18

http://allthatiswrong.wordpress.com

I certainly don't mean to imply that OpenBSD is a horribly insecure operating system - it isn't. I do however need to highlight that OpenBSD is quite far removed from a secure operating system, and will attempt to justify this position below.

Full story »
freda's picture
Created by freda 4 years 28 weeks ago – Made popular 4 years 28 weeks ago
Category: High End   Tags:
irbis's picture

irbis

4 years 28 weeks 9 hours 54 min ago

1

Problems in the article

The article is an interesting read, but it over emphasizes some things while neglecting many others, and I'm not sure how valid many of the points actually are?

The main point of the article is that OpenBSD doesn't have a MAC (mandatory acces control) system. However, there are various ways of improving application level security, and MAC is only one of them.

MAC is an extra layer that you put on top of the operating system when you assume that the applications in themselves are not secure enough (which ideally should first be fixed in those apps themselves). It greatly increases complexity and possibility for bugs too. All the headaches of those administering, for example, SELinux systems like Fedora Linux have had because of the complexities of MAC, are a good example of that. Besides, MAC is no magical bullet that automatically secures everything once you've installed it. It has its boundaries and it usually needs a lot of management too. Besides, if your kernel is compromised, a MAC system is good for nothing as the attacker could then simply turn the MAC off from the kernel.

However, OpenBSD takes another kind of approach to increasing application level security: they try to enforce similar kind of security measures in the programs and software itself, by tweaking and patching programs, fixing potential security bugs etc. Many essential parts and packages in OpenBSD already achieve similar kind of security and access restrictions (to a MAC based system), and with much less complexity too. Although there could always be more that OpenBSD - or any other system - could do to improve security, the OpenBSD way of doing it seems basically the right way to do it, instead of extra layers and adding complexity you try to fix the actual problems. As far as that is not enough, maybe a MAC on top of the system could help too - if it won't make the system so complicated that only an IT professional with a doctoral university degree in IT can administer it properly.