Contributed by deanna on from the press dept.
InfoWorld's Security Advisor columnist Roger A. Grimes says: "Kick off 2007 with a new, more secure operating system." Citing OpenBSD's code-auditing security process and its excellent security record, Grimes advises readers to give the system a try. Despite repeating some old canards about the "unfriendly" install, he notes favorably that "OpenBSD is shipped secure-by-default, with all non-essential services disabled. You won't find NFS, mountd, or Apache [httpd] enabled by default. The /bin and /sbin folders will be emptier than other Linux or BSD distros. Install OpenBSD and you can be assured that it doesn't default to an insecure state."
http://www.infoworld.com/article/06/12/29/01OPsecadvise_1.html
By Roger A. Grimes (70.168.215.83) roger@banneretcs.com on http://weblog.infoworld.com/securityadviser/
Man, many of you are a tough crowd. I'm trying to promote OpenBSD and most of y'all are jamming me. Yes, I run Windows most of the time, although I get paid to teach Windows and Linux security classes for Foundstone and others. I set up PF firewalls and OpenBSD honeypots using Snort and Honeyd (among other architectures). I'm not a strong OpenBSD user, but I'm a user and implementer...and more importantly I've been a passionate supporter for many years.
Yes, the editor changed the article in many ways (like she normally does), including making OpenBSD sound tougher to install than it is; she shortened the 1 exploit statement, and she took out the $50 CD purchases to support OpenBSD. I normally get 400-600 words to write the column and I turned in 859 words...it's what happens during an edit, especially during the Christmas holidays. Wait until you write for a living one day.
I appreciate those of you who saw what I was trying to do...which was promote OpenBSD in a forum where it isn't normally supported. If you read more of my writings over the last few years, you'd see my support of OpenBSD in many more columns, although in smaller side comments. For everyone who wants to help me in this endeavor, send me all your factual corrections and I'll post them in my blog.
Sincerely,
Roger A. Grimes
By Chris (68.13.195.18) on
Don't forget about the CDROM sales and donations which support OpenBSD to operate.
By Anonymous Coward (85.178.68.165) on
Also, does X listen by default?
By Michiel van Baak (mvanbaak) undeadly@vanbaak.info on http://michiel.vanbaak.info
> Also, does X listen by default?
/etc/inetd.conf has everything commented out by default.
X will only start by default if you install it and edit rc.conf to enable xdm. By default it won't start on boot.
X will only be on workstations, and you never connect those to the internet without an OpenBSD pf box in front of it, right?
By Anonymous Coward (74.115.21.120) on
> > Also, does X listen by default?
>
> /etc/inetd.conf has everything commented out by default.
No it doesn't. It's running time, daytime, and identd.
> X will only start by default if you install it and edit rc.conf to enable xdm. By default it won't start on boot.
So running "startx" should open you up to remote holes for no reason? Just so you can run a graphical web browser?
> X will only be on workstations, and you never connect those to the internet without an OpenBSD pf box in front of it, right?
Wrong. I shouldn't need a firewall at all since I have no intention of running any services. It's a workstation, not a server. I shouldn't need to hide behind a firewall to block access to services my OS is running on me. What is this, Windows?
By Igor Sobrado (sobrado) igor@string1.ciencias.uniovi.es on
> > Also, does X listen by default?
>
> /etc/inetd.conf has everything commented out by default.
> X will only start by default if you install it and edit rc.conf to enable xdm. By default it won't start on boot.
> X will only be on workstations, and you never connect those to the internet without an OpenBSD pf box in front of it, right?
/etc/inetd.conf has some services enabled by default, but these services are needed.
- the smtp, submission and biff services are required for some subsystems (e.g., the daily/weekly/monthly scripts, cron...) and applications (e.g., vi(1)) to send email to users. These services are secure as they are listening on the loopback interface by default. The smtp message submission (RFC 2476) is used for MUAs to introduce messages into the MTA routing network (more useful when listening on public addresses, indeed, but useful on a local scope too). biff is not a network service; it can be listening on the loopback interface.
- auth is useful to improve speed in communication with remote MTAs; in some cases sending email is not possible if this service is disabled. It is useful for IRC too. So, it is a required component for a machine running an MTA. A simple service that can hardly be vulnerable.
- time and daytime are used for time synchronization (using rdate(8)). Another simple protocol that can be trusted. Critical on any complex infrastructure and when tracking activities on logs stored on different computers. Very useful (sometimes NTP is overkill) and secure. These services are certainly required in firewalls.
I agree, X11 listening on ports 6000+x is annoying. As machines running X servers are usually workstations on internal networks protected by firewalls, it is not a big issue either.
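The thread argues about which inetd services are enabled by default and which interface they listen on. As an added check (not code from the thread or from OpenBSD), this sh script lists the uncommented entries of an inetd.conf-style file and marks each as loopback-only or reachable on all interfaces, using the `host:service` / `[v6host]:service` syntax of OpenBSD's inetd. The sample file is constructed for the example and only mirrors the layout of a default inetd.conf.

```shell
#!/bin/sh
# Print "SERVICE PROTO SCOPE" for every enabled (uncommented) inetd entry read
# from stdin. SCOPE is "loopback" when the entry is bound to 127.0.0.1 or ::1,
# otherwise "all-interfaces" (no host prefix means inetd binds every address).
list_enabled_inetd() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # skip comments and blanks
        {
            svc = $1; host = "*"
            if (match(svc, /^\[.*\]:/)) {           # [::1]:service form
                host = substr(svc, 2, RLENGTH - 3)
                svc  = substr(svc, RLENGTH + 1)
            } else if (index(svc, ":") > 0) {       # 127.0.0.1:service form
                n = index(svc, ":")
                host = substr(svc, 1, n - 1)
                svc  = substr(svc, n + 1)
            }
            scope = (host == "127.0.0.1" || host == "::1") ? "loopback" : "all-interfaces"
            print svc, $3, scope                    # $3 is the protocol field
        }'
}

# Number of enabled entries that other hosts can reach.
count_exposed() {
    list_enabled_inetd | grep -c 'all-interfaces$'
}

# Constructed sample resembling the layout of an OpenBSD 4.x /etc/inetd.conf;
# the exact default contents are not taken from the page.
make_sample() {
    cat <<'EOF'
# constructed sample inetd.conf
ident		stream	tcp	nowait	_identd	/usr/libexec/identd	identd -el
#ident		stream	tcp6	nowait	_identd	/usr/libexec/identd	identd -el
127.0.0.1:comsat	dgram	udp	wait	root	/usr/libexec/comsat	comsat
[::1]:comsat		dgram	udp6	wait	root	/usr/libexec/comsat	comsat
daytime		stream	tcp	nowait	root	internal
time		stream	tcp	nowait	root	internal
#ftp		stream	tcp	nowait	root	/usr/libexec/ftpd	ftpd -US
EOF
}

# Stand-alone run: audit the constructed sample, then report the exposed count.
make_sample | list_enabled_inetd
echo "exposed entries: $(make_sample | count_exposed)"
```

On a real host, `list_enabled_inetd < /etc/inetd.conf` gives the same report for the live configuration.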
By Anonymous Coward (74.115.21.120) on
Because moderation is (ab)used to reward groupthink and punish people who have the audacity to say something unpopular. Facts have nothing to do with it at all.
By Anonymous Coward (83.233.170.152) on
> - auth is useful to improve speed in communication with remote MTAs; in some cases sending email is not possible if this service is disabled. It is useful for IRC too. So, it is a required component for a machine running an MTA. A simple service that can hardly be vulnerable.
"A simple service that can hardly be vulnerable." That's dangerous talk.
>
> - time and daytime are used for time synchronization (using rdate(8)). Another simple protocol that can be trusted. Critical on any complex infrastructure and when tracking activities on logs stored on different computers. Very useful (sometimes NTP is overkill) and secure. These services are certainly required in firewalls.
time and daytime services are not needed for rdate! I turn off inetd in rc.conf, and it has no effect whatsoever on my ability to sync up with my ISP's NTP server. And no, those services are definitely NOT required for firewalls. You should be doing an rdate sync to your trusted source on boot, then running OpenNTPD (not listening on ports and acting as an NTP server) to keep everything in time when the box is up.
>
> I agree, X11 listening on ports 6000+x is annoying. As machines running X servers are usually workstations on internal networks protected by firewalls, it is not a big issue either.
Mmmmm, because there are never any attackers within the internal network, are there?...
By grg (grg) on
Really? I was under the impression that "Only one remote hole in the default install..." meant exactly that.
Am I a fool, or is this Roger fellow spreading FUD?
By Igor Sobrado (sobrado) igor@string1.ciencias.uniovi.es on
>
> Really? I was under the impression that "Only one remote hole in the default install..." meant exactly that.
> Am I a fool, or is this Roger fellow spreading FUD?
You are right. Sometimes bugs have been found in the base system, but in subsystems that are disabled by default or cannot be exploited to get root access. It is not a kernel-only bug count. In fact, if I am not wrong, the "only remote vulnerability found on OpenBSD" was related to OpenSSH, not to the kernel itself.
By Anonymous Coward (74.115.21.120) on
>
> Really? I was under the impression that "Only one remote hole in the default install..." meant exactly that.
> Am I a fool, or is this Roger fellow spreading FUD?
Not spreading FUD, he's just clueless. Apart from the totally nonsense remote hole kernel paragraph, there's all this:
"They worked hard to scrub every proprietary and non-open piece of source code out of the kernel"
No, the whole OS not just the kernel.
"Mac (both Motorola and iMac chipsets)"
Yeah, the iMac chipsets are much better than the Motorola chipsets.
"FTP supports HTTPS."
The command "ftp" does, but the protocol "FTP" does not. It doesn't even make sense.
"Security comes at the price of decreased user friendliness and difficult installs from a lack of supported drivers."
No it doesn't. OpenBSD is the most user friendly unix available, and with the best installer. The lack of drivers has nothing to do with security, and everything to do with corporate bullshit.
"OpenBSD is shipped secure-by-default, with all non-essential services disabled."
No it isn't, inetd is running with time, daytime and identd by default.
"The \bin and \sbin folders will be emptier than other Linux or BSD distros."
Especially since they don't exist on any linux distro, and there's no such thing as a BSD distro.
The guy has obviously never actually used anything besides windows.
By Anonymous Coward (156.34.218.73) on
> The guy has obviously never actually used anything besides windows.
Yes. Clearly he is putting off "actually trying it" until the new year.
By Renaud Allard (renaud) on
> "The \bin and \sbin folders will be emptier than other Linux or BSD distros."
>
> Especially since they don't exist on any linux distro, and there's no such thing as a BSD distro.
>
> The guy has obviously never actually used anything besides windows.
As a general rule, people not knowing the difference between / and \ don't even have a clue about computers at all, and so are using whatever OS is loaded by default on their computer. Some may be journalists, who may eventually try to explain stuff they heard exists.
By Nate (Nate) on
Another of his follow-ups, with what corrections he's come up with listed therein: http://weblog.infoworld.com/securityadviser/archives/2007/01/openbsd_column.html
By sthen (85.158.44.146) on
It's a real pity this is written as a how-to; directing people to the FAQ would be of far more service.
By Hugh (86.0.61.145) hwangeruk@yahoo.co.uk on
I love the ethos of OpenBSD, and come back to it occasionally to "tinker" with it. I don't care if Theo is abrasive (although I think he can be forgiven for having a difference of opinion with a couple of other projects' people 10+ years ago now); in fact I like that he is a pedant, as that's what makes quality code.
OpenBSD is easy to install up to console, but beyond that it's not easy.
I wish somehow the *nix people generally were more helpful to new people. This guy was being pretty generous in his article, he's saying "I use Windows, but you should check this other OS out". What a nice chap.
Then why did he get such a negative vibe? He is allowed to have an opinion on OpenBSD, and I for one agree with a lot of his sentiment.
Rather than attack him, why not try and help?
Why isn't the installer more helpful at disklabel time, for example?
I am no dummy, but coming back to OpenBSD after a spell away I forget exactly which labels I need; sometimes I remember /var and /tmp and /usr and /home, but then I might forget which order and how big to make them.
Bah, anyways, I know I am wasting my key clicks here. Nothing changes :)
Cheers to the OP, nice article.