Ghostbsd Security - First Impressions, Part 1

NOTE: This is not the review of GhostBSD, this is my first set of first impressions.

Started messing around with GhostBSD for my security related blog post, and the first search result I got for “GhostBSD security” on my search engine (which for now is Brave) is an article titled Security, intended to “collect information to harden your system.”

However, one thing the recommended test suite (Lynis) can’t really detect is the packages in Ports that are unmaintained. Firstly, the Ports are a collection of unofficial packages for FreeBSD, maintained by volunteers, similar to the AUR. As such, not all packages are maintained; installing Qutebrowser from the ports (through pkg, the official package manager) installed two libraries that were unmaintained, alsa-lib and alsa-plugins. It also mentions the port is deprecated, and uses Python 2.7 (I don’t know why, Qutebrowser uses Python 3.9).

I appreciate the package manager being very forward with this information; I am curious to see how the reporting system works in the Ports if a maintainer becomes inactive, or if it is entirely voluntary, and how this compares to the aforementioned AUR (I haven’t researched it there, either). The version of Qutebrowser installed is one point release behind the latest release (FreeBSD ports is on v2.5.1, upstream is v2.5.2 as of June 22, 2022).

The Port also uses QtWebEngine 5.15.2, which is based on Chromium 83.0.4103.122. This is the last I will mention this port, however, because it is by no means mandatory, or included in the base install. I just bring it up in a point of reference that, just like with the AUR, the packages are not official, nor are they universally up to date; however, unlike the AUR (and more similar to PPA’s), they are available to be installed with the official package manager, like using an AUR helper on Arch Linux.

Back to the security page.

The version of Lynis when I tested this was also one version behind (3.0.7 instead of 3.0.8), with 3.0.7 having been released on January 18, 2022, and 3.0.8 on May 17, 2022. Lynis 3.0.7 gave a hardening index of 65 after I made a couple changes for the sake of the VM (disable moused to fix a mouse issue (which it did not, I had to use xmodmap), installed a better terminal and wm (st and awesome, as well as packages for my config), as well as installing guest additions).

It detected a firewall (which is correct, IPFW is autostarted and configured by the installer, although it’s mostly just protecting loopback traffic). Most of the test either had green or white text, with some yellow and (at the very bottom) a few red. Overall, it seems pretty good so far on initial inspection.