Have you used HardenedBSD ? Did you like it ?

john_rambo

john_rambo

https://hardenedbsd.org/content/about

I am using GhostBSD. I like it. Its quite user friendly. I searched about which is the most secure OS & found 2. The first one is OpenBSD & the second is HardenedBSD. I care a lot about security so I am curious.
Is HardenedBSD really more secure than GhostBSD/FreeBSD ?
Have you used HardenedBSD ? Did you like it ?
 
gpw928 said:
You might get more feedback form the OPNsense forums, as is is based on HardenedBSD.
Click to expand...
I am at the moment using 4G internet. I am stuck with ISPs router. In future I am going to use a fiber connection. If OPNsense is based on HardenedBSD I will definitely use OPNsense. My plan was to use PFsense but I guess OPNsense is more secure. Thanks for the info.
 
I like both, and I both appreciate those projects, they are very important. I have used HardenedBSD on some servers, however, testing updates was too time-intensive so we switched to FreeBSD. Some updates break stuff so be prepared for that. I hope we do get some of the great features of HardenedBSD upstreamed/ported to FreeBSD because they really make sense. FreeBSD lacks quite some security features compared to other operating systems, but also note that some of those mitigation technologies make the code more complex and might introduce more bugs so this also is a philosophical question.

However, I think (fuzz) testing etc. is better in FreeBSD, so there might be some bugs in HardenedBSD but that is just what my wild feelings are suggesting.

I have used OpenBSD for firewalls, servers and on my personal desktop. The biggest draw for me was that at that time you had to run -current to get pkg-updates in a timely manner, so i switched my desktops to FreeBSD. Plus: i consider having a patched browser more important than having an ultra-secure OS.
 
rootbert said:
. FreeBSD lacks quite some security features compared to other operating systems
Click to expand...
Can you please explain what you mean by that ? Honestly I am a bit scared after reading that.
The only reason I switched from Linux to GhostBSD is because I read BSD is more secure.
 
john_rambo said:
Can you please explain what you mean by that ? Honestly I am a bit scared after reading that.
Click to expand...
Don't be scared. The OP is probably talking about ASLR and W^X, security features that have been implemented in OpenBSD and HardenedBSD. These features are not currently in FreeBSD, but may be added at some point.
john_rambo said:
The only reason I switched from Linux to GhostBSD is because I read BSD is more secure.
Click to expand...
Security isn't a product, it's a process. And any operating system can be rendered insecure through bad practices. OpenBSD is deemed slightly more secure at install by turning off or not loading unneeded services to reduce the attack surface. FreeBSD doesn't do this by default and has been criticised for that here. However, if you follow best security practices then FreeBSD can be as secure as any other general purpose OS.
 
fraxamo said:
Don't be scared. The OP is probably talking about ASLR and W^X, security features that have been implemented in OpenBSD and HardenedBSD. These features are not currently in FreeBSD, but may be added at some point.

Security isn't a product, it's a process. And any operating system can be rendered insecure through bad practices. OpenBSD is deemed slightly more secure at install by turning off or not loading unneeded services to reduce the attack surface. FreeBSD doesn't do this by default and has been criticised for that here.
Click to expand...
Okay, that's a relief. After reading the official doc of GhostBSD I found that the firewall is enabled by default. Other than that what I do is check for updates on a daily basis & install them as soon as they are offered.

In your opinion is that enough ? If not what other steps should I take ?
 
john_rambo said:
Can you please explain what you mean by that ? Honestly I am a bit scared after reading that.
The only reason I switched from Linux to GhostBSD is because I read BSD is more secure.
Click to expand...
The best way to gain confidence and make informed decisions about security is to gain knowledge about what exactly security features protect against, why they do it, benefits and disadvanteages of different ways of doing things etc. – it's a good way to overcome fear and anxiety.

Try some stuff out, try to break it for yourself, test out some security features and weaknesses on a toy system (in a virtual machine, for example) and read reports about real-world security problems. It's a lot of information, and some stuff will be forever mysterious to most people (like the mathematics behind encryption) – but to learn is the best way to gain confidence :)

Oh, and don't forget to talk to others about what you learned. It protects you from "living in your own world" of incomplete information ;)
 
fraxamo said:
OpenBSD is deemed slightly more secure at install by turning off or not loading unneeded services to reduce the attack surface. FreeBSD doesn't do this by default and has been criticised for that here.
Click to expand...
Errr, FreeBSD does that as well. A default installation doesn't have any processes listening and/or reacting to network connections. SSH for example isn't turned on by default unless you set this up yourself.
 
mtu

I was using Linux before & now I am using GhostBSD. One issue that I don't worry about in both these platforms is viruses.
While using Linux I never installed anything outside of the official repos. I still follow that same rule for GhostBSD.

Now the second point >> Click here ...... Why I decided to quit Linux & install BSD.

Officially, Linux is just a kernel. Linux distributions have to do the work of bringing together all the software required to create a complete Linux OS and combining it into a Linux distribution like Ubuntu, Mint, Debian, Fedora, Red Hat, or Arch. There are many different Linux distributions.


In contrast, the BSDs are both a kernel and an operating system. For example, FreeBSD provides both the FreeBSD kernel and the FreeBSD operating system. It’s maintained as a single project. In other words, if you want to install FreeBSD, you just install FreeBSD. If you want to install Linux, you’ll need to choose among the many Linux distributions first.
Click to expand...

The third point is IPFW Vs Iptables which offers more protection ? I didn't find any clear answer on the web so I guess I will to do so pen testing to find that.
 
rootbert said:
Plus: i consider having a patched browser more important than having an ultra-secure OS
Click to expand...
I used OpenBSD in the past for 3-4 months. I too noticed this characteristic. I was able to update the OS but not the apps like Firefox. Can someone who uses OpenBSD or used OpenBSD in the past tell me the reason behind this approach ?

Under GhostBSD I run the following command and everything is updated :

Code: 
sudo pkg update -f
sudo pkg upgrade

By the way that was not the reason why I discontinued OpenBSD. I ran an update which messed up the GUI. When I booted the GUI (XFCE) won't load. So I moved to Linux.
 
tingo said:
Instead of fixing the OpenBSD problem? If you did switch right away, without trying to fix it, that doesn't show a lot of stamina and eagerness to learn. Just sayin' ...
Click to expand...
There's a reason for that. I have only 1 desktop at home. So it was not possible for me to do the necessary research about the problem. Frankly I just panicked. When I later got a functional desktop environment I found that it was not only me but some other people faced the same issue.

http://daemonforums.org/showthread.php?t=10812
 
fraxamo said:
I was referring to services like Sendmail that are enabled by default on FreeBSD, but not on OpenBSD. Apologies for not making that clearer.
Click to expand...
And those don't listen for incoming connections ?

The one service which is bound on all nics listens but doesn't respond. But that one also isn't enabled by default.
 
OpenBSD has some great features so is worth checking out. However it does lack a little in other areas. For example they do have a good memory error catching system but they also lack AddressSanitizer.

Likewise, they have a pretty secure by default system and a chroot'ed (and audited) web server built in. But they lack full fledged Jails.

Obviously I am not qualified to truely decide if AddressSanitizer and Jails are better or worse approaches to theirs.
rootbert said:
Plus: i consider having a patched browser more important than having an ultra-secure OS.
Click to expand...
It depends if those patches are security patches or feature patches. Many patches open up security holes by adding new and wonderful (mis-)features. Instead, OpenBSD has done some good work with pledge and unveil to reduce the browsers reach to the rest of the system. I think their browser is also fairly up-to-date so I am not sure which I would recommend.

Same with Iridium, it has privacy / self-auditing features within the codebase but it can lag behind on versions. Perhaps it is in the weird position of being more private but less secure.

We are always playing catchup when it comes to browsers so Jails or VMs is generally my recommended approach.
 
john_rambo said:
I used OpenBSD in the past for 3-4 months. I too noticed this characteristic. I was able to update the OS but not the apps like Firefox. Can someone who uses OpenBSD or used OpenBSD in the past tell me the reason behind this approach ?
Click to expand...
OpenBSD focuses on a stable and secure base system, as well as up-to-date server applications. Firefox is a purely graphical application for desktop end-users. It's just a very low priority for the OpenBSD project as a whole.

Running OpenBSD and complaining about Firefox is like working at NASA and complaining about the coffee. It's NASA, not Starbucks ;)
 
mtu said:
OpenBSD focuses on a stable and secure base system, as well as up-to-date server applications. Firefox is a purely graphical application for desktop end-users. It's just a very low priority for the OpenBSD project as a whole.

Running OpenBSD and complaining about Firefox is like working at NASA and complaining about the coffee. It's NASA, not Starbucks ;)
Click to expand...
I am not trying to argue. I am just trying to learn. Don't you think FreeBSD does the same thing ? I mean FreeBSD too focuses on a stable and secure base & both FreeBSD & OpenBSD are meant for servers. This is the reason why GhostBSD exists. But despite being a server OS FreeBSD offers updates for graphical apps like Firefox. As you know what the GhostBSD team has done is they took FreeBSD & did the neccesarry tweaking so that an average desktop user can take advantage of the excellent base of FreeBSD.
 
john_rambo said:
I am not trying to argue. I am just trying to learn. Don't you think FreeBSD does the same thing ? I mean FreeBSD too focuses on a stable and secure base & both FreeBSD & OpenBSD are meant for servers. This is the reason why GhostBSD exists. But despite being a server OS FreeBSD offers updates for graphical apps like Firefox. As you know what the GhostBSD team has done is they took FreeBSD & did the neccesarry tweaking so that an average desktop user can take advantage of the excellent base of FreeBSD.
Click to expand...
You're doing well with learning :) Discussions like these will bring you more understanding. (And to me, and almost everyone else. If someone says they already know everything, they are always wrong ;))

In comparison with OpenBSD and GhostBSD, I would says that FreeBSD in "in-between". There's more focus on the graphical desktop and end-user applications in FreeBSD, but not enough for most people who are used to other operating systems. Which is the reason why GhostBSD exists, so you're right about that.
 
john_rambo said:
I am not trying to argue. I am just trying to learn. Don't you think FreeBSD does the same thing ? I mean FreeBSD too focuses on a stable and secure base & both FreeBSD & OpenBSD are meant for servers. This is the reason why GhostBSD exists. But despite being a server OS FreeBSD offers updates for graphical apps like Firefox. As you know what the GhostBSD team has done is they took FreeBSD & did the neccesarry tweaking so that an average desktop user can take advantage of the excellent base of FreeBSD.
Click to expand...
I'm not sure where I read it, maybe on this very forum: "Security is more a feeling than a reality".

My point is: if you have one or several servers exposed on the internet with one or more services running on it, you have to be seriously concerned with security. And it's a full-time job.

If you speak about a user on a desktop station, you have just to avoid the most used OSes on the earth and security is done. From this point of view, FreeBSD (and its derivates) is ultra-secure. Of course, it remains some minor problems related to the browsers. And what you can only do is to update them as often as possible.
 
  • Like
Reactions: mtu
john_rambo said:
Can you please explain what you mean by that ? Honestly I am a bit scared after reading that.
The only reason I switched from Linux to GhostBSD is because I read BSD is more secure.
Click to expand...
The Linux kernel offers all kinds of bells and whistles regarding security - it offers the grsecurity/PaX patchset, apparmor/tomoyo/SELinux security framework, strong ASLR, trusted path execution, various stack protection functionalities, seccomp etc. and some distros offer additional userspace protections like position independent code/executables, pointer obfuscations, stack/heap protections and whatnot. However, all of those features introduce quite some more lines of code, and if you have a big chunk of sourcecode you have quite some bugs also in it. The Linux kernel consists of far more code than the clean kernel of FreeBSD, maybe even than the whole FreeBSD operating system. Also, just look at Ubuntu: there you have a kernel update roughly weekly, and those updates also introduce some regressions. To emphasize this argument, just look at the number of CVEs: FreeBSD CVEs vs Linux Kernel CVEs - here you see that the the Linux kernel alone (without the tools of a base system like Debian or Ubuntu) has far more vulnerabilities than the whole FreeBSD operating system. But also note: just taking the number of CVEs into account for measuring a systems security is not enough.

And while those security frameworks are nice and interesting and do make sense in some environments, just look around at some tutorials about RedHat/Centos: most of them suggest to turn off SELinux in the first paragraph, otherwise the stuff you are configuring won't work - so what's the use of a security framework if you have to turn it of for most of the software you are trying to run? Even if you choose to develop all those complex SELinux rulesets, it is a hell lot of work!

It is not that FreeBSD is lacking all of the features I mentioned above, it just offers not that many. FreeBSD is a quite secure system, and most importantly: security is regarded as important by it's developors. Thats why we have the intrustion detection system feature of the base system, pkg audit and vuxml, security announcements etc. I can tell you that having a patched version of Firefox/Chromium is very important for desktop systems, and the situation with Firefox is very good: we get new versions as fast as with the most secure Linux distributions out there. Furthermore, I have been tracking the security issues of the stacks my clients use (various: mysql, postgresql, nginx, apache, php, nodejs, python, dovecot, postfix, samba, haproxy etc.) on their servers since 2016 and I can tell you that for most of the software packages FreeBSD is among the fastest systems to patch them! FreeBSD offers nice tools for you to have a very secure workstation/server (have a look at jails, or capsicum if you are a developer). I have switched from OpenBSD to FreeBSD on my workstations and do consider them more secure now.

fraxamo said:
...

Security isn't a product, it's a process. And any operating system can be rendered insecure through bad practices. OpenBSD is deemed slightly more secure at install by turning off or not loading unneeded services to reduce the attack surface. FreeBSD doesn't do this by default and has been criticised for that here. However, if you follow best security practices then FreeBSD can be as secure as any other general purpose OS.
Click to expand...
! ^^ this cannot be emphasized enough. The process is far more important than what operating system you are using.
 
Emrion
Yes, I am using GhostBSD purely as a desktop OS. Nothing is exposed to the web. I ran a nmap scan just to make sure that no ports are open.
rootbert
I learned a lot.

Thanks to both.
 
john_rambo said:
both FreeBSD & OpenBSD are meant for servers
Click to expand...
Well, www.freebsd.org says:
FreeBSD is an operating system used to power modern servers, desktops, and embedded platforms.
Click to expand...
One could also say Linux is meant for servers because it is the most common OS on web servers, while its market share on desktop computers is low. Does this make sense? No. Both FreeBSD and Linux are full featured operating systems that can be used for almost whatever you want. They just happen to be more successful on the server market than the desktop, but things may change with time, especially with the bloated spyware, respectively the locked down toy Windows & MacOS have become.

Speaking about security by default, the FreeBSD installer does ask you whether you want to enable a few security hardening options.
docs.freebsd.org

Chapter 2. Installing FreeBSD

Guide about how to install FreeBSD, the minimum hardware requirements and supported architectures, how to create the installation media, etc
docs.freebsd.org docs.freebsd.org
I accepted them all so this should be the complete list of corresponding settings:

/etc/rc.conf
clear_tmp_enable="YES" syslogd_flags="-ss" sendmail_enable="NONE"

/boot/loader.conf
security.bsd.allow_destructive_dtrace=0 kern.geom.label.disk_ident.enable="0" kern.geom.label.gptid.enable="0"

/etc/sysctl.conf
security.bsd.see_other_uids=0 security.bsd.see_other_gids=0 security.bsd.see_jail_proc=0 security.bsd.unprivileged_read_msgbuf=0 security.bsd.unprivileged_proc_debug=0 kern.randompid=1

/etc/ttys
Code: 
# name  getty                           type    status          comments
#
# If console is marked "insecure", then init will ask for the root password
# when going to single-user mode.
console none                            unknown off             insecure
 
You must log in or register to reply here.
Back
Top