Subject: Preventative security features?
To: None <tech-security@netbsd.org>
From: Dmitri Nikulin <setagllib@optusnet.com.au>
List: tech-security
Date: 11/11/2004 23:41:06
Is there any reason NetBSD doesn't implement many preventative security
features? Even FreeBSD has quite a lot imported/cloned from OpenBSD (I'm
assuming so anyway, since that's where they'd come from), but NetBSD
doesn't seem to have many, even those that could be implemented as
2/3-liners portably. NetBSD has the passive security that comes from
good code, but a little extra can't hurt.
If nobody else wants to do it, I could try my hand at porting some
features, or at least reproducing. Browsing over FreeBSD 5.3-STABLE
source, I'm seeing things like this...
    if (blackhole) {
        switch (blackhole) {
        case 1:                 /* drop only SYNs */
            if (thflags & TH_SYN)
                goto drop;
            break;
        case 2:                 /* drop everything */
            goto drop;
        default:                /* any other non-zero value: also drop everything */
            goto drop;
        }
    }                           /* closes if (blackhole) */
...that deserve http://thedailywtf.com/ inclusion. Clearly rewrites are
the way here.
Is there a reason these things (blackholes, randomization of kernel
data, etc) aren't done in NetBSD? If not, does anybody object to work
done to bring them into -current? I'd certainly like features like
that, even if I have to code them myself.
At the very least, the ability to run nmap against a NetBSD machine and
have it be completely unknown, even with plenty of open and closed ports
available. Free and OpenBSD can do this just with a few sysctl runs,
Linux stands no chance, but NetBSD should be up with its brothers and
not alongside Linux.
So what does everyone think? If there are no objections, I can start
toying about with -current to see if it's practical. I have i386 and
sgimips to test on, but it shouldn't end up being arch dependent. This
would certainly give admins even more reason to run NetBSD on hardened
servers, besides the cleanliness and stability.