DaemonForums  

#1
Old 12th September 2016
beiroot
Shell Scout

Join Date: Sep 2016
Posts: 86
FreeBSD 10.3 vs OpenBSD 6.0

Hi Experts,
I know there is a gazillion other pages, threads and articles on this topic - I've read them all. However, most (if not all) of them are outdated - meaning they don't compare FreeBSD 10.3 to OpenBSD 6.0.
Could you please tell me what is the difference between those two systems - especially regarding security? E.g. about the PF implementation, anti-exploitation mechanism, pledge() ... and many many other security-related topics.

I asked this question on FreeBSD forum and I got some really interesting answers. They also encouraged me to ask you guys the same questions and it's a good idea. I'd love to hear your opinion on this.
#2
Old 14th September 2016
vermaden
Administrator

Join Date: Apr 2008
Location: pl_PL.lodz
Posts: 1,056

FreeBSD - focus on all round features and performance
OpenBSD - focus on security and proper implementation

For FreeBSD You have features like GELI, ZFS, Boot Environments, Jails, Virtualbox, Capsicum, GEOM Framework, PKGng, Bhyve, Nvidia Binary Drivers, ...

For OpenBSD You have features like Pledge, VMM, Encrypted SWAP by Default, Newer PF, ...

For some people suspend/resume works better on OpenBSD, for some on FreeBSD.

If You need modern storage or virtualization, You use FreeBSD.

If You are already proficient in FreeBSD, then why use OpenBSD? Newer PF or some ALIX box that OpenBSD may run better than FreeBSD, or SUN SPARC T1000 which is not supported by FreeBSD, or for home router/wifi/switch/firewall, but for today's multicore CPUs and tens of gigabytes of RAM and terabytes of storage with multiple disks I do not see a place for OpenBSD.

When OpenBSD developers will adapt HAMMER or HAMMER2 filesystem from DragonflyBSD and VMM would be usable to run Windows in it, then I COULD change my mind, but for now, besides some VERY specific needs, I would run FreeBSD, but that's me. Decide for Your own.

Regards,
vermaden
__________________
religions, worst damnation of mankind
"If 386BSD had been available when I started on Linux, Linux would probably never had happened." Linus Torvalds

Linux is not UNIX! Face it! It is not an insult. It is fact: GNU is a recursive acronym for “GNU's Not UNIX”.
#3
Old 14th September 2016
rocket357
Real Name: Jonathon
Wannabe OpenBSD porter

Join Date: Jun 2010
Location: 127.0.0.1
Posts: 429

If you are going into an area known to be contaminated with lethal diseases, do you get vaccines or do you wear a rubber suit? In an ideal world, you do both, but if you had to choose only one it really comes down to personal preference.

FreeBSD vs. OpenBSD is something like that. Some people prefer the rubber suit, some prefer vaccines.
__________________
Linux/Network-Security Engineer by Profession. OpenBSD user by choice.
#4
Old 14th September 2016
jggimi
More noise than signal

Join Date: May 2008
Location: USA
Posts: 7,977

Quote:
Originally Posted by rocket357 View Post
If you are going into an area known to be contaminated with lethal diseases....
Brilliant. Amusing. Entertaining. And in the event this question was some professor's assignment, perfectly unhelpful.

I saw the same question posted last week on Reddit, either /r/bsd or /r/openbsd.

Hopefully, everyone who responds technically gets partial credit hours.
#5
Old 14th September 2016
Funkygoby
Fdisk Soldier

Join Date: Aug 2015
Posts: 57

On my x61s, OBSD has improved in performance compared to 5.7. With 6.1 promises it is time to reconsider the debian wheezy <-> OBSD switch.

OK! Let's go noob-technical!
My opinion as a not so experienced (but biased) OpenBSD desktop user:
-Performance: FBSD felt more responsive than OBSD around 10.1 vs 5.7. Now 6.0 feels fine on my x61s (with softdep in fstab).

-Hardware compliant: On my thinkpad, OBSD is just fine. FBSD couldn't suspend/resume, backlight didn't work etc... Maybe 11.x will improve?
OBSD is NOT a features-OS, it won't follow every last chip. 3-4+ years-old non-nvidia thinkpads are your best bet but there are people currently hacking on chromebooks, HPs, etc...
For nvidia, go FBSD.

-ease of setup/use: OBSD wins here. For example: I couldn't shutdown/restart/suspend/hibernate with xfce. No worry, I opened the pkg_readme and spent 15sec finding the answer. Problem solved.
FBSD handbook is cool but I couldn't find my way as easily as I do in OBSD. A Linux desktop feels even messier compared to the BSDs.
OpenBSD has an outstanding audio stack/server (an audio server!! who would have guessed?).
httpd was easily set up too. Compared to Android where I will never figure out how to re-enable UMS or had to hack my way through making my app able to write on sdcard.

-security: Can't speak much here, I have never been hacked (I guess) or run sensible system. First, are you planning to use only base or base+ports+3rd party+etc...
Security-wise OBSD's base seems a very safe bet considering the care given to the designs and implementations. I never mustered the courage to configure sudo but I feel confident with doas hence less misconfigurations. The code is maintained (read the reports of hackathons on undeadly.org), the devs pay attention to details.
As soon as you build up your system with ports, you are making compromises. Do you trust firefox? Are you sure the last vulnerability is patched in the port? Basically your system is as weak as your weakest port I suppose. So FBSD ports vs OBSD ports? Or maybe sandboxing (FBSD jails, linux sandboxing) vs OBSD pledge()&co (the most popular ports are being pledged) ? Is sandboxing a testing/development tool or a security mechanism?
With 3rd party software, the security question is less obvious. Your call...
For me it's OBSD+xfce+firefox+vlc and the likes.

-community: Both seem fine. I like Tedu's blog (doas basics in a blog post), bsdnow or undeadly.org for news. About the leadership, here, I believe a benevolent dictatorship makes more sense than a democracy. OBSD focus seems more defined than FBSD.


tl;dr
Write down your needs. Try both. Get an opinion.

P.S:
PF is more advanced in OBSD obviously and its SMP perf is catching up with FBSD.
About pledge, I suggest you listen to Theo making a comparison of security mitigation https://www.youtube.com/watch?v=a_EYdzGyNWs Very instructive.

Last edited by Funkygoby; 14th September 2016 at 08:30 PM. Reason: typo, grammar, non-sense
#6
Old 14th September 2016
ocicat
Administrator

Join Date: Apr 2008
Posts: 3,318

Quote:
Originally Posted by Funkygoby View Post
Write down your needs. Try both. Get an opinion.
+1

Empirical testing is the best answer beiroot can get. Testing both systems will reveal one's real priorities, & show which project will meet these needs.
#7
Old 15th September 2016
rocket357
Real Name: Jonathon
Wannabe OpenBSD porter

Join Date: Jun 2010
Location: 127.0.0.1
Posts: 429

Quote:
Originally Posted by jggimi View Post
Brilliant. Amusing. Entertaining. And in the event this question was some professor's assignment, perfectly unhelpful.
Excellent to see my intentions came across crystal clear

I know what I don't like about OpenBSD and FreeBSD because I've used them. Likewise, I know what I do like about OpenBSD and FreeBSD because I've used them. It's the only way to know for certain if something meets your needs.
#8
Old 16th September 2016
e1-531g
ISO Quartermaster

Join Date: Mar 2014
Posts: 628

Some people need software not available natively for *BSD, but available for GNU/Linux. In this case they can dualboot, but if they use FreeBSD they also can use binary compatibility with Linux. Linux compat was updated in FreeBSD in recent releases.

If you mind FreeBSD-like system and security there is HardenedBSD, but I don't know if said compat layer works there.

I use OpenBSD, because I like simplicity and I think it is quite secure.
__________________
Signature: Furthermore, I consider that systemd must be destroyed.
Based on Latin oratorical phrase

Last edited by e1-531g; 16th September 2016 at 10:15 AM.
#9
Old 19th September 2016
beiroot
Shell Scout

Join Date: Sep 2016
Posts: 86

Oh good lord! I thought this thread was dead! Why have I not received any notifications?!

Thanks a lot for all your answers and suggestions. I'm currently running Free and OpenBSD on my VMs and playing with them mercilessly. So far I feel I have too little experience to discuss details but the overall security is the reason why I'm trying/comparing these two BSDs.
Just a theoretical question. Is there any ongoing security research in those systems? Any particular topics being investigated?

I'm also thinking about setting up OpenBSD on my old Toshiba netbook just to see how it manages as a desktop. From what I've read OpenBSD developers use it as their desktop (while FreeBSD don't - true?). If yes that would be a sign of OBSD true devotion)
Is OpenBSD smooth for everyday use? I've heard there are annoying things like lack of Flash (which I know can be a blessing) etc. Any others? I heard OBSD+ThinkPad makes a nice couple. I'll see with my Toshiba anyway.
Old 19th September 2016
ocicat
Administrator

Join Date: Apr 2008
Posts: 3,318

Quote:
Originally Posted by beiroot View Post
Just a theoretical question. Is there any ongoing security research in those systems? Any particular topics being investigated?
The OpenBSD project does publish its goals:

http://www.openbsd.org/goals.html

...but plans for implementing specific features, & their priorities are not publicly stated. Having said that, readers of the misc@ & tech@ mailing lists can see what is being publicly discussed & surmise the immediate direction. Information on subscribing to the mailing lists can be found at:

http://www.openbsd.org/mail.html
Quote:
I'm also thinking about setting up OpenBSD on my old Toshiba netbook just to see how it manages as a desktop. From what I've read OpenBSD developers use it as their desktop (while FreeBSD don't - true?). If yes that would be a sign of OBSD true devotion)
Is OpenBSD smooth for everyday use? I've heard there are annoying things like lack of Flash (which I know can be a blessing) etc.
I use OpenBSD, nearly exclusively, for all my computing needs every day. No, it does not have every conceivable desktop gadget, but my goal is simply to get work done.
Old 19th September 2016
e1-531g
ISO Quartermaster

Join Date: Mar 2014
Posts: 628

Quote:
Originally Posted by beiroot View Post
Is OpenBSD smooth for everyday use?
Smooth is a subjective term.

Firefox runs slower than in GNU/Linux, but for me smooth enough. You can watch Youtube.

If you have a GPU which is supported by drivers in OpenBSD you can watch HD movies (at least 720p and 1080p) using mpv. It shouldn't stress your CPU too much.

Editing 10-page documents inside LibreOffice Writer is smooth.

Browsing PDFs using Evince is smooth.


Last edited by e1-531g; 19th September 2016 at 06:17 PM. Reason: Added picture
Old 20th September 2016
beiroot
Shell Scout

Join Date: Sep 2016
Posts: 86

Thanks Funkygoby for a thorough answer and additional links.

Thanks vermaden for feature comparison and nice to meet a fellow countryman on foreign soil

Thanks ocicat for the links and some introduction. I'll definitely look more into it - especially the mailing lists.

Thanks e1-531g for the table you attached - it's a nice graphical summary of the question I asked in the first post. Looking at the date in the link - is it up to date? Meaning state from OBSD 6.0 vs. FBSD 10.3?

Last edited by beiroot; 20th September 2016 at 12:40 PM. Reason: credits to all those who deserved them
Old 20th September 2016
Carpetsmoker
Real Name: Martin
Tcpdump Spy

Join Date: Apr 2008
Location: Netherlands
Posts: 2,243

Quote:
Originally Posted by beiroot View Post
Thanks e1-531g for the table you attached - it's a nice graphical summary of the question I asked in the first post. Looking at the date in the link - is it up to date? Meaning state from OBSD 6.0 vs. FBSD 10.3?
Yeah, it looks about right unless the FreeBSD people have made miles of progress in the last year.

Note that Linux also ticks a bunch of these boxes − and has for years. FreeBSD is really lagging behind here.
__________________
UNIX was not designed to stop you from doing stupid things, because that would also stop you from doing clever things.
Old 21st September 2016
vermaden
Administrator

Join Date: Apr 2008
Location: pl_PL.lodz
Posts: 1,056

Quote:
Originally Posted by beiroot View Post
Thanks vermaden for feature comparison and nice to meet a fellow countryman on foreign soil
Welcome, likewise