Re: [SLUG] Re: Then why do we love Linux?

From: Timothy (irisinc@tbi.net)
Date: Tue May 07 2002 - 09:03:14 EDT


I'm not going to get into a religious war; I don't think that's the
purpose of this list. I'll point out one aspect of OpenBSD's kernel
that I have yet to find on Linux. Remember, we're talking about
security, REAL SECURITY.

Below is an excerpt from the securelevel(7) man page from OpenBSD. As
you will see, if you set level 2 the more damaging changes cannot be
made to the system even if you have root privileges. This is but one
of the many security advantages OpenBSD has over other operating
systems and why a prudent person would use this OS in a security
critical environment.

SECURELEVEL(7)          OpenBSD Reference Manual          SECURELEVEL(7)

NAME
     securelevel - securelevel and its effects

SYNOPSIS
     The OpenBSD kernel provides four levels of system security:

     -1 Permanently insecure mode
           - init(8) will not attempt to raise the securelevel
           - may only be set with sysctl(8) while the system is insecure
           - otherwise identical to securelevel 0

      0 Insecure mode
           - used during bootstrapping and while the system is single-user
           - all devices may be read or written subject to their permissions
           - system file flags may be cleared

      1 Secure mode
           - default mode when system is multi-user
           - securelevel may no longer be lowered except by init
           - /dev/mem and /dev/kmem may not be written to
           - raw disk devices of mounted file systems are read-only
           - system immutable and append-only file flags may not be removed
           - kernel modules may not be loaded or unloaded

      2 Highly secure mode
           - all effects of securelevel 1
           - raw disk devices are always read-only whether mounted or not
           - settimeofday(2) may not set the time backwards
           - pfctl(8) may no longer alter filter or nat rules
           - the ddb.console and ddb.panic sysctl(8) variables may not be
             raised

DESCRIPTION
     Securelevel provides convenient means of ``locking down'' a system to a
     degree suited to its environment. It is normally set at boot via the
     rc.securelevel(8) script, or the superuser may raise securelevel at any
     time by modifying the kern.securelevel sysctl(8) variable. However, only
     init(8) may lower it once the system has entered secure mode. A kernel
     built with option INSECURE in the config file will default to permanently
     insecure mode.

     Highly secure mode may seem Draconian, but is intended as a last line of
     defence should the superuser account be compromised. Its effects
     preclude circumvention of file flags by direct modification of a raw disk
     device, or erasure of a file system by means of newfs(8). Further, it can
     limit the potential damage of a compromised ``firewall'' by prohibiting
     the modification of packet filter rules. Preventing the system clock
     from being set backwards aids in post-mortem analysis and helps ensure
     the integrity of logs. Precision timekeeping is not affected because the
     clock may still be slowed.

Timothy

*********** REPLY SEPARATOR ***********

On 5/6/2002 at 10:54 PM Bill wrote:

>On Monday 06 May 2002 07:47, you wrote:
>> Hey Bill, about which BSD are you talking? Linux is good for desktop
>> and playing around with KDE but when it comes to serious work get out
>> the BSD. (FreeBSD for network servers and OpenBSD for security, i.e.
>> Firewalls).
>>
>> Unix version loyalty is fine but don't disillusion yourself about
>> capability.
>>
>> Timothy
>
>I am running http, smtp, ftp and ntp in addition to the normal mix of
>desktop apps. I am at the 7,500 hits a day mark with the web server,
>most of which are 320 x 200 graphics. This is well within my capacity.
>I strongly suspect I will be into a much larger pipe before I seriously
>challenge even the single CPU I am using.
>
>Open BSD may be more secure out of the box, but what sysad runs an
>"out of the box" system? I know I don't ... and I am strictly
>small-time. Running an "out of the box" system is the sort of behavior
>I expect of a Microsoftie ... not a Unix admin.
>
>Since that is an illusory advantage, perhaps you would care to
>elaborate on the real advantages of Free / Open BSD over a current
>Linux kernel.
>
>No illusions here.
>
>Bill
>--
> 9:43pm up 76 days, 17:59, 3 users, load average: 2.07, 2.11, 2.09
>"The more I know about Microsoft, the better I like Linux."
>
> http://organic-earth.com
> Organic urban gardening. With photos.
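
Added example, not part of the original post and not OpenBSD kernel source: a small C model of the securelevel(7) rules quoted in the man page excerpt above, showing that once the level is above 0 a root process can raise it but only init can lower it. The function names, the enum and PID 4242 are hypothetical, and the caller is assumed to already be the superuser.

```c
/* Model of the securelevel(7) rules quoted above; NOT OpenBSD kernel code. */
#include <stdbool.h>
#include <stdio.h>

#define PID_INIT 1   /* init(8): the only process allowed to lower the level */

/* Privileged operations named in the man page excerpt (names are ours). */
enum op { OP_WRITE_DEV_MEM, OP_WRITE_MOUNTED_RAW_DISK, OP_CLEAR_FILE_FLAGS,
          OP_LOAD_KMOD, OP_WRITE_UNMOUNTED_RAW_DISK, OP_SET_TIME_BACK,
          OP_ALTER_PF_RULES, OP_COUNT };

/* Lowest securelevel at which each operation is refused, even for root. */
static const int denied_from[OP_COUNT] = {
    [OP_WRITE_DEV_MEM] = 1,            [OP_WRITE_MOUNTED_RAW_DISK] = 1,
    [OP_CLEAR_FILE_FLAGS] = 1,         [OP_LOAD_KMOD] = 1,
    [OP_WRITE_UNMOUNTED_RAW_DISK] = 2, [OP_SET_TIME_BACK] = 2,
    [OP_ALTER_PF_RULES] = 2,
};

/* True if the superuser may perform `op` at securelevel `level`. */
bool op_allowed(int level, enum op op) { return level < denied_from[op]; }

/* Apply a superuser request to set kern.securelevel; returns the level in
 * effect afterwards. Raising is always allowed. Lowering is allowed only
 * for init, or while the system is still insecure (level <= 0). */
int set_securelevel(int current, int requested, int pid)
{
    if (requested < -1 || requested > 2)
        return current;                 /* not one of the four levels */
    if (requested < current && current > 0 && pid != PID_INIT)
        return current;                 /* refused: secure mode is a ratchet */
    return requested;
}

int main(void)
{
    int level = 0;                              /* bootstrapping */
    level = set_securelevel(level, 2, 4242);    /* root (pid 4242) raises */
    printf("raised to %d\n", level);
    level = set_securelevel(level, 0, 4242);    /* same root tries to lower */
    printf("after lowering attempt: %d\n", level);
    printf("pf rule change allowed: %d\n",
           op_allowed(level, OP_ALTER_PF_RULES));
    printf("init lowers to: %d\n", set_securelevel(level, 0, PID_INIT));
    return 0;
}
```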


