OPNsense Forum

Archive => 16.7 Legacy Series => Topic started by: lattera on March 06, 2016, 03:56:49 pm

Title: New HardenedBSD Build
Post by: lattera on March 06, 2016, 03:56:49 pm
I'm excited to announce yet another experimental OPNsense + HardenedBSD build! This build brings OpenSSL updates along with more HardenedBSD 11-CURRENT goodness. Also in the build is a brand spankin' new feature called Integriforce Whitelist.

Integriforce is a feature in which all executable files along with the shared objects they depend on in the filesystem are hashed. The hashes are loaded into the kernel and when it comes time to execute an application, the hash is checked. If the hash doesn't match, execution is forbidden. Where whitelisting comes into play is if an application or the shared objects it depends on is not in the list of hashes at all, execution is forbidden.

So, you get two things: data integrity of executables and application whitelisting. The NSA (https://www.youtube.com/watch?v=bDJb8WOJYdA) recently stated that application whitelisting along with exploit mitigations make their lives extremely difficult.

I haven't had the time to fix wireless (major changes involved), debug pfsync, or fix binary updates. So those usual caveats apply here. To update an existing installation: backup your config, reinstall, restore your config.

Download here (https://hardenedbsd.org/~shawn/opnsense/hbsd-exp-09-16.1/)
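The Integriforce description above has two distinct denial paths (a listed object whose hash no longer matches, and, in whitelist mode, an object that was never registered), and the check covers every shared object a program loads, not just the program itself. The following is an added userland illustration of that policy logic, not code from HardenedBSD, OPNsense or secadm; it assumes the dependency list is supplied by the caller (a real implementation resolves it from the binary's dynamic section), and the files and hash table are constructed inline.

```python
import hashlib
import os
import tempfile

# Verdict codes returned by check_exec (names constructed for this illustration).
ALLOWED, HASH_MISMATCH, NOT_WHITELISTED = "allowed", "hash-mismatch", "not-whitelisted"


def sha256_of(path):
    """Hash a file in chunks; stands in for the digest the kernel keeps per object."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_exec(path, deps, whitelist):
    """Decide whether `path` may run given the shared objects `deps` it loads.

    `whitelist` models the in-kernel table: absolute path -> expected hex digest.
    Two denial paths, as in the post: a listed object whose hash changed, and
    (whitelist mode) an object that is not listed at all. Every object the
    program depends on is checked, so a tampered library blocks the program.
    Returns (verdict, offending_path_or_None).
    """
    for obj in [path, *deps]:
        expected = whitelist.get(obj)
        if expected is None:
            return NOT_WHITELISTED, obj
        if sha256_of(obj) != expected:
            return HASH_MISMATCH, obj
    return ALLOWED, None


def demo():
    """Constructed scenario: a program with one library, then tampering."""
    with tempfile.TemporaryDirectory() as d:
        prog = os.path.join(d, "prog")
        lib = os.path.join(d, "libfoo.so")
        stray = os.path.join(d, "stray")
        for p, body in ((prog, b"#!/bin/sh\necho hi\n"),
                        (lib, b"fake shared object\n"),
                        (stray, b"never registered\n")):
            with open(p, "wb") as f:
                f.write(body)
        # "Load" the hashes: only prog and lib are registered.
        whitelist = {prog: sha256_of(prog), lib: sha256_of(lib)}
        clean = check_exec(prog, [lib], whitelist)[0]
        with open(lib, "ab") as f:          # tamper with the dependency only
            f.write(b"\x90")
        tampered = check_exec(prog, [lib], whitelist)[0]
        unlisted = check_exec(stray, [], whitelist)[0]
        return [clean, tampered, unlisted]


if __name__ == "__main__":
    print(demo())
```

The third call shows the difference between plain integrity checking and whitelisting: `stray` has not been modified at all, yet it is refused because it has no entry in the table. The second call shows why dependencies must be included in the check; the program binary is untouched, but its library was.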
Title: Re: New HardenedBSD Build
Post by: weust on March 06, 2016, 10:25:52 pm
As before I will try out the installation on Hyper-V.
Hopefully the network adapter is detected this time.

Downloading has to wait a bit longer it seems.
The site is quite unresponsive atm. Getting time outs.
Title: Re: New HardenedBSD Build
Post by: lattera on March 07, 2016, 04:23:04 am
As before I will try out the installation on Hyper-V.
Hopefully the network adapter is detected this time.

Thanks! There have been a lot of Hyper-V related commits by upstream FreeBSD, especially related to networking.

Downloading has to wait a bit longer it seems.
The site is quite unresponsive atm. Getting time outs.

Hey Franco, think you could mirror the files? ;)
Title: Re: New HardenedBSD Build
Post by: franco on March 07, 2016, 07:03:59 am
Thanks, Shawn, super cool! I've added the files to the mirror and they are currently syncing, try any of these in a few hours:

https://opnsense.c0urier.net/snapshots/hbsd-exp-09/ (Sweden)
http://mirror.wjcomms.co.uk/opnsense/snapshots/hbsd-exp-09/ (UK)
http://mirror.sfo12.us.leaseweb.net/opnsense/snapshots/hbsd-exp-09/ (US West Coast)
http://mirrors.nycbug.org/pub/opnsense/snapshots/hbsd-exp-09/ (US East Coast)
https://opnsense.aivian.org/snapshots/hbsd-exp-09/ (China)

Title: Re: New HardenedBSD Build
Post by: lattera on March 07, 2016, 09:33:51 am
Thanks a lot, Franco! I appreciate it!
Title: Re: New HardenedBSD Build
Post by: lattera on April 19, 2016, 04:21:37 am
I've now published a new build that has the pfSense and OPNsense vulnerability fixes, along with PIEified base and base compiled with RELRO + BIND_NOW (brand spankin' new features hot off the press from HardenedBSD). The usual caveats apply (no wireless, no pfsync, no binary updates) due to ENOTIME. Integriforce in whitelisting mode is still active and working flawlessly.

Download here: https://hardenedbsd.org/~shawn/opnsense/hbsd-exp-10-16.7/

I'm running it with Suricata in IPS mode and OpenVPN client enabled at home. Let me know if you have any issues.
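The April build is described as PIE with RELRO + BIND_NOW applied to base. Each of those is visible in the ELF image itself: PIE means the file is ET_DYN rather than ET_EXEC, RELRO shows up as a PT_GNU_RELRO program header, and BIND_NOW as DT_BIND_NOW, DF_BIND_NOW in DT_FLAGS or DF_1_NOW in DT_FLAGS_1 in the dynamic section; all three together give "full RELRO", where the GOT is resolved at load time and then made read-only. The following is an added checker that reads those fields directly, not code from HardenedBSD or OPNsense; it handles little-endian ELF64 only, and the two images it inspects are constructed inline (on a real box you would point it at files under /usr/bin or compare against `readelf -d` / `readelf -l`).

```python
import struct

# ELF constants (values from the ELF specification and the GNU/ELF ABI).
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_GNU_RELRO = 2, 0x6474E552
DT_NULL, DT_NEEDED, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 1, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1


def elf_hardening(data):
    """Report pie / relro / bind_now for a little-endian ELF64 image in `data`."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 images are handled here")
    e_type, = struct.unpack_from("<H", data, 16)
    e_phoff, = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    relro = bind_now = False
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, _flags, p_offset, _va, _pa, p_filesz = struct.unpack_from("<IIQQQQ", data, off)
        if p_type == PT_GNU_RELRO:
            relro = True
        elif p_type == PT_DYNAMIC:
            # Walk the dynamic section until DT_NULL, looking for any BIND_NOW spelling.
            for doff in range(p_offset, p_offset + p_filesz, 16):
                tag, val = struct.unpack_from("<qQ", data, doff)
                if tag == DT_NULL:
                    break
                if (tag == DT_BIND_NOW
                        or (tag == DT_FLAGS and val & DF_BIND_NOW)
                        or (tag == DT_FLAGS_1 and val & DF_1_NOW)):
                    bind_now = True
    return {"pie": e_type == ET_DYN, "relro": relro, "bind_now": bind_now,
            "full_relro": relro and bind_now}


def build_elf(e_type, dyn_tags, with_relro):
    """Construct a minimal ELF64 image: header, program headers, dynamic section."""
    dyn = b"".join(struct.pack("<qQ", t, v) for t, v in dyn_tags) + struct.pack("<qQ", DT_NULL, 0)
    nph = 2 if with_relro else 1
    phoff, phentsize = 64, 56
    dyn_off = phoff + nph * phentsize
    phdrs = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, 0, 0, len(dyn), len(dyn), 8)
    if with_relro:
        phdrs += struct.pack("<IIQQQQQQ", PT_GNU_RELRO, 4, 0, 0, 0, 0, 0, 1)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8   # ELF64, LE, version 1
    hdr = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, phoff, 0, 0,
                              64, phentsize, nph, 64, 0, 0)
    return hdr + phdrs + dyn


def demo():
    """Constructed before/after pair: a plain ET_EXEC vs a PIE with full RELRO."""
    unhardened = build_elf(ET_EXEC, [(DT_NEEDED, 0)], with_relro=False)
    hardened = build_elf(ET_DYN, [(DT_NEEDED, 0), (DT_FLAGS, DF_BIND_NOW),
                                  (DT_FLAGS_1, DF_1_NOW)], with_relro=True)
    return elf_hardening(unhardened), elf_hardening(hardened)


if __name__ == "__main__":
    for label, report in zip(("unhardened", "hardened"), demo()):
        print(label, report)
```

Partial RELRO (PT_GNU_RELRO present but no BIND_NOW) leaves the GOT writable for lazily bound symbols, which is why the report carries a separate `full_relro` key: that is the combination the post's "RELRO + BIND_NOW" refers to.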
Title: Re: New HardenedBSD Build
Post by: lattera on April 19, 2016, 04:23:46 am
Also, Weust, FreeBSD made changes to HYPERV thingies. Can you let me know if you upgrade and if it succeeds/fails?
Title: Re: New HardenedBSD Build
Post by: franco on April 19, 2016, 07:23:35 am
I pushed them to the mirrors and they should sync soon, e.g.:

http://mirror.wjcomms.co.uk/opnsense/snapshots/hbsd-exp-10/

Hyper-V changes have been a bit of back and forth, but I think the current 11-CURRENT is ok.

PS: Thanks Shawn for providing a new build with your busy schedule! :)
Title: Re: New HardenedBSD Build
Post by: weust on April 19, 2016, 08:31:49 am
Downloaded the ISO and will test and report tonight.
Title: Re: New HardenedBSD Build
Post by: lattera on May 04, 2016, 02:52:07 pm
New builds have been published. Usual caveats apply. To upgrade: backup your config, reinstall, restore config. This build includes the OpenSSL fixes and application of PIE + RELRO + BIND_NOW to more programs. You'll notice that I'm also not doing any Netgate builds and that I now support PC-Engines APU2.

Download here: https://hardenedbsd.org/~shawn/opnsense/hbsd-exp-11-16.7/
Title: Re: New HardenedBSD Build
Post by: weust on May 04, 2016, 03:11:31 pm
Will this include the memory leak fixes in FreeBSD you mentioned, that I possibly ran into?
Title: Re: New HardenedBSD Build
Post by: lattera on May 04, 2016, 05:49:59 pm
FreeBSD has been going to town on code correctness, including fixing memory leaks in various places. Whether this fixes your specific memory leak is another issue. I'm unsure where your memory leak is coming from as it stands. However, I've got this build installed on multiple appliances and am keeping an eye on it.
Title: Re: New HardenedBSD Build
Post by: weust on May 04, 2016, 07:03:16 pm
I started to keep a log last night, to note down the memory usage (from the Dashboard) every day.
Will start over once I've installed Exp 11.