OpenBSD is fantastic
Published on 2018-03-13. Modified on 2020-11-20.
I have been using OpenBSD, a FREE, multi-platform 4.4BSD-based Unix-like operating system, both professionally and privately since about 2004, and today I'm going to share some of my experiences.
As I was gathering my thoughts for this article I realized that it is actually quite difficult to give due credit to the developers of OpenBSD. This is because OpenBSD is quite unique and it's rather amazing, in my humble opinion. Much of its "splendor" hides in the design and specific coding style of the developers, and as such it isn't visible to the average user. You need to understand some of what goes on under the hood to really appreciate OpenBSD!
OpenBSD is easy and quick to install and you will be surprised at how simple and extremely well designed the system is. A lot of work goes into making everything right from the beginning, and the project is following the Unix philosophy to the letter.
OpenBSD comes with many applications in the base system ready to run; however, nothing except for security features is enabled by default, so you have to enable the services you need. Every configuration file follows the same style of syntax, a very human-readable syntax, and it's thus very easy to understand and set up. Every single option is well documented in the man pages and the OpenBSD project considers lacking documentation "a bug". This is something that every professional programmer should adopt.
Lacking documentation, or incorrect documentation, is just as dangerous to a running system as a security bug. The reason is that security issues sometimes arise from misconfiguration. If you don't know how to set up your system, how can you be sure that it isn't running in a manner that makes it easy for an attacker to compromise it? A lot of spam on the Internet originates from misconfigured mail servers that have been compromised by attackers.
Every single line of code in the operating system kernel and base system of OpenBSD gets security audited and scrutinized by the programmers, and everything is coded following a strict set of guidelines and principles that try to eliminate all the typical coding mistakes, as many security bugs are actually coding mistakes made by programmers.
But that's not all. Another thing that makes OpenBSD amazing is all the security mitigation work that goes into the development of the operating system and the OpenBSD developers are doing some fantastic frontier engineering in this area!
Security mitigations are techniques that help prevent attackers from running malicious code on the operating system or taking advantage of security bugs or weaknesses in software.
If you're using a piece of software, say a browser, and the browser has a security bug that is exploitable, then it is possible for an attacker to gain access to your computer. How much damage the attacker can do on your computer depends on the underlying security of the operating system.
OpenBSD has a number of mitigation techniques built into the kernel and base system that make life really difficult for an attacker. This means that it becomes much more difficult for an attacker to gain unauthorized access to your system in the first place using the normal exploitation techniques which work on many other operating systems like Microsoft Windows, Linux, Mac OS, and others. It also means that if an attacker should gain access to your system despite these mitigations, the amount of damage the attacker can do is very limited and constricted.
Here is a list of some of the OpenBSD security innovations built into the operating system and enabled by default.
- Enforced W^X in the kernel on i386/amd64/sparc64.
- Enforced W^X userland as of version 6.0.
- SROP (sigreturn(2) oriented programming) mitigation by default.
- Static-PIE for self-relocating static binaries.
- Stack protector.
- Privilege dropping and separation for most of the base system as a matter of policy, new stuff doesn't get enabled without it.
- bcrypt password hashes only, with an automatically selected rounds value based on system performance.
- PIE by default for base, packages, and ports.
- C shared library re-ordering at boot time, i.e. libc.so is re-linked at boot time so objects are randomly ordered.
- System-wide sandboxing (pledge(2)) of a large percentage of the userland, incl. the privileged part of the X server and most network-facing daemons.
- arc4random(3), which backs rand(3), random(3), and drand48(3), with an audited base/ports tree. Software must opt-in to deterministic broken POSIX behavior.
The list goes on at OpenBSD Innovations.
Several of these innovations have been adopted and implemented by other operating systems thanks to the work done by the OpenBSD developers.
OpenBSD is a robust and reliable operating system that you can run with minimal interaction once it is set up. It is actually the only operating system that truly enables you to sleep at night in case you're running any system critical software.
OpenBSD maintains a portable version of many parts of the base system, including:
- LibreSSL, a free implementation of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, forked from the OpenSSL 1.0.1g branch
- OpenBGPD, a free implementation of the Border Gateway Protocol 4 (BGP-4)
- OpenOSPFD, a free implementation of the Open Shortest Path First (OSPF) routing protocol
- OpenNTPD, a simple alternative to ntp.org's Network Time Protocol (NTP) daemon
- OpenSMTPD, a free Simple Mail Transfer Protocol (SMTP) daemon with IPv4/IPv6, PAM, Maildir and virtual domains support
- httpd, an HTTP server first included in the 5.6 release
- OpenSSH, a free implementation of the Secure Shell (SSH) protocol
- OpenIKED, a free implementation of the Internet Key Exchange (IKEv2) protocol
- Common Address Redundancy Protocol (CARP), a free alternative to Cisco's patented HSRP/VRRP server redundancy protocols
- PF, an IPv4/IPv6 stateful firewall with NAT, PAT, QoS and traffic normalization support
- Unbound, a DNS validating resolver
- dhcpd, a Dynamic Host Configuration Protocol (DHCP) server
- pfsync, a firewall states synchronization protocol for PF firewall with High Availability support using CARP
- spamd, a spam filter with greylisting support designed to inter-operate with the PF firewall
- sndio, a compact audio and MIDI framework
- Xenocara, a customized X.Org build infrastructure
- cwm, a stacking window manager
- tmux virtual console multiplexer
- The X.Org Server
- GNU Compiler Collection
- GNU Binutils
- GNU Debugger
All of this is in the base system of the operating system and it is a part of a standard OpenBSD installation. All the base parts of the system come with OpenBSD-specific patches, changes and improvements for increased security.
Besides the above, OpenBSD provides, as of writing, more than 9.700 installable applications via the OpenBSD package manager. However, it is important to note that even though you are advised to use the precompiled packages over manually building software from the ports collection, the package collections for the "release" and "stable" branches of OpenBSD don't get package upgrades. This means that security updates for packages are only available through the ports system when you are running the "stable" branch.
When serious bugs or security flaws are discovered in the applications in the ports collection, they are fixed in the "stable" branch of the ports tree. Contrary to the base system, the "stable" ports only get security backports for the latest release. This means that if you're using third party applications you need to check out the correct branch of the ports tree, and build the software manually. The ports can be kept up to date with CVS and you can subscribe to the ports-changes mailing list in order to receive security announcements related to applications in the ports tree.
Another very valid solution is to run with the "current" branch of OpenBSD. The "current" branch is where active development occurs, but the developers are very careful not to introduce new features that may cause the system any problems. The "current" branch is kinda equivalent to a "rolling release" model.
Since the ports collection is related to software from third party providers it does not go through the same thorough security audit that is performed on the OpenBSD base system. The OpenBSD project does not have enough resources to ensure the same level of robustness and security with ports as they do with the base system.
Take a look at the OpenBSD project website for further information.