OpenBSD's Good Example
by Noel
It may seem odd to start an article about OpenBSD by talking about
Linux. I talk about my experience and love of Linux so that I will
not be mistaken for one of the "*BSD rocks, Linux sucks" crowd. There
are important lessons to be learned from OpenBSD that those in the
Linux community must not ignore.
I have been using Linux from the summer of 1994 until today. I loved
it when I started using it and I love it today. I have used it as a
desktop and as a server. A few years ago on the fourth of July I
declared independence and removed the Windows partition on my machine.
I had kept Windows around to run Quicken, but decided that I would
find a Linux replacement or do without.
I have been hearing about this OpenBSD thing for a long time. I had
been interested but Linux did everything that I needed it to do. I
still found reading about OpenBSD interesting. It was an operating
system designed to be secure from the minute you finished
installing. One that you never saw articles about entitled: "How to
secure your OpenBSD box".
Over the six years that I have been using Linux it has taken more and
more work to secure a machine once I have installed it from the CD.
Some of this is from my skill level and knowledge increasing and some
is from the additional software and services that the distributions are
including. The last Linux installation I did on my machine at home
took much more time to secure than it did to install.
At work I support Sun Solaris machines. They also suffer from the
problem of having a lot of things to secure once they are
installed. The installations leave a lot of services open and daemons
running.
This is of course not really a Linux problem. The Linux
kernel is the least of our worries; it is instead the software in the
distribution that is the problem. The organizations that build the
distributions for the most part configure them to have
the most services running and do not set them up with security in mind.
This is a big problem for Linux. You should not have to be an expert
to get a secure Linux machine. There are just not enough Linux
experts to go around and there will be many unsecured Linux machines
on the net.
I want Linux to continue to grow. I want it to grow in the
desktop, server and palmtop/embedded areas. The more Linux grows the
more software and games will be available. The more it grows the more
hardware will be supported. However a deserved reputation for being
insecure will not make Linux grow and will retard its growth.
So a couple of weeks ago I ordered an OpenBSD 2.7 CDROM and installed
it on an upgraded 486 I had lying around. The machine I installed it
on was a Pentium 83MHz upgrade, 40MB RAM, two 350MB hard drives with
an NE2000 Ethernet card.
The install went well. The disk formatting tool that is called
disklabel could be difficult for someone who has only installed
Linux. It is not as friendly as fdisk, or some of the other Linux
tools. I have used similar tools under Digital Unix (aka OSF/1 and
Tru64) and Solaris so I did not have any problems with it.
I am not going to go into great detail about the installation. The
only problem I had was with the Ethernet card. The card that was in
the machine was an old NE2000 card that I had picked up at a going out of
business sale a couple of years ago. I had no idea what brand it was
and, it being a jumperless card, I could not change the IRQ and port on
the card. This caused a problem with getting the card to work under
OpenBSD. I solved this by running over to the store and buying an
eleven-dollar Ethernet card.
The thing I appreciated first about OpenBSD was that it was not
running lots of unneeded services. There were not hours of work needed
to secure everything and turn off a bunch of daemons that I did not
need.
The next impression I had was how usable as a desktop it was. I had
a picture in my mind of OpenBSD as a stripped-down Unix that was secure
because it did not offer much. Instead of this I found a system that
installs a minimum of software but that has a lot of packages that can
be installed. X Windows was configured with the fvwm window manager,
set up almost like I run my normal working environment. In the
tradition of the more someone agrees with you the smarter they are, the
person that set up X Windows is a genius. Setting everything up is
going to take more effort than it does under a Linux distribution that
installs 3GB of software but the end result would still be a very
usable desktop environment.
It is my opinion that there are many lessons in how OpenBSD is put
together that the Linux community needs to take note of. We need to
have distributions that come secure out of the box. We need to have
options for major distributions that tighten things up.
OpenBSD's security goal is:
"OpenBSD believes in strong security. Our aspiration is to be NUMBER
ONE in the industry for security (if we are not already there). Our
open software development model permits us to take a more
uncompromising view towards increased security than Sun, SGI, IBM, HP,
or other vendors are able to. We can make changes the vendors would
not make. Also, since OpenBSD is exported with cryptography, we are
able to take cryptographic approaches towards fixing security
problems."
They believe in full disclosure and they have been doing security audits
on their code for four years. This has saved them from being
vulnerable to many exploits and problems that affected other operating
systems.
The OpenBSD security page says the following about their auditing
process:
"Another facet of our security auditing process is its
proactiveness. In most cases we have found that the determination of
exploitability is not an issue. During our ongoing auditing process we
find many bugs, and endeavor to fix them even though exploitability is
not proven. We fix the bug, and we move on to find other bugs to
fix. We have fixed many simple and obvious careless programming errors
in code and only months later discovered that the problems were in
fact exploitable."
They also talk about not requiring their users to be security experts
as soon as they install OpenBSD.
"To ensure that novice users of OpenBSD do not need to become security
experts overnight (a viewpoint which other vendors seem to have), we
ship the operating system in a Secure by Default mode. All
non-essential services are disabled. As the user/administrator becomes
more familiar with the system, he will discover that he has to enable
daemons and other parts of the system. During the process of learning
how to enable a new service, the novice is more likely to learn of
security considerations.
This is in stark contrast to the increasing number of systems that
ship with NFS, mountd, web servers, and various other services enabled
by default, creating instantaneous security problems for their users
within minutes after their first install."
Why do we in the Linux community produce distributions that require
the user to be a security expert? Why don't we at least add a "Secure
by Default mode" to our distributions? If we are aiming at the
desktop then turn off what the desktop user does not need or use
something like ipchains to filter some of the services we are running
from the outside world.
I am not claiming that the makers of the distributions do not care
about security. However they do as a rule configure their
distribution to maximize the services available and to make things
always be as easy for the user as possible. This is not all bad but
I believe it must not be taken to an extreme that gives the user a very
usable system that is also very unsecure.
I am also not claiming that no one in the Linux community is doing
anything about this. There are two auditing projects that I know of:
the Linux Security-Audit Project and the Linux Kernel Auditing
Project. There are also people working on secure distributions of
Linux such as Trustix Secure Linux and Bastille Linux. The makers
of other distributions should be following the example of the secure
distributions and providing as much support as they can to the
auditing projects.
We will all benefit from Linux and Linux distributions becoming more
secure. If we will not try to be number one in the industry for
security as OpenBSD does then perhaps we can work towards having some
distributions be a close second.