views:

493

answers:

3

I am aware of the Hardened Linux from Scratch project which is a project that provides you with step-by-step instructions for building your own customized and hardened Linux system entirely from source. I would like to know what is the equivalent in BSD?

+1  A: 

OpenBSD is hardened "by default" from the installation. Only the admin opens it up... component by component.

[UPDATE] While I have not read the document for hardening Linux... some of the same things might apply... for example, they both use OpenSSH, so the strategies would be the same. So where there is module overlap, the same would apply.

Richard
+1  A: 

As Richard said, OpenBSD is definitely worth a go; it is my #1 choice for everything that is dedicated to firewalls and gateways. For other services I tend to stick to FreeBSD, although there is no obvious reason for it, just a personal preference.

But I would like to point out that the 'from scratch' part of the concept, if you want to do more secure hosting of a service, can be much better done using Jails. In essence you create a limited FreeBSD environment on a full FreeBSD install. In that limited environment you only copy/link those binaries and files that the service requires to run.

Because the hosted service has no access to any other files/binaries, all the potential security flaws in those things aren't open to exploit. If by chance your application gets 'rooted', it will not go beyond the boundaries of the jail.

See it as a sandbox on steroids with negligible performance penalties.

Martin P. Hellwig
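The jail approach in the answer above, as an added example that is not part of the original post or of FreeBSD's own tooling: a POSIX sh script that populates a jail root with only one daemon and the shared libraries ldd(1) says it loads, then emits a jail.conf(5) stanza for it. The jail name, root path, address (an RFC 5737 documentation address) and the choice of sshd as the hosted service are all assumptions made for the illustration.

```shell
#!/bin/sh
# Build a minimal FreeBSD jail that contains only the binaries one service needs.
# Example code for illustration, not from the original answer. Assumes FreeBSD
# with jail(8)/jail.conf(5); JAIL_NAME, JAIL_ROOT, JAIL_IP and the sshd service
# are assumptions, override them in the environment.
set -eu

JAIL_NAME=${JAIL_NAME:-svc}
JAIL_ROOT=${JAIL_ROOT:-/jails/$JAIL_NAME}
JAIL_IP=${JAIL_IP:-192.0.2.10}          # RFC 5737 documentation address, assumed
SERVICE=${SERVICE:-/usr/sbin/sshd}       # the one daemon the jail exists for, assumed

# Turn ldd(1) output (read from stdin) into the absolute library paths a binary
# loads. Lines look like "\tlibc.so.7 => /lib/libc.so.7 (0x8002...)"; lines
# without "=>" (the binary name header) are dropped.
ldd_paths() {
    sed -n 's/.*=> *\(\/[^ ]*\).*/\1/p'
}

# Copy one file into the jail root, recreating its directory and keeping mode/owner.
install_into_jail() {
    src=$1
    mkdir -p "$JAIL_ROOT$(dirname "$src")"
    cp -p "$src" "$JAIL_ROOT$src"
}

# Copy a binary, every shared library it links against, and the runtime linker.
# Nothing else from the host is made visible to the jailed process.
install_binary() {
    bin=$1
    install_into_jail "$bin"
    for lib in $(ldd "$bin" | ldd_paths); do
        install_into_jail "$lib"
    done
    [ -e /libexec/ld-elf.so.1 ] && install_into_jail /libexec/ld-elf.so.1
}

# Emit the jail.conf(5) stanza; devfs ruleset 4 is the stock "devfsrules_jail"
# ruleset from /etc/defaults/devfs.rules, which hides most device nodes.
jail_conf() {
    cat <<EOF
$JAIL_NAME {
    path = "$JAIL_ROOT";
    host.hostname = "$JAIL_NAME.example.invalid";
    ip4.addr = "$JAIL_IP";
    exec.start = "$SERVICE";
    allow.raw_sockets = 0;
    mount.devfs;
    devfs_ruleset = 4;
    persist;
}
EOF
}

# Only act when invoked as "script build"; sourcing the file defines the functions.
case ${1:-} in
    build)
        mkdir -p "$JAIL_ROOT"
        install_binary "$SERVICE"
        jail_conf >> /etc/jail.conf
        echo "jail root populated at $JAIL_ROOT; start with: jail -c $JAIL_NAME"
        ;;
esac
```

The script deliberately copies only the executable and its libraries; a real daemon also needs its own config files, any users it drops privileges to (for sshd, the privilege-separation account in the jail's /etc/passwd) and a minimal /dev, which devfs supplies. Everything not copied in simply does not exist from the jail's point of view, which is the property the answer relies on.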
A: 

You don't really do BSD 'from scratch'. All of the major projects come with a complete system in a single source repository, so you're not grabbing a kernel from here, binutils and a compiler from over there, C libraries and standard utilities from somewhere else and X from yet another place.

They are generally easier to get all the source for and to rebuild the entire system than your average Linux distro, but that's not really customizing anything.

You could try to do something nuts, like perhaps trying to get the OpenBSD userland to run on a NetBSD kernel with FreeBSD ports, but you'd be on your own and it certainly wouldn't be 'hardened'.

Jeremy Huiskamp