Guide to Unix/BSD/OpenBSD

This module contains information that is specific to OpenBSD.

Background

OpenBSD calls itself the "multi-platform, ultra-secure operating system". The OpenBSD team believes in strong security and code correctness. The OpenBSD team has between six and twelve developers working on finding bugs and security holes in the system. OpenBSD also strives to be secure by default, meaning that the user does not have to be a security expert to secure the system. The OpenBSD project normally makes a new version every six months.

OpenBSD is known for having strict rules regarding bugs. Such as an application, not having a manual is considered a bug and therefore the application will not be included in the port (or package) tree. These rules are also included in the operating system. Should an application pose a security risk OpenBSD will kill the process on the spot. If there is a bug, and it is announced on the mailing list, then the OpenBSD team will come out with a patch in a matter of days. OpenBSD has only had two remotely exploitable bugs (both were in ssh and soon there afterwards patched), after a default install (with no additional services turned on) in over 10 years.

Notable Security Features

strlcpy() and strlcat()
Memory protection purify

W^X
.rodata segment
Guard pages
Randomized malloc()
Randomized mmap()
atexit() and stdio protection

Privilege separation
Privilege revocation
Chroot jailing
New uids
ProPolice

Installation

OpenBSD has a easy although non-graphical installer.

Customization

You can change the default configuration files and install additional packages, by creating your own custom iso file.

As a firewall

OpenBSD uses pf ("packet filter") as a firewall. Though the authors originally contributed pf to OpenBSD, because it is free, other operating systems are including pf.

As a webserver

As of OpenBSD 5.6, OpenBSD ships with its own webserver, httpd(8). A hardened fork of Apache 1.3 (was in base prior to 5.6), upstream Apache 2.2, nginx (in base prior to upcoming 5.7) and other webservers are available from ports.

As a desktop

Despite its reputation for being only for servers OpenBSD can also serve as a great workstation/desktop. OpenBSD uses pkg_add as their binary package management system. The pkg_add automatically resolves dependencies. If you get the packages from ftp, pkg_add is able to resolve all of the dependencies for you. Some of the desktop related packages in the binary package system include: KDE (3.5), Xfce, Gnome, fluxbox, blackbox, and e16. Many other packages are available through the port system which also resolves and compiles the dependencies for you.

References

"OpenBSD Security." 31 Oct. 2008. OpenBSD. 31 Oct. 2008 <http://www.openbsd.org/security.html>.

This article is issued from Wikibooks. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.