> For the complete documentation index, see [llms.txt](https://book.bsdcn.org/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://book.bsdcn.org/ask/flat/chapter-29-security/di-29.1-jie-xin-xi-an-quan-gai-lun.md).
# 29.1 Overview of Information Security
Information security refers to the protection of information systems (including hardware, software, data, personnel, physical environments, and their infrastructure) from accidental or malicious destruction, alteration, and disclosure, ensuring the confidentiality, integrity, and availability of information, reliable and normal system operation, and continuous information services.
Security is a shared responsibility among all users. Any weakness in a system may allow intruders to obtain critical information and cause damage to the entire network. One of the core principles of information security is the CIA triad, namely the Confidentiality, Integrity, and Availability of information systems. The concept of the CIA triad can be traced back to computer security research in the mid-to-late 1970s, and was later formally adopted and promoted by the National Institute of Standards and Technology (NIST) within its security standards framework.
Clients and users expect their data to be protected, making the CIA triad the cornerstone of computer security. For example, clients expect their credit card information to be securely stored (confidentiality), their orders not to be tampered with without authorization (integrity), and their order information to be accessible at all times (availability).
To safeguard CIA security, security experts employ the Defense in Depth strategy. The philosophy of this strategy is to implement security measures at multiple layers, preventing the failure of a single layer from causing the collapse of the entire defense system. For example, a system administrator cannot consider a network or system secure simply by enabling a firewall; they must also audit accounts, check the integrity of binary files, and ensure that no malicious tools are installed on the system. To implement an effective security strategy, one must understand potential threats and their defense methods.
Threats in computer security include not only remote attackers attempting unauthorized system access, but also insiders, malware, unauthorized network devices, natural disasters, security vulnerabilities, and even threats from competitors.
Systems and networks may be subject to unauthorized access, which may occur accidentally, be carried out by remote attackers, or even originate from corporate espionage or former employees. Users should be prepared for incident response when security events occur, truthfully report the situation, and report relevant incidents to the security team. As an administrator, understanding threats and being prepared to respond is equally important.
> **Tip**
>
> There are currently hundreds of standard practices for system and network security protection. The question is not which best practice, industry standard, or legal requirement to follow, but rather one should always hold the belief: "There is no absolutely secure operating system." See also the 2014 German film [*Who Am I – Kein System ist sicher*](https://www.imdb.com/title/tt3042408/) (*Who Am I: No System is Safe*).
As a FreeBSD user, understanding how to defend against attacks and intrusions is crucial.
The FreeBSD operating system includes built-in support for security event auditing. Event auditing supports reliable, fine-grained, and configurable logging that covers various security-related system events, including logins, configuration changes, and file and network access. These log records are highly valuable in real-time system monitoring, intrusion detection, and post-incident analysis.
FreeBSD supports security extensions based on the POSIX®.1e draft. These security mechanisms include file system Access Control Lists (ACL) and Mandatory Access Control (MAC). MAC allows loading access control modules to enforce security policies. Some modules protect narrow subsets of the system, hardening specific services, while others provide comprehensive label security across all subjects and objects. The mandatory portion of the definition means that the enforcement of control is accomplished jointly by the administrator and the operating system. This contrasts with the default security mechanism — Discretionary Access Control (DAC), which leaves control to the discretion of users.
## FreeBSD Security Design
* Leidinger blog: Leidinger, A. FreeBSD Security Hardening with Compiler Options\[EB/OL]. (2025-05-24)\[2026-03-26]. . The FreeBSD Project has hardened some Ports. See also Bug 284270: FreeBSD Project. Bug 284270 - Add new features fortify, stack\_autoinit and zeroregs\[EB/OL]. \[2026-03-26]. .
* Fewer disclosed security vulnerabilities than other mainstream operating systems (although this may be due to the objective factor of a smaller sample size). As of September 2025, the number of CVE vulnerabilities in the FreeBSD base system (userland and kernel) is approximately one-twentieth that of the Linux kernel (according to statistics from CVEdetails.com. CVE security vulnerability database. Security vulnerabilities, exploits, references and more\[EB/OL]. \[2026-03-26]. ), while the Linux kernel has far more CVEs than Windows (the two are not comparable on the same dimension: the Linux kernel is only the kernel, whereas Windows typically refers to all components). During the same period, OpenBSD's CVE vulnerability count was approximately 40% of FreeBSD's; different projects have significantly different CVE assignment policies and reporting cultures, and CVE counts cannot be directly equated with an absolute comparison of security.
* Ability to avoid single points of failure in products and architectures, improving overall system availability and resilience.
* Security event auditing.
* Robert Watson, Stacey Son. TrustedBSD - FreeBSD Wiki\[EB/OL]. (2022-09-15)\[2026-03-26]. . FreeBSD integrates standard UNIX DAC, ACL, and the TrustedBSD MAC security framework (security extensions based on the POSIX®.1e draft)
* Integrated W^X policy, see D28050 code review: kib. Implement enforcing write XOR execute mapping policy\[EB/OL]. (2021-01-08)\[2026-03-26]. .
* PIE and ASLR are enabled by default for both kernel and userland. ASLR was initially proposed in the D27666 code review (2020-12-18), and PIE default enablement was implemented by D28328. After both were merged into HEAD, ASLR has been enabled by default for 64-bit executables since FreeBSD 13.2-RELEASE (April 11, 2023). See D27666 code review:mw. Enable ASLR by default for 64-bit executables\[EB/OL]. (2020-12-18)\[2026-04-17]. , D28328 code review:mw. Enable PIE by default on 64-bit architectures\[EB/OL]. \[2026-04-17]. ; FreeBSD 13.2-RELEASE announcement:FreeBSD Project. FreeBSD 13.2-RELEASE Announcement\[EB/OL]. (2023-04-11)\[2026-04-17]. .
* FreeBSD has completed the National Institute of Standards and Technology (NIST) Secure Software Development Framework (SSDF) self-attestation. See FreeBSD Foundation SSDF attestation news: FreeBSD Foundation. FreeBSD Foundation Announces SSDF Attestation\[EB/OL]. (2023-11-03)\[2026-03-26]. .
* Released the FreeBSD 14 CIS Benchmark. See FreeBSD Foundation CIS benchmark blog: FreeBSD Foundation. New CIS® FreeBSD 14 Benchmark: Secure Your Systems with Expert-Guided Best Practices\[EB/OL]. (2024-08-19)\[2026-03-26]. .
* Implementing zero-trust builds for FreeBSD, see Sovereign Tech Agency sponsorship.
* Full-disk encryption solution based on the GEOM framework (including ZFS and swap).
* Improving Software Bill of Materials (SBOM), see Sovereign Tech Agency sponsorship.
* Capsicum framework, with capability-based hardening already applied to many tools in the base system. See Capsicum Wiki: FreeBSD Project. Capsicum - FreeBSD Wiki\[EB/OL]. \[2026-03-26]. .
* The FreeBSD kernel offers five different security levels (securelevel) that can be freely selected. See security manual page: FreeBSD Project. security - introduction to security under FreeBSD\[EB/OL]. \[2026-03-26]. . Also see mitigations manual page: FreeBSD Project. mitigations - FreeBSD Security Vulnerability Mitigations\[EB/OL]. \[2026-03-26]. . The manual page also describes several security vulnerability mitigation measures on FreeBSD.
## Exercises
1. Analyze the reasons why people tend to have a natural sense of trust in software distributed from "official websites" (for example, the popular saying "only download software from official websites"), and evaluate whether this trust is correct and reliable. (See DMkiIIer. Warning: HWMonitor 1.63 download on the official site may contain malware? \[EB/OL]. r/pcmasterrace, Reddit, (2026-04-10)\[2026-04-11]. .)
---
# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.
## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://book.bsdcn.org/ask/flat/chapter-29-security/di-29.1-jie-xin-xi-an-quan-gai-lun.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.