

My question to the list is: is this draft missing any features which 
should be mentioned? Should I mention the ability to strip kernels and 
build world/build.sh? What about OpenBSD propolice? What about Coverity 
audits being integrated into engineering processes?

Cheers,
Dru
---
Overview of BSD Projects
 	- brief history (2-3 sentences)
 	- overview of NetBSD, FreeBSD, OpenBSD projects
 	- brief note of FreeBSD forks (PC-BSD, DesktopBSD)
Built-in security features
 	- minimal install (secure by default)
 	- periodic security scripts
 	- sysctl
 	- chflags
 	- PAM
 	- /etc/ttys
 	- /etc/ssh/sshd_config
 	- blowfish support
 	- encrypted (filesystem) support (cfs, cgd, gbde, geli)
 	- veriexec
 	- securelevel
 	- system accounting
 	- rc.conf
TrustedBSD Extensions
 	- ACLs
 	- MAC policies
 	- OpenBSM
pf Firewall Features
 	- CARP
 	- ALTQ
 	- stateful tracking (connection limiting, synproxy)
 	- direct manipulation of state table
 	- OS fingerprinting
 	- traffic normalization
 	- state modulation
Securing Applications
 	- jail (sysjail)
 	- portaudit, audit-packages
 	- vuxml
BSD Security Advisories
 	- overview of advisory format
 	- overview of security officer/team
 	- URLs to advisory lists
Additional BSD Resources
 	- URLs to FreeBSD Handbook, NetBSD Guide, OpenBSD Guide
    
    