FreeBSD , OpenBSD what's so good about them?

Discussion in 'all things UNIX' started by ComputerSaysNo, Feb 21, 2013.

Thread Status:
Not open for further replies.
  1. ComputerSaysNo

    ComputerSaysNo Registered Member

    Joined:
    Aug 9, 2012
    Posts:
    1,414
    I always see comments like OpenBSD or FreeBSD has the best security out there. I also hear that it's the best distro for servers because of security features it has as I've mentioned.

    What makes OpenBSD or FreeBSD so great? Can someone explain to me why they are so good security wise?
     
  2. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    http://www.openbsd.org/security.html

    OpenBSD is ok. They're all OK. When you install them they're pretty minimal, at least OpenBSD is. Limited attack surface, and significant code auditing. Of course, once you move out of their default setup, and add attack surface/ some outward service, that's no longer the case. The MAC is limited as well.

    I'd call hardened gentoo more secure, when set up properly, given the same tasks.
     
  3. ComputerSaysNo

    ComputerSaysNo Registered Member

    Joined:
    Aug 9, 2012
    Posts:
    1,414
    MAC?

    Why is Gentoo more secure?
     
  4. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Mandatory Access Control.

    Hardened Gentoo makes use of techniques from the PaX/Grsecurity patchsets, which essentially make up the most comprehensive security techniques.
     
  5. ComputerSaysNo

    ComputerSaysNo Registered Member

    Joined:
    Aug 9, 2012
    Posts:
    1,414
    OK, thanks. I don't really get what MAC does, I'll give it some research.

    How is PaX/Grsecurity (I hear that Skype servers are now run with this configuration) compared to SElinux & AppArmor? Which is more secure?
     
  6. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    MAC restricts an application in terms of its file access control and capabilities. SELinux and Apparmor are MAC devices.

    Pax/Grsecurity patches are a comprehensive set of changes to the Linux kernel. There are restrictions on programs and users, there are mitigation techniques (PaX invented ASLR, one of the most important mitigation techniques) far ahead of what anyone else has implemented.

    The featureset in PaX/Grsecurity is just beyond anything out there.
     
  7. ComputerSaysNo

    ComputerSaysNo Registered Member

    Joined:
    Aug 9, 2012
    Posts:
    1,414
    OK thanks for the info, a question: Why isn't Gentoo used more on servers if it is far more secure? All I see is CentOS, Debian & Ubuntu which have all had security weaknesses and need to be patched regularly.

    Is it just the case that Gentoo is too complex out of the box?
     
  8. NGRhodes

    NGRhodes Registered Member

    Joined:
    Jun 23, 2003
    Posts:
    2,331
    Location:
    West Yorkshire, UK
    Gentoo requires too much maintenance to be suitable for server work IMHO.
    You will find Gentoo, hardened or not will still need a similar amount of patching/updates more down to the individual software installed.

    Cheers, Nick
     
  9. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Gentoo is quite a pain in the ass to set up and maintain. It just so happens that you can make it secure.

    Because you compile Gentoo, you can force security flags from the compiler and harden your userland as well as your kernel. That's a big advantage for security, but a huge hindrance in every other way.
     
  10. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    1,438
    Apple's Mac OSX is based on open source BSD with a proprietary GUI shell called Acqua.
     
  11. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    1,438
    The underlying Google Chrome OS Linux base is based on Gentoo because of its security advantage. But it has its own GUI.
     
  12. OSX's BSD parts were forked a while ago though, and lack a lot of the features of more current FreeBSD versions. No jails, no MAC modules, etc.
     
  13. NGRhodes

    NGRhodes Registered Member

    Joined:
    Jun 23, 2003
    Posts:
    2,331
    Location:
    West Yorkshire, UK
    Gentoo. Not at all.
    They do use the portage build system but thats like calling Redhat based on Ubuntu because it currently uses upstart !

    https://groups.google.com/forum/?fromgroups=#!topic/chromebook-central/0FHDaqHf3Hc



    http://blogs.computerworld.com/15124/liveblog_google_chrome_operating_system_arrives
    http://blog.canonical.com/2009/11/19/google-chrome-os-and-canonical/
    An entire blog post about Ubuntu
    Cheers, Nick
     
  14. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Probably one of the reasons why Chrbuntu works so well.
     
  15. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,317
    Location:
    AmstelodamUM
    As pointed out by Spengler/grsecurity in 'SSHD rootkit rolling around'

    ' Of interesting note is that the backdoor would crash as-is with the PAX_MPROTECT feature in grsecurity enabled. If the system wasn't enforcing PaX flags with RBAC, they could just disable the feature on sshd, however. For code hooking in several locations, the region involved has its protections changed to read/write/execute -- something disallowed on a grsecurity kernel and optionally logged. The write following the RWX mprotect would fail, causing a crash of sshd.' link

    edit; Is it mainly memory protection that separates grsecurity from SElinux/AppArmor or filesystem isolation? And is it really easier than SELinux on rpm OS?
     
    Last edited: Feb 22, 2013
  16. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Grsecurity has RBAC, and you can use Gradm to set it up. You can use it and any LSM at the same time.
     
  17. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,317
    Location:
    AmstelodamUM
    Reading up on a wikibook on the Gradm 'Learning mode' tool, the setup/usage seems to be relatively easy.
    Not overlooking the need to patch and recompile the kernel and all that, is the Gradm 'Learning Mode' tool really as easy as the wiki page suggests?

    ' Run and use the application(s) that you normally do, several times. This is important, since the learning mode uses a threshold–based system to determine when access should be given to a file or whether it should be given to a directory.
    If four or more similar accesses are made in a single directory (such as writing to several files in /tmp), access is granted to that directory instead of the individual files.
    This reduces the amount of rules you have and ensures that the application will work correctly after the final ACLs are compiled.
    ' link
     
  18. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Somewhat. Learning mode will take care of policies, but it's not like Apparmor where the policy is defined for one application. It's designed for the entire system. I believe you can do it on a per-application basis? Not sure. It's easier for servers.
     
  19. ComputerSaysNo

    ComputerSaysNo Registered Member

    Joined:
    Aug 9, 2012
    Posts:
    1,414
    So if one was to use Gentoo as a server, how would you configure the security around it? Anyone have a guide?

    Also would Pax/Grsecurit stop a lot of bruteforce/server hacking attemps if it was used with Fail2Ban?
     
  20. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    I tried playing with Gentoo. Huge pain to set up. And it'll take a long long time to maintain - that's why people don't use it.

    PaX/Grsecurity have policies to deter and prevent exploit bruteforcing. Fail2ban would work the same regardless of pax/grsecurity, it'll block annoying IPs.
     
  21. Gentoo64

    Gentoo64 Registered Member

    Joined:
    Jun 10, 2012
    Posts:
    12
    Location:
    UK
    Hardened Gentoo is pretty much no different than vanilla Gentoo to setup / maintain. I even run a desktop with maximum security everywhere, haven't even had to disable mprotect on anything.
    The GRSec / PAX options are pretty much set and forget, they prevent exploits / elevation but the RBAC takes some configuring. I like RBAC a lot, coming from trying to setup SELinux it's like a babies toy, nice syntax and a learning mode it's very easy and nice to use, but it's not really needed to have a seriously hard system. I find it a pain to maintain with RBAC keep having to tweak things, if it's a system that's not going to be touched much then it's perfect.
    I don't see what the problem at all is for a server, just the usual update procedure eix-sync ; emerge -uDNav @world ; emerge -c ; etc-update etc etc just stick it all in a basic script and run it, same for the kernel procedure.
    It does everything for you basically, nicest distro I've ever had to maintain been using it for years never had any nasty surprises with it. It's well maintained / updated, has a massive package repo, secure, fast, can customize it how you like.
    A binary distro is only slightly simpler (no USE flags, or compiling), although I don't find it takes long at all to do anything, depends how much time you have.
     
  22. Time is the killer issue there, I think. Even with a modern dual-core processor, big applications take a long time to compile. I'd rather not wait an hour or three for big packages to update and/or install, have stuff compiling continuously in the background (even at high niceness), etc. This is what got to me last time I tried out FreeBSD.

    (And FreeBSD at least gives you a base system off the bat...)

    The more I think about it, BTW, the more I'm amazed that the height of Gentoo's popularity was back around 2005-2006, when most desktops were powered by single-core Pentium 4s. Those things do a good enough job running Linux, but compiling on them is slow.
     
  23. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    The issue is that it's rolling release, as opposed to a distro that'll backport security fixes to known-stable/ working releases. So you get an immensely secure system, one that would be incredibly difficult to attack, but for a server environment you absolutely don't want bleeding edge software. And having to recompile every time there's an update can be a huge pain, and it can even mean downtime.

    So for a server it's a no-no.
     
  24. chrome_sturmen

    chrome_sturmen Registered Member

    Joined:
    Apr 29, 2006
    Posts:
    785
    Location:
    Sverige
    tried bsd back in early 2008, never could get my wireless card to work, even with the guys on the bsd forum trying to help me :(
     
  25. NGRhodes

    NGRhodes Registered Member

    Joined:
    Jun 23, 2003
    Posts:
    2,331
    Location:
    West Yorkshire, UK
    Because Gentoo is rolling, you can't simply apply updates, they may break compatibility with the existing software, bespoke software. Redhat/centos, Debian/Ubuntu LTS only apply fixes between versions so you can be assured compatibility won't be broken.
    Gentoo can break configuration settings between updates as well package compatibility that Redhat/centos, Debian/Ubuntu won't do.

    Gentoo requires more configuration out of the box to get into a working state. Redhat/centos Debian/Ubuntu LTS have tried and tested sensible default working configurations. They are more tested (security/performance) and easier to debug.

    You can't keep generic images/builds because even a minor difference in hardware can break binary compatibility. If you want to streamline your OS build process you will do a more generic build target in which case you loosing any minor advantage to compiling your own packages you would have.

    As you have to compile a package by hand it needs to be tested to ensure stability/compatibility/security/performance, but has to be done for every hardware variant every time you build, combined with the rolling release model that’s a lot of acceptance, security, soak and performance testing that could need to be done when you offer your customers high levels of quality assurance.

    You need additional resources to do all the compiling and testing. No sane person should compile on a live server, what it it goes wrong and your temp folder fills up ?
    You need additional set of hardware to manage all the builds, which in turn have their administration overhead and then you have an additional deployment step, which needs setting up your own package management system to store and deploy those packages.

    Finally there is the lack of predictable release schedule. What if there is a big release of changes that need lots of admin resources, but you only have a skeleton crew on as you sent the rest of your guys on vacation ?
    With non-rolling distros you can plan ahead and work around. With Gentoo you need additional resources to cover this unpredictability.

    Cheers, Nick.
     
Loading...
Thread Status:
Not open for further replies.