[CALL FOR TESTING] HardenedBSD's ASLR

[franco]

Super. So to go the extra mile before releasing it to the public, there is one last ASLR test kernel based on the current kernel (16.1.9 as 16.1.10 has no new kernel):

# opnsense-update -kr 16.1.9-aslr && /usr/local/etc/rc.reboot

Report back, even if ok. Thanks everyone!!!

[Solaris17]

I actually cant :/ I cant access my router VIA putty, Im certain the password for root is correct and even logged in via the GUI to change it incase it wasnt and yet I still receive Access Denied when attempting to login via SSH

[fabian]

Is password authentication enabled and allowed?

[Solaris17]

found it, It was; but allow root login wasn't checked.

[packet loss]

I'm using the ASLR based kernel with OPNsense 16.1.10. I'll report back in a few days if I notice any issues.

[franco]

Hello everyone,

All the commits have been moved into place for the new kernel with ASLR.

There is one final testing kernel that y'all can try out and report back. It would be nice to get a note in the form of "now running amd64 ASLR" or "now running i386 ASLR" respectively so we know that when there are no more reports about issues that we can go full-speed ahead.

The kernel is identical to 16.1.14 except for the ASLR additions. You can upgrade like this:

# opnsense-update -hkr 16.1.14-aslr && /usr/local/etc/rc.reboot

(-h is new, it will register the kernel as 16.1.14 instead so it is not lost on firmware upgrades that do not update the kernel.)

FWIW, now running amd64 ASLR


Cheers,
Franco

PS: You can confirm ASLR using the following command...

# dmesg | grep HBSD

[interfaSys]

Would be great to have a branch on Github for people who compile their own kernel

[franco]

The commits have been on the master branch of src.git for almost two months now.

The stable branches have been adjusted yesterday to build ASLR too.

I am unsure what you are referring to?

[interfaSys]

The commits have been on the master branch of src.git for almost two months now.

I saw 2 commits in March, but didn't know if changes were made after that.

The stable branches have been adjusted yesterday to build ASLR too.

I built "stable/16.1" yesterday, but didn't get a kernel with ASLR. I see now that there was a new commit made after my build, so will try again

[franco]

There were no changes after the merge on March 28. The only thing I had to change was to move the build options out of GENERIC (that was the third commit actually).

Build errors can happen on the master branches, questions can always be asked. For master there is still a bit of work to do with ports (e.g. the impending mpd4 removal) yet some things need to be stuck in order for stable to still work in the first place. Lots of bits and bolts, but nothing that a conversation and a manual edit can't solve.

Let me know how your build goes.

[interfaSys]

Building went fine. Same warnings were shown. I didn't see any new messages.
Same when running it, same old problems, nothing new so far

[interfaSys]

Oh yeah and I can't wait for PIE