This #FreeBSD bug highlights a strength of one of the features that makes #HardenedBSD attractive: optional blocking of loading of kernel modules.

HardenedBSD provides a sysctl node: hardening.pax.kmod_load_disable. By default, it is set to 0, permitting loading of kernel modules. When set to 1, loading kernel modules is prohibited. When set to 2, loading kernel modules is prohibited and a reboot is required to permit loading kernel modules once again.

HardenedBSD also has a notion of "insecure/untrusted" kernel modules. Some kernel modules in base, most notably the #Linux syscall emulation layer known as the linuxulator, are explicitly marked as untrustworthy. Users wishing to use those kernel modules must explicitly tag them as trusted (hbsdcontrol pax disable insecure_kmod /path/to/kernel/module.ko). Only then will the kernel module be permitted to load (the hardening.pax.kmod_load_disable sysctl node does need to be set to 0).

These two features can help protect users against situations where kernel modules get autoloaded, like with puppet, ifconfig, zfs, and other tools.

#infosec #FatGid

This kernel vulnerability in #FreeBSD is fully mitigated in #HardenedBSD by default: https://www.freebsd.org/security/advisories/FreeBSD-SA-26:21.ptrace.asc

HardenedBSD does not permit ptrace(PT_REMOTE_SC) by default. In fact, multiple sysctl nodes must be toggled to even support ptrace. We have a separate sysctl node for performing syscalls over the ptrace boundary (hardening.prohibit_ptrace_syscall, default 1).

The #HardenedBSD wiki is now on #Radicle: https://radicle.network/nodes/rad.hardenedbsd.org/rad:z4Aucnb2nozutuek6o8PC9YfaBeTm/tree/Home.md

RID: rad:z4Aucnb2nozutuek6o8PC9YfaBeTm