You may have heard of something called “TrustedBSD” in your discussions of FreeBSD security features. But what is it? A part of the operating system? An application? Something new? Actually, TrustedBSD is a project, started in 2000 with the goal of providing a set of trusted operating system extensions for FreeBSD.
It consists of a set of kernel and user-land extensions targeting the evaluation criteria from the Common Criteria for Information Technology Security Evaluation and the Orange Book (a Department of Defense document that sets standards for computer security). Trusted operating systems have requirements above and beyond those of normal operating systems, including extensive documentation.
Many features of TrustedBSD that have matured over the past eight years have already made their way into the operating system, as well as into other operating systems (for example, the TrustedBSD MAC framework was used in Apple OS X). Some of the key features being worked on are access control lists, mandatory access controls, security event auditing, extended file system attributes, a port of the NSA’s FLASK/TE implementation from SELinux to FreeBSD, and the development of OpenBSD.
These features should improve the overall security and usability of FreeBSD. Improvements to system privilege will reduce the risk associated with common system management functions. Access control will be more discretionary and fine-grained overall. Also in the works is event auditing support, a system to monitor security events and notify administrators in the case of irregularities.
The project is still under development. For access to documentation as well as some code, visit www.trustedbsd.com.