title: "System Hardening"
description: "Production hardening checklist drawn from the GuardBSD audit report."

System Hardening

Based on the GuardBSD Winter Saga v1.0.0 audit, these mitigations are active and should remain enforced.

Exploit Mitigations

| Mitigation            | Status | Overhead      | Effectiveness |
| --------------------- | ------ | ------------- | ------------- |
| Stack Canaries        | ✅     | ~2 cycles     | High          |
| ASLR (16-bit)         | ✅     | one-time      | Medium        |
| W^X Enforcement       | ✅     | ~3 cycles     | High          |
| Pointer Validation    | ✅     | ~5 cycles     | High          |
| Secure Memory Zeroing | ✅     | ~1 cycle/byte | Medium        |
| Rate Limiting         | ✅     | ~10 cycles    | Medium        |

Total overhead: <5% system-wide.

Capability System Essentials

  • Unforgeable, transferable, revocable, and attenuable tokens
  • Cryptographic sealing with generation-based revocation
  • No ambient authority; principle of least privilege
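
The capability properties listed above, sketched as an added example (not GuardBSD's code and not taken from the audit report): a toy reference monitor seals each token with a keyed MAC and revokes by bumping a per-object generation counter. The class name, rights bits, 48-byte token layout and the choice of HMAC-SHA256 as the seal are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import struct

# Illustrative rights bits (assumed names, not GuardBSD's).
R_READ, R_WRITE, R_GRANT = 1, 2, 4

class CapKernel:
    """Toy reference monitor: mints, attenuates, verifies and revokes capabilities."""

    def __init__(self):
        self._key = os.urandom(32)   # sealing key never leaves the "kernel"
        self._gen = {}               # object id -> current generation

    def _seal(self, obj, rights, gen):
        body = struct.pack("<IIQ", obj, rights, gen)   # 16-byte body
        return body + hmac.new(self._key, body, hashlib.sha256).digest()

    def mint(self, obj, rights):
        return self._seal(obj, rights, self._gen.setdefault(obj, 0))

    def _open(self, token):
        """Return (obj, rights) if seal and generation are valid, else None."""
        if len(token) != 48:
            return None
        body, tag = token[:16], token[16:]
        good = hmac.new(self._key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, good):
            return None                      # forged or tampered token
        obj, rights, gen = struct.unpack("<IIQ", body)
        if gen != self._gen.get(obj):
            return None                      # generation moved on: revoked
        return obj, rights

    def check(self, token, obj, need):
        # No ambient authority: access is decided by the presented token alone.
        opened = self._open(token)
        return opened is not None and opened[0] == obj and opened[1] & need == need

    def attenuate(self, token, keep):
        opened = self._open(token)
        if opened is None:
            raise PermissionError("invalid or revoked capability")
        obj, rights = opened
        return self._seal(obj, rights & keep, self._gen[obj])  # can only drop rights

    def revoke(self, obj):
        # One counter bump invalidates every outstanding token for the object.
        self._gen[obj] = self._gen.get(obj, 0) + 1
```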

```sh
# Audit running services and lock down SSH keys
service list
chmod 600 /etc/ssh/ssh_host_*
```

Operational Hardening

  • Keep debug symbols off production binaries (strip uk_ipc, etc.)
  • Maintain serial logging for forensics
  • Enforce firewall defaults and disable unused services
  • Snapshot before upgrades; test rollback paths