FreeBSD Hardening Project


TrustedBSD Project Announced

On April 9, 2000, the TrustedBSD Project was announced, which replaces the FreeBSD hardening project, bringing in the POSIX.1e DAC, privilege and MAC improvements. As such, the FreeBSD Hardening Project is now defunct, please update your links.

POSIX.1e implementation underway!

March 3, 1999

An implementation of POSIX.1e for FreeBSD is underway.


The FreeBSD operating system provides an excellent high-performance platform for most network services. However, the traditional security approach taken in developing FreeBSD has been that of an open system -- in the large majority of cases, restricting access unnecessarily is not an advantage. While there are no known gaping holes in the FreeBSD security architecture, it is vulnerable if a root compromise occurs. Similarly, there are many services offered that leak information that, in a secure environment, might provide attackers with more information than they strictly require as users.

The goal of the FreeBSD Hardening Project is to develop a set of modifications to the base FreeBSD system that, when applied, allow for a far more secure environment. Services would, in general, be disabled until specifically enabled -- much like modern firewall policies. Currently, the medium of choice for delivering these changes is through a port. This port would be applied only to base systems, as modifications on top of base systems would not have been accounted for in the design of the port. This is not unlike the C2 certification applying to a specific system configuration.


The FreeBSD security framework suffers from a number of significant problems:


The implementation must provide:


Our goal is to provide two tools -- one that allows the determination of a system policy for security, and then other to implement that policy. In this manner, a centrally managed security policy could be developed, and then applied to a larger number of workstations or servers.

The initial implementation of a subset of the desired features is now under way, but is not yet available. This implementation will include a rudimentary policy manager to manage inetd.conf daemons and setuid/setgid binaries, along with information on the effects of disabling or limiting the scope of these features. Kernel modifications will not be available in this initial release.

A sample policy of one possible policy description language may be found here; a sample policy for a hardened system may be found here. This language definition is still in flux, and may change daily.


Not much is available for download at this point.


Discussion of the FreeBSD Hardening Project may be found on the freebsd-security mailing list.


Email Contact

Email Robert Watson for more information or to suggest changes to this page. The freebsd-security mailing list is our playground.

Last modified: Sat Nov 6 16:38:38 EST 1999