DaemonForums  

#1   kungfujesus, 28th September 2008
I would like to secure a system

I'm running an application which uses a Python app to access a SQL database on a server. I would like this computer running the app to use OpenBSD and would love to have the root file system encrypted, since physical access to it won't be all that difficult for many people. Does anybody here know a way to do this? I can't for the life of me find out how. I've found guides on encrypting individual file systems, but never the entire root. Linux allows for something like this so easily, I find it hard to believe BSD wouldn't.

#2   jggimi, 28th September 2008

This is not possible without modifying the kernel source code. And even then, it is only a theoretical possibility. This is because the root filesystem is pre-mounted as "root_device" by the kernel, prior to starting init(8).

You can, however, make the root filesystem physically read-only. Many users have done this over the years. For read-only IDE/ATA or SCSI attached devices, only /etc/rc need be modified. For an optical root device, the kernel will need a custom configuration, too.

#3   kungfujesus, 28th September 2008

I guess my main concern is, will this stop somebody from popping in a livecd environment with an OpenBSD disk, mounting the root file system, chrooting, and running passwd?

#4   jggimi, 28th September 2008

Physical access is physical access. There is nothing to stop someone with it from doing whatever they want, e.g. copying your read-only data somewhere else and modifying it. In that case, the only way to prevent access to encrypted data is to NOT leave the keys in unencrypted media.

The purpose of making a filesystem read-only is to prevent changes to it in the event someone is able to acquire superuser power remotely. This can be as simple as using a read-only device, or setting the schg flag on all files in the filesystem.

If you don't trust those with physical access, either place your hardware in a trusted environment, or don't use OpenBSD.

#5   BSDfan666, 28th September 2008

Software security cannot possibly protect you from physical security risks. If this system is in an area that's not safe, relocate it to a safer area.

There are a few things you can do:
  • Set a BIOS password; most support that.
  • Set the boot priority to boot from the hard drive only.
  • Remove any bsd.rd from the root partition.
  • Remove the 'secure' setting from ttyC* devices in /etc/ttys.
None of this will prevent someone from stealing the physical hard drive and mounting it in another system; physical security is *your* responsibility.

An encrypted root file system sounds nice, but it's simply unfeasible. The third-level boot program, i.e. /boot, is on the root partition. The loader before that is primitive: it has the blocks hard-coded into it, and due to architectural constraints, i.e. a 512-byte PBR, a suitable decryption routine would be insanely hard to write.

Sorry.

Last edited by BSDfan666; 28th September 2008 at 04:33 PM.
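
The two items in the checklist above that can be verified from a shell (a bsd.rd left on the root partition, and ttyC* entries in /etc/ttys still marked 'secure'), as an added example that is not part of any post in this thread. The function names, the root-directory parameter and the sample tree are constructed for illustration.

```sh
# Added example, not from the thread. The root-directory argument is an
# assumption so the audit can run on a mounted disk or a test tree.

# Print each ttyC* entry in a ttys(5) file that still carries 'secure'.
secure_ttys() {
    [ -r "$1" ] || return 0
    awk '$1 ~ /^ttyC/ {
        line = $0
        gsub(/"[^"]*"/, "", line)    # drop the quoted getty command
        sub(/#.*/, "", line)         # drop a trailing comment
        n = split(line, f)
        for (i = 2; i <= n; i++)
            if (f[i] == "secure") { print $1; break }
    }' "$1"
}

# Print bsd.rd kernels at the top of the root partition. Matching renamed
# copies (bsd.rd.old and similar) is an assumption of this example.
ramdisk_kernels() {
    for k in "$1"/bsd.rd*; do
        if [ -e "$k" ]; then echo "$k"; fi
    done
}

# Report findings; return 0 only when neither check flags anything.
audit_root() {
    root=${1:-/}
    out=$(
        secure_ttys "$root/etc/ttys" | sed 's/^/ttys: secure still set on /'
        ramdisk_kernels "$root" | sed 's/^/boot: ramdisk kernel present: /'
    )
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Constructed sample tree: ttyC0 still secure, ttyC1 already changed.
make_sample_root() {
    d=$(mktemp -d) && mkdir "$d/etc" && : > "$d/bsd.rd" || return 1
    printf '%s\n' \
        'console "/usr/libexec/getty std.9600" vt220 off secure' \
        'ttyC0   "/usr/libexec/getty std.9600" vt220 on  secure' \
        'ttyC1   "/usr/libexec/getty std.9600" vt220 on  # secure removed' \
        > "$d/etc/ttys"
    echo "$d"
}

sample=$(make_sample_root)
audit_root "$sample" || echo "audit: items above still need attention"
rm -rf "$sample"
```

Only ttyC* lines are examined, matching the checklist; the console entry in the sample is ignored on purpose.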

All times are GMT.