4th October 2015
backrow
Real Name: Anthony J. Bentley

Quote:
Originally Posted by Monti
Just found the "The insecurity of OpenBSD" and was curious to see if there was a comment on the article here on daemonforums.
A few thoughts.

It states that only the base system is audited. By and large, this is true. But the author implies base auditing is useless because it doesn’t guarantee the security of ports. This misses two points: first, the base system is very full‐featured and there is a lot you can do with just base software. You can run mail, web, routing, DNS, and much more without any packages. That’s great, especially for people who are running a machine specifically for such services.

Secondly, OpenBSD provides many security benefits that do help you even if you’re running ports. LibreSSL provides a good base for any application using SSL and removes functionality for insecure ciphers even in ports programs. Nearly every program in ports is compiled with PIE. The stack protection and ASLR affect ports programs. And so on.

Finally, the guy spends the bulk of the article decrying the lack of MAC and ACLs. He gives a cursory mention of OpenBSD’s main argument against them—that they are too complex, leading people to misconfigure them or disable them entirely—but promptly ignores it. He also implies that lack of these features is a dealbreaker, when in fact most situations simply don’t need them. (I mean, have you ever used ACLs?)
__________________
Many thanks to the forum regulars who put time and effort into helping others solve their problems.