OpenBSD is fantastic
Published on 2018-03-13. Modified on 2023-10-26.
I have been running OpenBSD, a FREE, multi-platform 4.4BSD-based UNIX-like operating system, both professionally and privately since about 2004, and today I'm going to share some of my thoughts about the system.
As I was gathering my thoughts for this article I realized that it is actually quite difficult to give due credit to the developers of OpenBSD. This is because OpenBSD is quite unique and it's rather amazing. Much of its splendor hides in the details of the design and specific coding style of the developers, and as such it isn't visible on the surface. One needs to understand some of what goes on under the hood to really appreciate OpenBSD.
OpenBSD is easy and quick to install and you will be surprised at how simple and extremely well designed the system is. A lot of work goes into making everything right from the beginning, and the project is following the Unix philosophy to the letter.
OpenBSD comes with many applications in the base system ready to run, however nothing except for security features is enabled by default, you have to enable the services you need. Every configuration file follows the same style of syntax, a very human-readable syntax, and it's thus very easy to understand and setup. Every single option is well documented in the man pages and the OpenBSD project considers lacking documentation "a bug". This is something that every professional programmer should adopt.
Lacking documentation, or incorrect documentation, is just as dangerous to a running system as any other bug. The reason for that is that security issues sometimes arise from misconfiguration. If you don't know how to configure your system, how can you be sure that it isn't running in a manner that makes it easy for an attacker to compromise your system? A lot of the SPAM on the Internet origins from misconfigured mail servers that has been compromised by attackers.
Every single line of code in the operating system kernel and base system of OpenBSD gets security audited and scrutinized by the programmers, and everything is coded following a strict set of guidelines and principles that try to eliminate all the typical coding mistakes, as many security bugs are actually coding mistakes made by programmers.
But that's not all. Another thing that makes OpenBSD amazing is all the security mitigation work that actively goes into the development of the operating system and the OpenBSD developers are doing some fantastic frontier engineering in this area.
Security mitigations are techniques that help prevent attackers from running malicious code on the operating system or take advantage of security bugs or weaknesses in software.
If you're using a piece of software, say like a browser, and the browser has a security bug that is exploitable, then it is possible for an attacker to possibly gain access to your computer. How much damage the attacker can do on your computer depends on the underlying security of the operating system.
OpenBSD has a number of mitigation techniques build into the kernel and base system that makes life really difficult for an attacker. This means that it becomes much more difficult for an attacker to gain unauthorized access to your system in the first place, using the normal exploitation techniques which work on many other operating system like Microsoft Windows, Linux, Mac OS, and others. It also means that if an attacker should gain access to your system despite these mitigations, the amount of damage the attacker can do is limited and constricted.
Here is a list of some of the OpenBSD security innovations build into the operating system and enabled by default.
- Enforced W^X in the kernel on i386/amd64/sparc64.
- Enforced W^X userland as of version 6.0.
- SROP (sigreturn(2) oriented programming) mitigation by default.
- Static-PIE for self-relocating static binaries.
- Stack protector.
- Privilege dropping and separation for most of the base system as a matter of policy, new stuff doesn't get enabled without it.
- bcrypt password hashes only, with an automatically selected rounds value based on system performance.
- PIE by default for base, packages, and ports.
- C shared library re-ordering at boot time, i.e: libc.so is re-linked at boot time so objects are randomly ordered.
- System-wide sandboxing (pledge(2)) of a large percentage of the userland, incl. privileged part of the X server, most networking facing daemons included.
- arc4random(3), which backs rand(3), random(3), and drand48(3), with an audited base/ports tree. Software must opt-in to deterministic broken POSIX behavior.
The list goes on at OpenBSD Innovations
Many of these innovations have been adopted and implemented by other operating systems thanks to the work done by the OpenBSD developers.
OpenBSD is a robust and reliable operating system that you can run with minimal interaction once it is setup. It is actually the only operating system that truly enables you to sleep at night in case you're running any system critical software.
OpenBSD maintains a portable version of many parts of the base system, including:
- LibreSSL, a free implementation of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, forked from the OpenSSL 1.0.1g branch
- OpenBGPD, a free implementation of the Border Gateway Protocol 4 (BGP-4)
- OpenOSPFD, a free implementation of the Open Shortest Path First (OSPF) routing protocol
- OpenNTPD, a simple alternative to ntp.org's Network Time Protocol (NTP) daemon
- OpenSMTPD, a free Simple Mail Transfer Protocol (SMTP) daemon with IPv4/IPv6, PAM, Maildir and virtual domains support
- httpd, an HTTP server first included in the 5.6 release
- OpenSSH, a free implementation of the Secure Shell (SSH) protocol
- OpenIKED, a free implementation of the Internet Key Exchange (IKEv2) protocol
- Common Address Redundancy Protocol (CARP), a free alternative to Cisco's patented HSRP/VRRP server redundancy protocols
- PF, an IPv4/IPv6 stateful firewall with NAT, PAT, QoS and traffic normalization support
- Unbound, a DNS validating resolver
- dhcpd, a Dynamic Host Configuration Protocol (DHCP) server
- pfsync, a firewall states synchronization protocol for PF firewall with High Availability support using CARP
- spamd, a spam filter with greylisting support designed to inter-operate with the PF firewall
- sndio, a compact audio and MIDI framework
- Xenocara, a customized X.Org build infrastructure
- cwm, a stacking window manager
- tmux virtual console multiplexer
- The X.Org Server
- Clang
- GNU Compiler Collection
- Perl
- NSD
- Ncurses
- GNU Binutils
- GNU Debugger
- Awk
All of this is in the base system of the operating system and it is a part of a standard OpenBSD installation. All the base parts of the system comes with OpenBSD-specific patches, changes and improvements for increased security.
Besides from the above OpenBSD provides, as of writing, more than 10.000 installable third party applications via the OpenBSD package manager.
Since packages from the ports collection is software from third party providers it does not go through the security audit that is performed on OpenBSD itself. Hence, the OpenBSD project does not have enough resources to ensure the same level of robustness and security with ports as they do with the base system.
OpenBSD has three branch flavors of which I run stable and current. I use the stable branch for routers and firewalls, whereas I use the current branch for desktops and servers (mainly for web development). Even though the current branch is where the active development occurs, the developers are very careful not to introduce new features that may cause the system any problems. I have run the current branch for years and have never experienced a single problem. However, as it is stated on the website, aggressive changes are sometimes pushed to the current branch, and complications can arise. The current branch is kinda equivalent to a rolling release model.
If you want a UNIX-like operating system that is both secure and easy to use, take a look at the OpenBSD project website for further information.