Subject: Re: NetBSD being used as the core for secure OS distro
To: Shane M. Coughlan <shane_coughlan@hotmail.com>
From: Charles Blundell <cb@kittenz.org>
List: netbsd-users
Date: 09/25/2003 15:11:52
On Thu, Sep 25, 2003 at 11:38:36AM +0100, Shane M. Coughlan wrote:
> The end result will ideally be a BSD which has a controlled amount of
> packages on it.  One of the first stages of the security kit will be the
> creation of a file-checker to verify each of the applications and libraries
> on the system when it boots.  Another will be the implementation of
> automatic file-encryption in certain areas of the system.  From a
> clean-install security measures will be built to create a system that is
> relatively secure.  I am examining TCFS (transparent cryptographic file
> system) as a possible way of making sure user-files are safe, and I'm
> looking with interest at Reiser4, though I am aware that it's a LONG way
> from finished.

Three things you may wish to look at in NetBSD-current:

 * verifiedexec - upload fingerprint of binaries that may be executed into
 the kernel. Binaries whose fingerprints do not match cannot be executed.

   http://netbsd.gw.com/cgi-bin/man.cgi?veriexecctl++NetBSD-current
   http://netbsd.gw.com/cgi-bin/man.cgi?verifiedexec++NetBSD-current

 * cgd - disk-based encryption

   http://netbsd.gw.com/cgi-bin/man.cgi?cgdconfig++NetBSD-current
   http://netbsd.gw.com/cgi-bin/man.cgi?cgd++NetBSD-current

  (if you want "users" to encrypt individual files then you probably
   don't gain much in using tcfs instead of gpg.)

 * systrace - security policies for individual processes.

   http://netbsd.gw.com/cgi-bin/man.cgi?systrace++NetBSD-current
   http://netbsd.gw.com/cgi-bin/man.cgi?systrace+4+NetBSD-current

Also, -current has a non-executable stack, and other regions, depending
on what architecture you are using.

> Now, my question...I was drawn to NetBSD because of its small size (not much
> package litter in basic install...wonderful) and its portability.  However,
> I notice the consensus online appears to be that NetBSD is mainly for
> academic use, and that FreeBSD is better for commercial use, especially
> things like servers.

http://www.NetBSD.org/gallery/sites.html

"what consensus?"
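
A user-space sketch of the fingerprint check described for verifiedexec above, which also covers the boot-time file-checker from the quoted message. It is an added example, not code from this thread or from NetBSD. SHA-256, the in-memory manifest, the function names and the sample files are assumptions; verifiedexec itself keeps the fingerprints in the kernel.

```python
import hashlib
import hmac
import os
import tempfile

def fingerprint(path):
    """SHA-256 of a file, read in chunks (algorithm choice is an assumption)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(paths):
    """Record fingerprints on a known-clean system, keyed by resolved path."""
    return {os.path.realpath(p): fingerprint(p) for p in paths}

def check(path, manifest):
    """Classify one file: match, mismatch, missing, or unlisted."""
    real = os.path.realpath(path)  # a symlink must not alias a listed file
    expected = manifest.get(real)
    if expected is None:
        return "unlisted"          # policy for these is up to the caller
    try:
        actual = fingerprint(real)
    except OSError:
        return "missing"
    return "match" if hmac.compare_digest(actual, expected) else "mismatch"

def demo():
    """Constructed sample files in a temp dir; returns {name: verdict}."""
    with tempfile.TemporaryDirectory() as d:
        names = ("ls", "sh", "login", "dropped")
        p = {n: os.path.join(d, n) for n in names}
        for n in ("ls", "sh", "login"):
            with open(p[n], "wb") as f:
                f.write(n.encode() + b" v1")
        manifest = build_manifest([p["ls"], p["sh"], p["login"]])
        with open(p["sh"], "ab") as f:       # changed after fingerprinting
            f.write(b" modified")
        os.remove(p["login"])                # listed file removed
        with open(p["dropped"], "wb") as f:  # file that was never listed
            f.write(b"new")
        return {n: check(p[n], manifest) for n in names}

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:8} {verdict}")
```

A checker like this only reports; the manifest itself has to live somewhere an attacker who can modify binaries cannot also rewrite it.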