
How to add secadm rules

Thomas edited this page Oct 12, 2018 · 5 revisions

Although this is documented in the HardenedBSD handbook, I figured it would help someone trying to apply secadm rules to HardenedBSD.

When to use secadm

Programs such as node, java, etc. need certain hardening features disabled before they will run. The process for adding these exceptions is simple. If you get a segfault when starting a program, you probably need to add an exception to secadm.

How to enable secadm

Two things need to happen:

pkg install secadm kmod-secadm
kldload secadm

Testing to make sure the program works

Before committing final information to the rules file, it is helpful to test. The standard location for rules is /usr/local/etc/secadm.rules. Example rule files are found on GitHub.

Rules are written in JSON format and are typically combined into a single file.
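As an added example (not from this wiki or the secadm project), here is a minimal rules file for /usr/local/etc/secadm.rules that exempts one binary from a single PaX feature instead of turning every mitigation off. The path /usr/local/bin/node and the choice of mprotect as the feature to relax are assumptions for illustration; the key names follow the secadm JSON rule layout as I understand it.

```json
{
  "secadm": {
    "pax": [
      {
        "path": "/usr/local/bin/node",
        "mprotect": false,
        "pageexec": true,
        "aslr": true
      }
    ]
  }
}
```

Load it with secadm load, re-run the program, and if it still segfaults relax the next feature one at a time so the exception stays as narrow as possible.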

Once the rules are in the appropriate location, simply issue:

secadm load /usr/local/etc/secadm.rules

Then run your program and see if things are O.K. If not, modify, rinse, and repeat. Once the program works, it's time for the final step:

sysrc secadm_enable=YES
service secadm start

See the HardenedBSD manual for more information: HardenedBSD manual pages
