# hardening, current status of aslr/wx with firefox,ntpd



## Alain De Vos (Oct 9, 2022)

What are the secure values we can put for

```
kern.elf64.nxstack
kern.elf64.aslr.enable
kern.elf64.aslr.stack
kern.elf64.aslr.honor_sbrk
kern.elf64.aslr.pie_enable
kern.elf64.allow_wx
security.bsd.stack_guard_page
```


----------



## Alexander88207 (Oct 9, 2022)

ASLR has been enabled by default for a while now.


----------



## mer (Oct 9, 2022)

Alexander88207 said:


> ASLR has been enabled by default for a while now.


Depends on what exactly you mean by "enabled". Here are values from a stock 13.1-RELEASE-p2:

```
kern.elf64.aslr.stack: 1
kern.elf64.aslr.honor_sbrk: 1
kern.elf64.aslr.pie_enable: 0
kern.elf64.aslr.enable: 0
vm.aslr_restarts: 0
kern.elf64.nxstack: 1
kern.elf64.allow_wx: 1
security.bsd.stack_guard_page: 1
```
Some ASLR values are enabled, but not all.


----------



## _martin (Oct 9, 2022)

Alexander88207 said:


> ASLR has been enabled by default for a while now.


Depends what you mean by a while. This wiki is a good start to check the current status.

Last sentence on that wiki page is important -- many tools (including ld) are still in development even now.


----------



## paulw (Oct 9, 2022)

```
paul@zoo-FreeBSD ~ $ uname -a
FreeBSD zoo-FreeBSD.home 13.1-RELEASE-p2 FreeBSD 13.1-RELEASE-p2 GENERIC amd64
```

I have these in /etc/sysctl.conf without apparent ill effects (e.g. openntpd, firefox and chromium all work):


```
kern.elf64.aslr.pie_enable=1
kern.elf64.aslr.enable=1
```
resulting in:


```
paul@zoo-FreeBSD ~ $ sysctl -a | grep kern.elf64
kern.elf64.allow_wx: 1
kern.elf64.sigfastblock: 1
kern.elf64.aslr.stack: 1
kern.elf64.aslr.honor_sbrk: 1
kern.elf64.aslr.pie_enable: 1
kern.elf64.aslr.enable: 1
kern.elf64.pie_base: 16912384
kern.elf64.vdso: 1
kern.elf64.nxstack: 1
kern.elf64.fallback_brand: -1
```
and


```
paul@zoo-FreeBSD ~ $ sysctl -a | grep aslr
kern.elf32.aslr.stack: 1
kern.elf32.aslr.honor_sbrk: 1
kern.elf32.aslr.pie_enable: 0
kern.elf32.aslr.enable: 0
kern.elf64.aslr.stack: 1
kern.elf64.aslr.honor_sbrk: 1
kern.elf64.aslr.pie_enable: 1
kern.elf64.aslr.enable: 1
vm.aslr_restarts: 396
paul@zoo-FreeBSD ~ $
```


----------



## Alain De Vos (Oct 10, 2022)

```
kern.elf64.allow_wx=0
```
And java/jdk fails to compile.


----------
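An added example, not part of any post in this thread: a small `sh`/`awk` check that compares `sysctl` output (or an `/etc/sysctl.conf`) against a baseline of the knobs discussed above and lists what differs. The baseline values and the names `BASELINE`, `STOCK_SAMPLE` and `audit_sysctl` are assumptions of the example; as reported in the thread, `kern.elf64.allow_wx=0` broke a java/jdk build, so test that setting before enforcing it.

```sh
#!/bin/sh
# Added example, not from the thread. BASELINE is this example's assumption:
# the stricter setting of each knob discussed above. kern.elf64.aslr.honor_sbrk
# is left out because the thread does not say which value is stricter.
BASELINE='kern.elf64.nxstack=1
kern.elf64.aslr.enable=1
kern.elf64.aslr.stack=1
kern.elf64.aslr.pie_enable=1
kern.elf64.allow_wx=0
security.bsd.stack_guard_page=1'
# Values copied from mer's stock 13.1-RELEASE-p2 listing, used as sample input.
STOCK_SAMPLE='kern.elf64.aslr.stack: 1
kern.elf64.aslr.honor_sbrk: 1
kern.elf64.aslr.pie_enable: 0
kern.elf64.aslr.enable: 0
vm.aslr_restarts: 0
kern.elf64.nxstack: 1
kern.elf64.allow_wx: 1
security.bsd.stack_guard_page: 1'

# Reads "name: value" (sysctl output) or "name=value" (sysctl.conf) on stdin,
# prints one line per baseline knob that is missing or differs, and returns
# the number of findings as its exit status (0 means the baseline is met).
audit_sysctl() {
    BASELINE="$BASELINE" awk '
        BEGIN {
            bad = 0; n = split(ENVIRON["BASELINE"], row, "\n")
            for (i = 1; i <= n; i++) { split(row[i], kv, "="); name[i] = kv[1]; want[kv[1]] = kv[2] }
        }
        {
            line = $0
            sub(/#.*/, "", line)                      # drop sysctl.conf comments
            if (!match(line, /[:=]/)) next            # not a name/value line
            k = substr(line, 1, RSTART - 1); v = substr(line, RSTART + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k in want) have[k] = v                # last occurrence wins
        }
        END {
            for (i = 1; i <= n; i++) {
                k = name[i]
                if (!(k in have)) { printf "MISSING %s (want %s)\n", k, want[k]; bad++ }
                else if (have[k] != want[k]) { printf "DIFF %s=%s (want %s)\n", k, have[k], want[k]; bad++ }
            }
            exit bad
        }'
}

# Demo on the embedded sample; on a live host: sysctl kern.elf64 security.bsd | audit_sysctl
printf '%s\n' "$STOCK_SAMPLE" | audit_sysctl || echo "findings: $?"
```

Run against the stock values quoted in the thread, it flags `aslr.enable`, `aslr.pie_enable` and `allow_wx`; the same function accepts `/etc/sysctl.conf` on stdin to check what will be applied at boot.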

