Subject: Re: NetBSD being used as the core for secure OS distro
To: Shane M. Coughlan <>
From: Charles Blundell <>
List: netbsd-users
Date: 09/25/2003 15:11:52
on Thu, Sep 25, 2003 at 11:38:36AM +0100, Shane M. Coughlan wrote:
> The end result will ideally be a BSD which has a controlled amount of
> packages on it.  One of the first stages of the security kit will be the
> creation of a file-checker to verify each of the applications and libraries
> on the system when it boots.  Another will be the implementation of
> automatic file-encryption in certain areas of the system.  From a
> clean-install security measures will be built to create a system that is
> relatively secure.  I am examining TCFS (transparent cryptographic file
> system) as a possible way of making sure user-files are safe, and I'm
> looking with interest at Reiser4, though I am aware that it's a LONG way
> from finished.

Three things you may wish to look at in NetBSD-current:

 * verifiedexec - upload fingerprint of binaries that may be executed into
 the kernel. binaries whose fingerprints do not match cannot be executed.

 * cgd - disk-based encryption

  (if you want "users" to encrypt individual files then you probably
   don't gain much in using tcfs instead of gpg.)

 * systrace - security policies for individual processes.

Also, -current has a non-executable stack, and other regions, depending
on what architecture you are using.

> Now, my question...I was drawn to NetBSD because of its small size (not much
> package litter in basic install...wonderful) and its portability.  However,
> I notice the consensus online appears to be that NetBSD is mainly for
> academic use, and that FreeBSD is better for commercial use, especially
> things like servers.

"what consensus?"