Document expected performance impact of standard settings we use #291
Comments
Some of the differences are explained in the hardening manual page. I'm having some difficulties extracting all the differences between HBSD and stock FreeBSD (12.1), but these are the ones that stand out when comparing sysctl from both machines semi-manually:
below values are not equal to the ones specified in
Our explicit changes made from within OPNsense can usually be found in system_advanced_sysctl.php, it could be an option to add these defaults as well to make these adjustments more explicit.
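The semi-manual sysctl comparison mentioned above, as an added shell example that is not part of this issue or of the OPNsense/HardenedBSD code: it normalises two `sysctl -a`-style dumps and lists every key whose value differs or that exists on only one side. The two dumps are constructed stand-ins for output from a stock FreeBSD and a HardenedBSD machine; their values are made up for the example and are not real defaults.

```shell
#!/bin/sh
# Added example: diff two "sysctl -a"-style dumps (one "name: value" per line)
# and list every key whose value differs or that exists on only one side.
# Both dumps below are constructed for the example; the values are not real defaults.
export LC_ALL=C          # join(1) needs both inputs sorted in the same collation
TAB=$(printf '\t')

# Turn "name: value" into "name<TAB>value" (split on the first ": "), sorted by name.
normalize() {
    awk '{ i = index($0, ": "); print substr($0, 1, i - 1) "\t" substr($0, i + 2) }' "$1" \
        | sort -t "$TAB" -k1,1
}

# Print "name<TAB>left<TAB>right" for keys that differ; "<absent>" marks a key
# present in only one dump (e.g. a tree that exists only on one of the systems).
sysctl_diff() {
    a=$(mktemp) && b=$(mktemp) || return 1
    normalize "$1" > "$a"
    normalize "$2" > "$b"
    join -t "$TAB" -a 1 -a 2 -e '<absent>' -o 0,1.2,2.2 "$a" "$b" \
        | awk -F "$TAB" '$2 != $3'
    rm -f "$a" "$b"
}

# Constructed dumps standing in for "sysctl -a" on a stock FreeBSD box ($STOCK)
# and a HardenedBSD box ($HBSD). Values are illustrative only.
STOCK=$(mktemp); HBSD=$(mktemp)
cat > "$STOCK" <<'EOF'
hw.ibrs_disable: 1
kern.randompid: 0
net.inet.tcp.blackhole: 0
vm.pmap.pti: 0
EOF
cat > "$HBSD" <<'EOF'
hardening.pax.aslr.status: 3
hw.ibrs_disable: 0
kern.randompid: 1
net.inet.tcp.blackhole: 0
vm.pmap.pti: 1
EOF

# Each printed line is a candidate for the "performance impact" table discussed here.
sysctl_diff "$STOCK" "$HBSD"
```

On real machines, replace the heredocs with `sysctl -a > stock.txt` on each box and pass the two files to `sysctl_diff`.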
The HardenedBSD wiki is mostly up-to-date: https://git-01.md.hardenedbsd.org/HardenedBSD/HardenedBSD/wiki I need to make a few more updates to changes in 13-CURRENT.
The kernel-level changes that would impact performance the most would be the force-enabling of IBRS and PTI. IBRS especially can have a performance hit on network-heavy workloads.
@lattera thanks, I'll try to add a document on our end within a couple of weeks combining the relevant information.
Some sort of one-click template would be nice. I fear complaints about performance won’t go away when people have to flip a number of hardening options just to get a system they think they want/need/should have despite the clear path of HardenedBSD.
@fichtner we could "institutionalize" it by adding an additional button on the tunables page ("less secure, more performance defaults"), which could be a next step.
In OPNsense we have different security measures enabled by default. Since most of them don't come free (in terms of performance), it would help to document which choices people can make.
Think of Meltdown/Spectre mitigations for example.