DaemonForums  

  #1   (View Single Post)  
Old 6th April 2013
barti barti is offline
Shell Scout
 
Join Date: Jul 2012
Posts: 122
Default privilege separation ?

Hi again,


I want to ask about privilege separation, it is from this link.

http://allthatiswrong.wordpress.com/...ty-of-openbsd/


--------



> Since the majority of attacks are not against the base system but against software operating at a higher level actively
> listening over the network, it is likely that if an OpenBSD machine were attacked, it would be through such software.
> This is where OpenBSD falls down, as it provides no means to protect from damage in the event of a successful attack.


What BS! You don’t seem to be aware that OpenBSD led the charge years ago for “priv sep”, and to this day installs
every single ‘ports/packages’ daemon with a distinct, non-privileged userid – a good idea which not only proves that your
statement above is based on ignorance, but provides “secure by default” a strong measure of what the formal approaches claim to offer
but make complex to implement. And it’s also been copied into leading Linux distributions, e.g., Android does exactly the
same thing for every app you install.

--------

Many people indeed dismiss OpenBSD because of this idea, OpenBSD won't save you from SQL attacks or bad PHP code.


I don't get it, is that true? Is "privilege separation" really a saver or not?

A real advantage even against SQL attacks or PHP code problems?

If not, then OpenBSD is useless as a web server.



Thanks.
  #2   (View Single Post)  
Old 6th April 2013
ocicat ocicat is offline
Administrator
 
Join Date: Apr 2008
Posts: 3,318
Default

Quote (originally posted by barti):
> Is "privilege separation" really a saver or not?

Privilege separation limits the access of the application to only what it needs to execute. Nothing more.

Quote:
> A real advantage even against SQL attacks or PHP code problems?

This is a broader problem class which privilege separation by itself does not address, nor can it.
  • Most SQL vulnerabilities stem from incorrectly formed SQL which reveals table information not intended to be made public, or more simply deletes tuple values. This is caused by poor application design & implementation, not privilege separation.
  • PHP coding errors are caused for numerous reasons, but most often through inexperience.

Quote:
> If not, then OpenBSD is useless as a web server.

Such wildly inaccurate & unsubstantiated claims really don't help anyone.
  #3   (View Single Post)  
Old 7th April 2013
barti barti is offline
Shell Scout
 
Join Date: Jul 2012
Posts: 122
Default You are right, I'm sorry

But when I try to prove to people that OpenBSD is superior to Linux in terms of security I have troubles.



I really don't understand what's the point of using OpenBSD with dynamic content like Drupal or Joomla.
  #4   (View Single Post)  
Old 7th April 2013
rocket357 rocket357 is offline
Real Name: Jonathon
Wannabe OpenBSD porter
 
Join Date: Jun 2010
Location: 127.0.0.1
Posts: 429
Default

If you're going into the setup with the idea that you're hard-set on running wordpress with poorly written plugins, OpenBSD won't save you. This is true.

When building an application stack, you MUST take everything from hardware to the userbase into consideration. If any one of those is a broken link, the rest typically won't matter.
__________________
Linux/Network-Security Engineer by Profession. OpenBSD user by choice.
  #5   (View Single Post)  
Old 7th April 2013
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,128
Default

A chain is as strong as its weakest link
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
  #6   (View Single Post)  
Old 7th April 2013
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,977
Default

Quote (originally posted by barti):
> But when I try to prove to people that OpenBSD is superior to Linux in terms of security I have troubles.
>
> I really don't understand what's the point of using OpenBSD with dynamic content like Drupal or Joomla.

If you don't understand it or believe in it yourself, you will not be able to convince other people.

In order to be able to discuss "Security" you must first define the term and how it applies to the needs of your entire application and its infrastructure.

Security does not come from an OS. Security is not an installable program. Security is not a feature.


Instead, security is a series of processes inherent to the designs of your applications and their underlying systems. Security includes careful risk assessment and mitigation planning, and active monitoring of an implementation in order to reassess/reconfigure as required.
  #7   (View Single Post)  
Old 7th April 2013
ocicat ocicat is offline
Administrator
 
Join Date: Apr 2008
Posts: 3,318
Default

Quote (originally posted by barti):
> But when I try to prove to people that OpenBSD is superior to Linux in terms of security I have troubles.

"Proving" any sort of superiority to others is a waste of time. Security isn't a question of "my OS is better than your OS". The real question is how well do you as an administrator understand the underlying issues & what are you doing to minimize the risks? Security is attained through process, not by putting blind faith into unknown software.

Don't expect to master these topics quickly. Fluency comes with lots of study & pondering the more important questions.

Quote:
> I really don't understand what's the point of using OpenBSD with dynamic content like Drupal or Joomla.

This appears to be an important question to you. I would suggest you spend time researching the subject. Research what measures Drupal, Joomla, or whatever software you choose offers. Better locations for study include the projects' mailing lists. The underlying problems you face are hard, & the answers you look for will not always be clear. Depending on where you go, the advice & opinions you will get may be contradictory. Your goal is to attain sufficient knowledge & background such that you can ferret out what is unimportant from that which is important.

Again, this knowledge will not be attained quickly. You will not find a definitive answer at a single site. You need to read a great deal & put significant time into research & planning. Thinking will be required.
  #8   (View Single Post)  
Old 8th April 2013
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,977
Default A holistic approach to security is required

Barti,

Some months ago, I designed and tested an infrastructure for a web application with dynamic content. Security considerations were part of the design. The server infrastructure -- web, application, load balancers, and database servers -- are designed to be geographically dispersed.

Some of the security decisions were:
  • Communication with client browsers is via HTTPS only.
  • Internet communication between servers is only via IPSec tunnels, further filtered via PF.
  • Intranet communication between servers in one location is restricted by PF, and in addition via IPSec tunnels where packets are not on independent, secure (V)LANs.
  • The webservers' PHP code resides on a read/only filesystem.
  • Remote administrative access permitted only via two factor authentication -- implemented with ssh(1) PKA and a required passphrase.
OpenBSD was the platform of choice, but it was not a requirement. OpenBSD's implementations of nginx(8) for web server, relayd(8) for load balancing and intra-server routing, pf(4) for packet filtering, and ipsec(4) for network encryption are easy to configure and use but there are other OSes, and other solutions for the same problems.

Are there benefits to OpenBSD's implementations? Absolutely. For example:
  • nginx runs chrooted in /var/www and with privilege separation.
  • The application servers run php-fpm chrooted as well. Privilege separation is not needed as there is no requirement for superuser function.
Please note that privilege separation is just one component of many in this particular infrastructure. Its value? In the event of a successful attack on the nginx webserver, any arbitrary code executed in that attack will be limited to the capability of a standard user. More important to me is the arbitrary code cannot reach beyond /var/www on the webservers, as OpenBSD's implementation chroots nginx.

Combined, the two security features protect the OS and other applications on the webserver. They do not directly protect the nginx webserver daemons. It is other choices and other infrastructure decisions made in combination that provide the level of security required for the application as a whole.
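The confinement described in the post above (chroot plus an unprivileged user), sketched as an added C example that is not part of the thread and is not nginx or OpenBSD code. It confines a forked worker and then probes what injected code in that worker could still do. The jail directory and uid/gid 32767 are constructed placeholders, and the program must start as root for the confinement to succeed.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* glibc: expose chroot(), setgroups(), mkdtemp() */
#endif
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

enum { CONFINED = 0, ESCAPED = 1, NOT_CONFINED = 2 };

/* Order matters: chroot and the group changes need root, so the uid goes last. */
static int confine(const char *jail, uid_t uid, gid_t gid)
{
    if (chroot(jail) == -1 || chdir("/") == -1)  /* chdir: no cwd left outside the jail */
        return -1;
    if (setgroups(1, &gid) == -1)                /* shed root's supplementary groups */
        return -1;
    if (setgid(gid) == -1)                       /* as root: real, effective, saved gid */
        return -1;
    if (setuid(uid) == -1)                       /* as root: all three uids, irreversible */
        return -1;
    return 0;
}

/* What code injected into the confined worker could still do. */
static int probe(void)
{
    if (setuid(0) == 0)
        return ESCAPED;                          /* regained root */
    if (access("/etc/passwd", F_OK) == 0)
        return ESCAPED;                          /* host file reachable from the jail */
    return CONFINED;
}

/* Fork a worker, confine it, and hand the probe result back to the caller. */
int run_confined_worker(uid_t uid, gid_t gid)
{
    char jail[] = "/tmp/jail-XXXXXX";  /* constructed empty dir standing in for /var/www */
    int status = 0;
    if (mkdtemp(jail) == NULL)
        return NOT_CONFINED;
    pid_t pid = fork();
    if (pid == 0)
        _exit(confine(jail, uid, gid) == 0 ? probe() : NOT_CONFINED);
    if (pid > 0)
        waitpid(pid, &status, 0);
    rmdir(jail);
    return (pid > 0 && WIFEXITED(status)) ? WEXITSTATUS(status) : NOT_CONFINED;
}

int main(void)
{
    /* 32767 is a placeholder unprivileged id; use the daemon's dedicated account. */
    int r = run_confined_worker(32767, 32767);
    puts(r == CONFINED ? "confined: cannot regain root or reach host files"
       : r == ESCAPED  ? "ESCAPED: privilege drop is incomplete"
                       : "not confined: start as root so chroot/setuid can succeed");
    return r == ESCAPED;
}
```

Neither result says anything about SQL injection or PHP bugs: those run with the worker's legitimate access, which is why the thread treats this confinement as one layer among several.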
  #9   (View Single Post)  
Old 8th April 2013
barti barti is offline
Shell Scout
 
Join Date: Jul 2012
Posts: 122
Default recent attacks

Hi again,


So many attacks recently, and I asked people, why don't you use OpenBSD?

It seems that there is no big reason to use OpenBSD if you are a good Linux sysadmin.


chroot can be done with Linux as well.
Linux performs much better than OpenBSD.


And the argument will go on .........
Old 8th April 2013
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,977
Default

Quote (originally posted by barti):
> ... I asked people, why don't you use OpenBSD?

I'll repeat: security is not something you install. It's something you do. It must be 1) integral to your architectural design, 2) tested and confirmed, 3) modified to meet new threats as they are observed and understood.

Quote:
> It seems that there is no big reason to use OpenBSD if you are a good Linux sysadmin.

My number one reason I choose OpenBSD when possible to do so is for simplicity. Simplicity of administration, simplicity of use, simplicity of design, simplicity of internal architecture.

My number two reason for choosing the OS is security. Security by default, security of design, and built-in technologies that aid security, some of which I mentioned earlier in this thread. I won't deploy any other OS directly on the Internet.

I use other OSes when required. That requirement will be driven by the application or by the hardware.

Quote:
> Linux performs much better than OpenBSD.

Then use it.

Just be aware that the OS you choose is just one factor of many when you consider any application's "security".

What I tried to tell you by my posts in this thread is that you need to consider all aspects of security of your application, not just your choice of OS. Think of your home... If you leave a window open, using a better lock on the front door isn't going to help very much. I try to ensure all the windows are closed and locked, as well as the door. OpenBSD comes with all windows closed and all doors locked, so I only need to make sure the new windows and doors I install are appropriately sealed.

Last edited by jggimi; 8th April 2013 at 07:34 PM. Reason: clarity
Old 8th April 2013
ocicat ocicat is offline
Administrator
 
Join Date: Apr 2008
Posts: 3,318
Default

barti, posting an assortment of links without explanation is most likely going to be ignored by most readers, including me. Readers can only assume that it is randomly found information which might add to discussion, or it might not. You either don't want to bother with providing context, or are unable to do so. Since the importance or pertinence of such information has not been established, you aren't providing any reason for anyone to bother with taking the time to comment.

You should consider your readers; they are busy people. While most are open to providing opinions & guidance, we aren't going to do your homework for you.
Old 9th April 2013
rocket357 rocket357 is offline
Real Name: Jonathon
Wannabe OpenBSD porter
 
Join Date: Jun 2010
Location: 127.0.0.1
Posts: 429
Default

http://www.cvedetails.com/cve/CVE-2011-2895/

Taken from your link, Barti.

States "The LZW decompressor in (1) the BufCompressedFill function in fontfile/decompress.c in X.Org libXfont before 1.4.4 and (2) compress/compress.c in 4.3BSD, as used in zopen.c in OpenBSD before 3.8"

CVE was released in 2011. OpenBSD 3.8 was released in November 2005. In other words, the bug was fixed in OpenBSD six years before it was fixed in NetBSD, FreeBSD, Linux, etc...

How is this a vulnerability for OpenBSD, again?

You have to read the fine print.

Edit - This particular CVE is a perfect example of why I use OpenBSD (proactive bug hunting...it's really hard to exploit a bug in OpenBSD when the patch for it went in six years before it went public). The difference is, though, that I don't care what other people run. If they want to gamble with Linux because they're too lazy to do the research and put in the effort to maintain a system they're not familiar with, that's on them.
__________________
Linux/Network-Security Engineer by Profession. OpenBSD user by choice.

Last edited by rocket357; 9th April 2013 at 01:56 AM.
Old 9th April 2013
barti barti is offline
Shell Scout
 
Join Date: Jul 2012
Posts: 122
Default Plone and Python and OpenBSD

I meant that the CVE shows that those three (Plone and Python and OpenBSD) are the clear winners in the security tests.


About CMS, PHP and MySQL are not security best friends.

Plone is much much better.

I thought it is obvious from the TOTAL in the page.
Old 9th April 2013
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,977
Default

These metrics should not be used as a comparison of security between products. The website is merely a consolidator of CVE data, and it does not guarantee any accuracy of its information. As rocket357 has shown with only one example above, each CVE must be individually examined for applicability. Carefully.
Old 9th April 2013
rocket357 rocket357 is offline
Real Name: Jonathon
Wannabe OpenBSD porter
 
Join Date: Jun 2010
Location: 127.0.0.1
Posts: 429
Default

Yeah, that was the point I was trying to make. Sure, you can say that Windows is "more secure" than Linux because the past three months Microsoft has had fewer CVE's...but then you figure up the "severity score" average and note that M$ has an average severity of 7.8 compared to Linux's 4.8 (numbers being pulled from the air, no basis in reality).

What does it mean? It means you're comparing apples to oranges.

If I run OpenBSD on my entire multi-million dollar infrastructure, and there exists one zero-day in OpenBSD that hasn't been patched yet and is remotely exploitable in the default install, what does it matter if there are fewer CVE's? See what I did there? CVE's aren't the problem, they are only a partial symptom of the problem. Granted, the odds of that occurring are incredibly low compared to "mainstream" operating systems, but it doesn't mean it *couldn't* happen.
__________________
Linux/Network-Security Engineer by Profession. OpenBSD user by choice.

Last edited by rocket357; 9th April 2013 at 09:03 PM.
Old 10th April 2013
barti barti is offline
Shell Scout
 
Join Date: Jul 2012
Posts: 122
Default I looked at the total

OpenBSD total is 197 while Linux total is 1000.



-------------

I made a comparison in the totals.

If you use Plone+FreeBSD it is much more secure than Linux+Joomla
Old 10th April 2013
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,977
Default

Quote (originally posted by barti):
> I made a comparison in the totals.
>
> If you use Plone+FreeBSD it is much more secure than Linux+Joomla

I am not sure why, but you have missed the points that both rocket357 and I have tried to articulate in this thread.

Let me try to clarify. We believe that:
  • Counting CVE reports is not an accurate measure of the program's "security" design.
  • Comparing counts of CVE reports between programs is not a useful measure of their relative security.
  • Applications are deployed on integrated computing systems. CVE reports are for individual programs or products, not for systems.
  • Systems design and implementation choices are of more importance to security than the selection of individual programs or products.
----


Edited to add:


My highlighted bullet is my belief and active practice. I haven't confirmed agreement on this with rocket357, and will accept correction, if my assumption is incorrect.

Last edited by jggimi; 10th April 2013 at 02:23 PM. Reason: typo, clarity
Old 10th April 2013
rocket357 rocket357 is offline
Real Name: Jonathon
Wannabe OpenBSD porter
 
Join Date: Jun 2010
Location: 127.0.0.1
Posts: 429
Default

I agree with your last bullet point, jggimi.

50% of all of the "vulnerabilities" Microsoft ran across during the big code audit in 2002 (that eventually became Windows Vista), were "design" issues and not "implementation" issues. Design issues are considerably more intensive to fix than simple implementation errors (such as strcpy vs strlcpy or the like) and as such design issues are *more likely* to be neglected because the cost of fixing them is greater.

It's the same concept as "You cannot fix a bad algorithm by throwing more hardware at it":

"You cannot fix security by throwing individual programs at it."
__________________
Linux/Network-Security Engineer by Profession. OpenBSD user by choice.
Old 10th April 2013
barti barti is offline
Shell Scout
 
Join Date: Jul 2012
Posts: 122
Default I think I now got the point.

But still, I think if you could find a "CVE" for system security it will be similar to this CVE.


Plone is way more secure than Joomla.