Subject: Re: NetBSD being used as the core for secure OS distro
To: Shane M. Coughlan <email@example.com>
From: Charles Blundell <firstname.lastname@example.org>
Date: 09/25/2003 15:11:52
on Thu, Sep 25, 2003 at 11:38:36AM +0100, Shane M. Coughlan wrote:
> The end result will ideally be a BSD which has a controlled amount of
> packages on it. One of the first stages of the security kit will be the
> creation of a file-checker to verify each of the applications and libraries
> on the system when it boots. Another will be the implimentation of
> automatic file-encryption in certain areas of the system. From a
> clean-install security measures will be built to create a system that is
> relatively secure. I am examining TCFS (transparent cryptographic file
> system) as a possible way of making sure user-files are safe, and I'm
> looking with interest at Reiser4, though I am aware that it's a LONG way
> from finished.
Three things you may wish to look at in NetBSD-current:
* verifiedexec - upload fingerprint of binaries that may be executed into
the kernel. binaries whose fingerprints do not match cannot be executed.
* cgd - disk-based encryption
(if you want "users" to encrypt individual files then you probably
don't gain much in using tcfs instead of gpg.)
* systrace - security policies for individual processes.
Also, -current has a non-executable stack, and other regions, depending
on what architecture you are using.
> Now, my question...I was drawn to NetBSD because of its small size (not much
> package litter in basic install...wonderful) and its portability. However,
> I notice the consensus online appears to be that NetBSD is mainly for
> academic use, and that FreeBSD is better for commercial use, especially
> things like servers.