Just wondering if we're going to have to wait for 16.7 to be able to use HardenedBSD and if that will be based on 11-current or if there is something available now, based on 10.2?
Hi there,
There are two tracks to HardenedBSD that surfaced due to different goals and workloads of both projects. The ultimate goal is to get both projects under the same hood some time in the FreeBSD 11 series, or at least get a good portion of HardenedBSD patches back to FreeBSD. Whether that's 2016 or 2017 is unknown. There are too many factors.
As OPNsense, we've asked HardenedBSD to provide a 10.2-RELEASE version of their patches. The ABI-compatible patches of HardenedBSD will be incorporated into 16.1.x as we get to test them and also know that 16.1's vanilla 10.2 works as expected.
For HardenedBSD, the goal is to go straight for 11-CURRENT, mostly for driver reasons (OPNsense can't offer that on a stable FreeBSD release), but also because we'd not really need duplicated efforts on 10.2 and because they shouldn't work on enhancing older FreeBSD versions.
That being said, Shawn was going to work on a 16.1-based version of HardenedBSD/OPNsense as soon as 16.1 is out, likely based on 11-CURRENT.
Shawn, please correct me if I'm wrong. :)
Cheers,
Franco
Thanks!
The problem with 11-CURRENT is that it can break too easily and with all the different configs out there, you can't be sure that a specific snapshot doesn't break something for someone.
I'm happy with backported patches in base.
FreeBSD / HardenedBSD 10-STABLE is great to use. However, there are certain enhancements from FreeBSD 11-CURRENT (which HardenedBSD syncs from every six hours) that I myself need (mainly, the updates to the ath(4) driver). Though I publish these builds for others to use, they're primarily for my own usage. I just publish them in the hope that others find them useful.
So, I will be basing my OPNSense + HardenedBSD builds based on 11-CURRENT (and, when 11.0 comes out, 11-STABLE). The biggest problem is the changes to the 802.11 stack that remove the raw wireless devices from ifconfig output. That throws a wrench into OPNSense (and I'll assume pfSense as well, though since I have no way to produce my own builds, I can't verify). I'm very slowly working to resolve that issue. My next builds will be published regardless of the status of the fix.
My time is extremely limited these days. I'm holding off doing new builds until 16.1 is published. Once that's published, I need to forward-port my custom patches to our forked OPNSense code. I probably won't release any builds until 16.1.1 (it'll probably take around a week after 16.1 is published to finish the forward port).
With all that said, there's nothing stopping anyone from doing their own builds based on HardenedBSD 10-STABLE (or 10.2-RELEASE). I've even included instructions on how I do builds on my personal blog: http://0xfeedface.org/2015/11/07/hbsd-opnsense.html
Let me know if you have any questions, comments, or concerns.
It all makes sense. I'm considering running the HardenedBSD flavour of FreeBSD 10 for servers, once we migrate from 9. We'll be testing if it works well with gcc5 first.
And regarding OPNsense, we'll wait a bit then for the fork (OPNsense on HardenedBSD) to stabilise to be able to tell the source of problems apart when a service fails. I will play with it in a VM.
Thanks!
Source of the problems, what are you referring to? Open tickets or other issues? :)
My message wasn't very clear.
The fork I was referring to is OPNsense on HardenedBSD.
So if Suricata 3 crashes or IPS doesn't even load (like on 15.7.99), it's easier to track down the issue if working on vanilla OPNsense than if it's running on the hardened version.
Now I got you, yes, indeed. We've also built "opnsense-bootstrap" to make it possible to switch between different flavours more easily in the future as it can cope with incompatibilities in OS and packages. It already works well on FreeBSD transforming it into OPNsense. It will also be used to move to the HardenedBSD flavour in the future. :)
It's official: I've started work on the HardenedBSD + OPNSense 16.1. I'll hopefully have a build I myself will test this weekend and push out for general availability by the end of next week.
Awesome. Looking forward to it!
Here's a little teaser. There's a couple of things I gotta do to clean up, then I'll update to 16.1.1 when that comes out for OpenSSL SA goodness. Then I'll publish the build.
http://imgur.com/1kZLoXZ
http://i.imgur.com/1kZLoXZ.png
And now Suricata compiled as a PIE and running in IPS mode.
It does create RWX mappings, though, so I need to double-check why. It doesn't on my HardenedBSD development laptop.
PID START END PRT RES PRES REF SHD FLAG TP PATH
19966 0x21b2d4b6000 0x21b2d6bb000 r-x 497 516 3 2 CN-- vn /usr/local/bin/suricata
19966 0x21b2d8ba000 0x21b2d8be000 r-- 4 0 1 0 CN-- vn /usr/local/bin/suricata
19966 0x21b2d8be000 0x21b2d8c0000 rw- 2 0 1 0 C--- vn /usr/local/bin/suricata
19966 0x21b2d8c0000 0x21b2d8fa000 rw- 55 55 1 0 C--- df
19966 0x2846e3a9000 0x2846e3c8000 r-x 31 32 81 35 CN-- vn /libexec/ld-elf.so.1
19966 0x2846e3c8000 0x2846e3d0000 rw- 8 8 1 0 C--- df
19966 0x2846e3d0000 0x2846e3d1000 rw- 1 1 1 0 ---- df
19966 0x2846e3d1000 0x2846e3f5000 rw- 26 26 1 0 C--- df
19966 0x2846e3f5000 0x2846e5c5000 rwx 452 452 1 0 ---- df
19966 0x2846e5c7000 0x2846e5c8000 rw- 1 0 1 0 CN-- vn /libexec/ld-elf.so.1
19966 0x2846e5c8000 0x2846e5c9000 rw- 1 1 1 0 C--- df
19966 0x2846e5c9000 0x2846e5d6000 r-x 13 13 2 1 CN-- vn /usr/local/lib/libjansson.so.4.7.0
19966 0x2846e5d6000 0x2846e7d5000 --- 0 0 1 0 CN-- df
19966 0x2846e7d5000 0x2846e7d6000 rw- 1 0 1 0 C--- vn /usr/local/lib/libjansson.so.4.7.0
19966 0x2846e7d6000 0x2846e7ee000 r-x 24 25 20 7 CN-- vn /lib/libthr.so.3
19966 0x2846e7ee000 0x2846e9ee000 --- 0 0 1 0 CN-- df
19966 0x2846e9ee000 0x2846e9ef000 rw- 1 0 1 0 C--- vn /lib/libthr.so.3
19966 0x2846e9ef000 0x2846e9fb000 rw- 11 11 1 0 C--- df
19966 0x2846e9fb000 0x2846ea44000 r-x 57 59 4 2 CN-- vn /lib/libpcap.so.8
19966 0x2846ea44000 0x2846ec44000 --- 0 0 1 0 CN-- df
19966 0x2846ec44000 0x2846ec46000 rw- 2 0 1 0 CN-- vn /lib/libpcap.so.8
19966 0x2846ec46000 0x2846ec47000 rw- 0 0 0 0 ---- --
19966 0x2846ec47000 0x2846ecbc000 r-x 117 125 14 4 CN-- vn /usr/local/lib/libpcre.so.1.2.5
19966 0x2846ecbc000 0x2846eebb000 --- 0 0 1 0 CN-- df
19966 0x2846eebb000 0x2846eebc000 rw- 1 0 1 0 C--- vn /usr/local/lib/libpcre.so.1.2.5
19966 0x2846eebc000 0x2846f030000 r-x 372 390 81 35 CN-- vn /lib/libc.so.7
19966 0x2846f030000 0x2846f22f000 --- 0 0 1 0 CN-- df
19966 0x2846f22f000 0x2846f23a000 rw- 11 0 1 0 C--- vn /lib/libc.so.7
19966 0x2846f23a000 0x2846f253000 rw- 13 13 1 0 C--- df
19966 0x2846f253000 0x2846f271000 r-x 30 31 2 1 CN-- vn /usr/local/lib/libhtp-0.5.18.so.1.0.0
19966 0x2846f271000 0x2846f471000 --- 0 0 1 0 CN-- df
19966 0x2846f471000 0x2846f472000 rw- 1 0 1 0 C--- vn /usr/local/lib/libhtp-0.5.18.so.1.0.0
19966 0x2846f472000 0x2846f48f000 r-x 29 29 2 1 CN-- vn /usr/local/lib/libyaml-0.so.2.0.4
19966 0x2846f48f000 0x2846f68e000 --- 0 0 1 0 CN-- df
19966 0x2846f68e000 0x2846f68f000 rw- 1 0 1 0 CN-- vn /usr/local/lib/libyaml-0.so.2.0.4
19966 0x2846f68f000 0x2846f6ad000 r-x 30 31 2 1 CN-- vn /usr/lib/libmagic.so.4
19966 0x2846f6ad000 0x2846f8ac000 --- 0 0 1 0 CN-- df
19966 0x2846f8ac000 0x2846f8ae000 rw- 2 0 1 0 C--- vn /usr/lib/libmagic.so.4
19966 0x2846f8ae000 0x2846f8c3000 r-x 21 22 2 1 CN-- vn /usr/local/lib/libnet11/libnet.so.1.7.0
19966 0x2846f8c3000 0x2846fac3000 --- 0 0 1 0 CN-- df
19966 0x2846fac3000 0x2846fac4000 rw- 1 0 1 0 CN-- vn /usr/local/lib/libnet11/libnet.so.1.7.0
19966 0x2846fac4000 0x2846fac6000 rw- 0 0 0 0 ---- --
19966 0x2846fac6000 0x2846fbbf000 r-x 32 42 2 1 CN-- vn /usr/local/lib/libiconv.so.2.5.1
19966 0x2846fbbf000 0x2846fdbf000 --- 0 0 1 0 CN-- df
19966 0x2846fdbf000 0x2846fdc1000 rw- 2 0 1 0 CN-- vn /usr/local/lib/libiconv.so.2.5.1
19966 0x2846fdc1000 0x2846fdd7000 r-x 22 23 16 5 CN-- vn /lib/libz.so.6
19966 0x2846fdd7000 0x2846ffd7000 --- 0 0 1 0 CN-- df
19966 0x2846ffd7000 0x2846ffd8000 rw- 1 0 1 0 C--- vn /lib/libz.so.6
19966 0x2846ffd8000 0x2846fff8000 rwx 32 32 1 0 ---- df
19966 0x28470000000 0x28472000000 rw- 7678 7678 1 0 C--- df
19966 0x28472000000 0x28473a00000 rw- 6654 6654 1 0 --S- df
19966 0x28473a00000 0x28473db4000 rw- 144 152 1 0 CN-- vn /usr/share/misc/magic.mgc
19966 0x28473db4000 0x28473df4000 rwx 64 64 1 0 ---- df
19966 0x28473e00000 0x28474e00000 rw- 4094 73627 16 0 --S- df
19966 0x28474e00000 0x28474e30000 rwx 48 73627 16 0 ---- df
19966 0x28474e30000 0x28475000000 rwx 445 445 1 0 ---- df
19966 0x28475000000 0x28475e00000 rw- 3584 73627 16 0 --S- df
19966 0x28475e00000 0x28475e10000 rwx 16 73627 16 0 ---- df
19966 0x28475e10000 0x28476000000 rwx 489 489 1 0 ---- df
19966 0x28476000000 0x28477800000 rw- 6144 73627 16 0 --S- df
19966 0x28477800000 0x28477810000 rwx 16 73627 16 0 ---- df
19966 0x28477810000 0x28477a00000 rwx 496 496 1 0 ---- df
19966 0x28477a00000 0x28478600000 rw- 3072 73627 16 0 --S- df
19966 0x28478600000 0x28478640000 rwx 64 73627 16 0 ---- df
19966 0x28478640000 0x28478800000 rwx 448 448 1 0 ---- df
19966 0x28478800000 0x28479200000 rw- 2560 73627 16 0 --S- df
19966 0x28479200000 0x28479220000 rwx 32 73627 16 0 ---- df
19966 0x28479220000 0x28479400000 rwx 480 480 1 0 ---- df
19966 0x28479400000 0x28479e00000 rw- 2560 73627 16 0 --S- df
19966 0x28479e00000 0x28479e20000 rwx 26 73627 16 0 ---- df
19966 0x2847a000000 0x28482000000 rw- 32723 73627 16 0 --S- df
19966 0x28482000000 0x28482400000 rw- 1024 1024 1 0 --S- df
19966 0x28482400000 0x28482e00000 rw- 2560 73627 16 0 --S- df
19966 0x28482e00000 0x28484000000 rw- 4608 4608 1 0 --S- df
19966 0x28484000000 0x28484800000 rw- 1792 73627 16 0 --S- df
19966 0x28484800000 0x28485200000 rw- 2560 12800 2 0 --S- df
19966 0x28485200000 0x28486400000 rw- 2628 2628 1 0 ---- df
19966 0x28487800000 0x2848a000000 rw- 10240 12800 2 0 --S- df
19966 0x2848a800000 0x2848e000000 rw- 14336 73627 16 0 --S- df
19966 0x2848e000000 0x284a2721000 rw- 2586 2586 1 0 ---- dv
19966 0x7ad66f713000 0x7ad66f733000 rw- 3 3 1 0 ---D df
19966 0x7ad66f914000 0x7ad66f934000 rw- 1 1 1 0 ---D df
19966 0x7ad66fb15000 0x7ad66fb35000 rw- 2 2 1 0 ---D df
19966 0x7ad66fd16000 0x7ad66fd36000 rw- 3 3 1 0 ---D df
19966 0x7ad66ff17000 0x7ad66ff37000 rw- 5 5 1 0 ---D df
19966 0x7ad670118000 0x7ad670138000 rw- 10 10 1 0 ---D df
19966 0x7ad670138000 0x7ad670139000 --- 0 0 0 0 ---- --
19966 0x7ad6b00d9000 0x7ad6b0119000 rw- 37 37 1 0 C--D df
19966 0x7ad6b0119000 0x7ad6b0139000 rw- 32 32 1 0 C--- df
19966 0x7fa588f4b000 0x7fa588f4c000 r-x 1 1 49 0 ---- ph
http://imgur.com/2ne88hd
http://i.imgur.com/2ne88hd.png
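The map above is `procstat -v` output, and the interesting rows are the ones whose PRT column reads `rwx` with TP `df` (anonymous memory, no backing vnode). The snippet below is an added example, not code from the thread or from either project: it is a small POSIX sh/awk helper that pulls those rows out of `procstat -v` output, totals their resident pages, and (on a host that has `readelf`) checks whether a binary was linked as a PIE. The embedded sample is constructed from a few rows of the map posted above; it is not a live capture, and `find_rwx`, `rwx_pages` and `is_pie` are names chosen here.

```shell
#!/bin/sh
# Flag writable+executable mappings in `procstat -v` output (FreeBSD/HardenedBSD).
# Column layout on 10.x/11-CURRENT:
#   PID START END PRT RES PRES REF SHD FLAG TP PATH
# PRT = protection (r/w/x), RES = resident pages, TP = object type
# ("vn" vnode-backed, "df" default/anonymous, "dv" device, "ph" physical).
#
# Live usage:  procstat -v "$(pgrep -x suricata)" | find_rwx

# Print one line per rwx mapping: pid, address range, protection, type, path.
find_rwx() {
    awk 'NR > 1 && $4 ~ /^rwx/ {
        path = ($11 == "") ? "(anon)" : $11
        printf "%s %s-%s %s %s %s\n", $1, $2, $3, $4, $10, path
    }'
}

# Sum of resident pages (RES column) across all rwx mappings.
rwx_pages() {
    awk 'NR > 1 && $4 ~ /^rwx/ { n += $5 } END { print n + 0 }'
}

# PIE check: a PIE is an ET_DYN object, which readelf reports as "DYN".
# Returns 0 if the file is a PIE, 1 otherwise (or if readelf is missing).
is_pie() {
    command -v readelf >/dev/null 2>&1 || return 1
    readelf -h "$1" 2>/dev/null | grep -q 'Type:[[:space:]]*DYN'
}

# Constructed sample (abridged from the map in the post above; not a live run).
SAMPLE='PID START END PRT RES PRES REF SHD FLAG TP PATH
19966 0x21b2d4b6000 0x21b2d6bb000 r-x 497 516 3 2 CN-- vn /usr/local/bin/suricata
19966 0x2846e3a9000 0x2846e3c8000 r-x 31 32 81 35 CN-- vn /libexec/ld-elf.so.1
19966 0x2846e3f5000 0x2846e5c5000 rwx 452 452 1 0 ---- df
19966 0x28473db4000 0x28473df4000 rwx 64 64 1 0 ---- df
19966 0x7fa588f4b000 0x7fa588f4c000 r-x 1 1 49 0 ---- ph'

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE" | find_rwx
printf 'resident rwx pages: %s\n' "$(printf '%s\n' "$SAMPLE" | rwx_pages)"

# Only meaningful on a box that actually has the binary installed.
if [ -x /usr/local/bin/suricata ]; then
    if is_pie /usr/local/bin/suricata; then
        echo "/usr/local/bin/suricata: PIE (ET_DYN)"
    else
        echo "/usr/local/bin/suricata: not a PIE"
    fi
fi
```

On a live system, diff the `find_rwx` output between the HardenedBSD laptop where Suricata shows no rwx pages and the OPNsense build where it does; the anonymous (`df`) rwx regions sitting between the libraries and the large `rw-` arenas are the ones to trace back to whichever allocation created them.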
Looking great!