OpenBSD Newbie with a lot of questions

[barntop47]

Hi there.

I've been using Linux for the last couple of years now and have recently taken an interest in OpenBSD, specifically because the developers of the Libre distro Hyperbola Gnu/Linux-Libre have announced they are developing a new hardfork of OpenBSD which they promise to be more secure and privacy respecting.

So I thought I'd familiarise myself with OpenBSD itself so, coming from Linux, I've got quite a lot of questions to ask.

• Is there a written installation guide for OpenBSD anywhere?
• How do I make a full-disk encryption install with LVM?
• How can I install OpenBSD in a multi-boot system?
• Are there any hacking or pen-testing tools and apps for OpenBSD just like Kali Linux or BlackArch?
• Can Docker or any equivalent container software be installed in OpenBSD?
• Can I create my own OpenBSD iso for live booting?
• Does OpenBSD have Firejail, AppArmor or any jailing equivalent?
• Can I install LibreSSL to replace OpenSSL? If so, how?
• Can I use OpenVPN on OpenBSD?
• Does OpenBSD use any kind of Ramdisk like tmpfs?
• Does anyone have any recommendations (apps, practises, settings, etc.) for new OpenBSD users, especially privacy and security-minded users?

Thanks.

[frcc]

https://www.openbsd.org/faq/

[jggimi]

Hello and welcome!

The FAQ is a great place to start, as frcc noted. It won't answer all of your questions, however, so I'll take a very brief stab at them:

----

• installation guide -- FAQ
• LVM - there isn't one.
• multiboot - FAQ
• pentest - some 3rd party tools in the package collection. Ports/packages are discussed in the FAQ.
• Docker - no
• Bootable live media - USB stick discussed in the FAQ
• Jails - nope. chroot(2) and privilege separation instead.
• LibreSSL - built in, my dude/dudette. Developed by OpenBSD devs, on OpenBSD. See https://www.libressl.org/
• OpenVPN - yes, from the package collection, discussed in the FAQ
• tmpfs - mount_mfs(8), and rd(4) which is used with install media (the RAMDISK kernel)
• Recommendations -- The OS doesn't usually require any "tuning" "hardening" or "tweaking" as the defaults are carefully considered. The only place where we generally don't use the defaults -- although we may start with them -- is disk partition sizing. There's no LVM, as noted above.

Culturally, this OS Project is different from all others. The Project's members work on the OS that they want, the way they want to, for themselves. We users can come along for the ride, if that suits us.

[jmccue]

For tmpfs, not really like Linux, but you can create a ramdisk. I have this in my /etc/fstab to create a 1gig 'tmpfs', took me awhile to understand what to do from the docs

Thus I put it here in case you want to do the same.

Code:

swap /mnt/tmpfs mfs rw,noatime,nodev,nosuid,-s=1g 0 0

Note, from my experience, OpenBSD uses a lot less memory than Linux so I never came close to maxing memory out and I think 1g is a bit large for my use-cases.

I created and did a chmod 1777 on /mnt/tmpfs prior to updating fstab

[CiotBSD]

hi

for pentester, you have the SecBSD Project: https://www.secbsd.org/
(absolutly based on OpenBSD with tools to audit security)

as Live System USB/CD, you have the FuguITA project: http://fuguita.org/?FuguIta
(always on OpenBSD stable with recents syspatches)
* maybe ResFlash - depends your project - : https://stable.rcesoftware.com/resflash/

For Tmpfs, as said others, not exists like into Linux, but you can do same with mfs:
- into the console/terminal system, i.e:

Code:

mount_mfs -i 1024 -s 8m -o "rw,nodev,noexec,nosuid" swap "${directory}"

- into fstab file:

Code:

swap ${directory} mfs rw,-i=1024,-s=8m,nodev,noexec,nosuid 0 0

(as examples)

(and personally, I dont use never 1777 rights on tmpfs ; only 700, maybe 0705, it's enough)

[gpatrick]

Quote:

Jails - nope. chroot(2) and privilege separation instead.

Did they end vmm development? Although it is a hypervisor that is more comparable to bhyve than jails, it is still an option.

It would be interesting if NetBSD's sailor could be ported to OpenBSD.

[jggimi]

Development of the hypervisor is still ongoing. But a hypervisor is not a process jail.

[Sehnsucht94]

Quote:

Originally Posted by gpatrick

It would be interesting if NetBSD's sailor could be ported to OpenBSD.

sailor's been stagnating for a long time now, last commit is dated 2017, as iMil@ in the meantime moved to Kubernetes and seems to be focusing on it. At this point, I think it's safe to assume the project won't come to light in the foreseeable future.