Guide to Unix/BSD/OpenBSD
This module contains information that is specific to OpenBSD.
Background
editOpenBSD calls itself the "multi-platform, ultra-secure operating system". The OpenBSD team believes in strong security and code correctness. The OpenBSD team has between six and twelve developers working on finding bugs and security holes in the system. OpenBSD also strives to be secure by default, meaning that the user does not have to be a security expert to secure the system. The OpenBSD project normally makes a new version every six months.
OpenBSD is known for having strict rules regarding bugs, such as an application not having a manual is considered a bug and therefore the application will not be included in the port (or package) tree. These rules are also included in the operating system. Should an application pose a security risk, OpenBSD will kill the process on the spot. If there is a bug, and it is announced on the mailing list, then the OpenBSD team will come out with a patch in a matter of days. OpenBSD has only had two remotely exploitable bugs (both were in SSH and patched soon thereafter), after a default install (with no additional services turned on) in over 10 years.
Notable Security Features
edit- strlcpy() and strlcat()
- Memory protection purify
- W^X
- .rodata segment
- Guard pages
- Randomized malloc()
- Randomized mmap()
- atexit() and stdio protection
- Privilege separation
- Privilege revocation
- Chroot jailing
- New uids
- ProPolice
Installation
editOpenBSD has an easy, although non-graphical, installer.
Customization
editYou can change the default configuration files and install additional packages, by creating your own custom ISO file.
As a firewall
editOpenBSD uses pf ("packet filter") as a firewall. Although the authors originally contributed pf to OpenBSD because it is free, other operating systems are including pf as well.
As a webserver
editAs of OpenBSD 5.6, OpenBSD ships with its own webserver, httpd(8). A hardened fork of Apache 1.3 (was in base prior to 5.6), upstream Apache 2.2, nginx (in base prior to upcoming 5.7) and other webservers are available from ports.
As a desktop
editDespite its reputation for being only for servers OpenBSD can also serve as a great workstation/desktop. OpenBSD uses pkg_add as their binary package management system. The pkg_add automatically resolves dependencies. If you get the packages from ftp, pkg_add is able to resolve all of the dependencies for you. Some of the desktop related packages in the binary package system include: KDE (3.5), Xfce, Gnome, fluxbox, blackbox, and e16. Many other packages are available through the port system which also resolves and compiles the dependencies for you.
References
edit- "OpenBSD Security." 31 Oct. 2008. OpenBSD. 31 Oct. 2008 <http://www.openbsd.org/security.html>.