[nycbug-talk] BSD Chapter in HLE

George R. george at sddi.net
Fri Sep 15 13:58:37 EDT 2006



Dru wrote:
> Hacking Linux Exposed is going to its third edition and I've been asked to 
> write a chapter on BSD security for this edition. I only get one chapter 
> and am supposed to provide an overview of the security features available 
> in *BSD.

so it's a focus on "features" and not the os itself?

> 
> A draft outline is appended. I plan to showcase the features common to 
> FreeBSD, NetBSD, and OpenBSD as well as point out any features which may not
> be currently available in all 3.
> 
> My question to the list is: is this draft missing any features which 
> should be mentioned? Should I mention the ability to strip kernels and 
> build world/build.sh? What about OpenBSD propolice? What about Coverity 
> audits being integrated into engineering processes?
> 
> Cheers,
> 
> Dru
> 
> ---
> 
> Overview of BSD Projects
>  	- brief history (2-3 sentences)
>  	- overview of NetBSD, FreeBSD, OpenBSD projects
>  	- brief note of FreeBSD forks (PC-BSD, DesktopBSD)

I think the pete point is important . . kernel v everything else is a
huge issue. . . the hierarchy of development (v. the anarchy of linux!)

it's worth mentioning the scarcity of kernel vulnerabilities v linux
also.  i know you don't want to compare too much. . . but. . .

and add in ports/pkg_src, etc. . . checksum checks. . .

> 
> Built-in security features
>  	- minimal install (secure by default)

compare a top output from new install. . . particularly obsd.

>  	- periodic security scripts
>  	- sysctl
>  	- chflags
>  	- PAM

do all have PAM support now?

>  	- /etc/ttys
>  	- /etc/ssh/sshd_config

question of root enabled by default, although I think this has changed
now with obsd.

>  	- blowfish support
>  	- encrypted (filesystem) support (cfs, cgd, gbde, geli)
>  	- veriexec
>  	- securelevel
>  	- system accounting
>  	- rc.conf

> 
> TrustedBSD Extensions
>  	- ACLs
>  	- MAC policies
>  	- OpenBSM
> 
> pf Firewall Features
>  	- CARP
>  	- ALTQ
>  	- stateful tracking (connection limiting, synproxy)
>  	- direct manipulation of state table
>  	- OS fingerprinting
>  	- traffic normalization
>  	- state modulation
> 

you should probably put in *some* discussion of ipf and ipfw. .. but
then break into pf as not your ordinary packet filter.

> Securing Applications
>  	- jail (sysjail)

jails, yes, but is sysjail anywhere yet?

and chroot?

>  	- portaudit, audit-packages
>  	- vuxml
> 
> BSD Security Advisories
>  	- overview of advisory format
>  	- overview of security officer/team
>  	- URLs to advisory lists
> 
> Additional BSD Resources
>  	- URLs to FreeBSD Handbook, NetBSD Guide, OpenBSD Guide

add swap encryption . . . right?

tcp-wrappers. . .

let me think a bit more about this...

g


