@emaste I apologize if I'm sending this question to the wrong person. If I did, please let me know who I should redirect to.

I recently wholesale replaced the README.md file with the main #HardenedBSD documentation. Previously, README.md was left untouched.

I just now realized I might have removed some language that might be legally required regarding #FreeBSD. For example, licensing and copyright information.

I would be happy to re-add that language, or anything else legally required, on the main README.md file--what gets displayed first in a web browser: https://radicle.network/nodes/rad.hardenedbsd.org/rad:z4Aucnb2nozutuek6o8PC9YfaBeTm

(That is the link to our lighter-weight documentation repo. The README.md in our src tree comes from that.)

Would you happen to know, or could direct me to someone who would, whether I need to re-add any language?

(Public visibility on this question to help maintain transparency around a potentially sensitive subject. I realize most folks would likely rather send an email.)

I'm thinking of running the Cross-DSO CFI feature branch on my main #HardenedBSD Dell laptop again, especially now that #llvm has been updated to 21 in base.

One wonderful thing about migrating from #GitLab to #Radicle is that we got rid of our one and only #Linux VM. The #HardenedBSD dev/build infrastructure now runs 100% on HardenedBSD (rather than 99% 🙂).

Edit[0]: Clarified that it's the dev/build infrastructure that's 100% HardenedBSD. We do have one off-site backup system (maintained by a trusted third party) running OpenBSD.

This #FreeBSD bug highlights a strength of one of the features that makes #HardenedBSD attractive: optional blocking of loading of kernel modules.

HardenedBSD provides a sysctl node: hardening.pax.kmod_load_disable. By default, it is set to 0, permitting loading of kernel modules. When set to 1, loading kernel modules is prohibited. When set to 2, loading kernel modules is prohibited and a reboot is required to permit loading kernel modules once again.

HardenedBSD also has a notion of "insecure/untrusted" kernel modules. Some kernel modules in base, most notably the #Linux syscall emulation layer known as the linuxulator, are explicitly marked as untrustworthy. Users wishing to use those kernel modules must explicitly tag them as trusted (hbsdcontrol pax disable insecure_kmod /path/to/kernel/module.ko). Only then will the kernel module be permitted to load (the hardening.pax.kmod_load_disable sysctl node does need to be set to 0).

These two features can help protect users against situations where kernel modules get autoloaded, like with puppet, ifconfig, zfs, and other tools.

#infosec #FatGid

295485 – need a way to block zfs.ko from being autoloaded by tools like puppet and facter (FatGID Vuln / CVE-2026-45250)
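
Added example (not part of the post above, and not HardenedBSD project code): a POSIX shell helper that takes the value of hardening.pax.kmod_load_disable plus kldstat output and reports whether every module a host needs is already loaded before loading is blocked. The function names, the module list and the sample kldstat text are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not HardenedBSD project code. Pure text processing, so it
# can be tried anywhere; on HardenedBSD feed it live data:
#   kmod_lock_advice "$(sysctl -n hardening.pax.kmod_load_disable)" "$(kldstat)" zfs.ko

# Print the required modules ($2...) that are absent from kldstat output ($1).
missing_modules() {
    loaded=$(printf '%s\n' "$1" | awk 'NR > 1 { print $5 }')  # Name column
    shift
    out=
    for mod in "$@"; do
        printf '%s\n' "$loaded" | grep -qxF -- "$mod" || out="$out $mod"
    done
    printf '%s' "${out# }"
}

# $1 = sysctl value, $2 = kldstat output, rest = modules the host needs.
# Values follow the post: 0 permits loading, 1 prohibits it,
# 2 prohibits it until the next reboot.
kmod_lock_advice() {
    value=$1; kld=$2; shift 2
    missing=$(missing_modules "$kld" "$@")
    case $value in
        0) if [ -z "$missing" ]; then echo "open: safe to set 1 or 2"
           else echo "open: load first: $missing"; fi ;;
        1) if [ -z "$missing" ]; then echo "blocked"
           else echo "blocked: set 0 to load: $missing"; fi ;;
        2) if [ -z "$missing" ]; then echo "blocked until reboot"
           else echo "blocked until reboot: cannot load: $missing"; fi ;;
        *) echo "unknown value: $value"; return 1 ;;
    esac
}

# Constructed sample in kldstat's column layout (Id Refs Address Size Name).
SAMPLE_KLDSTAT='Id Refs Address                Size Name
 1   12 0xffffffff80200000  1f3c6c0 kernel
 2    1 0xffffffff8213d000   5da658 zfs.ko'
```

Plain kldstat lists loaded linker files only, so a driver compiled into the kernel will show up as missing here even though it is available.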

HardenedBSD Review

Like FreeBSD is

#HardenedBSD 15 build 16 has been released ( #FreeBSD / #386BSD / #BSD / #Unix ) https://hardenedbsd.org/

Suspicious Configurations on their site

Current status: Integrating with our build scripts an export of the #HardenedBSD src and ports repos from #Radicle storage.