User: Password:
|
|
Subscribe / Log in / New account

Distributions

News and Editorials

OpenBSD 3.5: a peek at another free Unix

May 5, 2004

This article was contributed by Ladislav Bodnar

After reading LWN's recent coverage of SELinux and its implementation in the development releases of Fedora Core 2, several readers expressed disappointment about the complexity associated with this new security model: "SELinux may give administrators extra flexibility, and add some extra 'layers' of protection for critical files, but security pros usually consider complexity to be the enemy of good security - and this system is nothing if not complex," wrote one reader. Still, with several attacks on high-profile Linux servers during 2003, many system administrators are evaluating various security solutions for their mission-critical servers and firewalls. Those of them who are prepared to look beyond Linux might find that OpenBSD is exactly what they need.

Initiated by Theo de Raadt back in 1996, OpenBSD's primary goal is to build a free and highly secure operating system. The developers pride themselves for a remarkable achievement of eight years with only a single remote hole in the default install. Although OpenBSD doesn't support nearly as many processor architectures as NetBSD, its original parent, the latest release of OpenBSD is available for 13 platforms, including Alpha, AMD64, PowerPC, SPARC, as well as i386. But despite fundamental technical differences between Linux and BSD, a system administrator familiar with Linux will find it relatively easy to administer an OpenBSD box, especially after reading the project's online manual (which includes a section about migrating from Linux to OpenBSD), or the superb Absolute OpenBSD by Michael W. Lucas.

How is security in OpenBSD better than in other UNIXes? Let's take a look at some of the more interesting features found this BSD flavor: file flags, securelevels and systrace.

  • File flags. File flags are an OpenBSD concept enhancing the traditional UNIX file system permissions. Once applied to a file, the flag will either prevent a user, including root, from removing or modifying the file in any way (the schg flag), or will only allow appending new lines to the file (the sappnd flag). A good example of the effectiveness of this concept is making the the entire /bin directory recursively immutable with the schg flag; once applied, it will be very hard for an attacker to place a trojan into the directory. On the other hand, the append-only sappnd flag is often used on log files to prevent potential intruders from covering their tracks. Besides system-level flags available to root only, similarly structured user-level flags allow users to set append-only or immutable flags on files they own.

  • Securelevels. The concept of file flags works in conjunction with OpenBSD's securelevels, of which there are four: -1, 0, 1 and 2. As soon as a file flag is set, it cannot be removed unless the system is in securelevel 0 or -1. To extend the example from the previous paragraph about making the /bin directory immutable, what happens if an executable file in the same directory needs to get a security patch, but the system is in securelevel 1 or 2? In this case, the system administrator will have to lower the securelevel in the BSD kernel by rebooting the system (while the system is running, the securelevel can be raised, but not lowered). As this example illustrates, the introduction of securelevels can prevent some common security exploits, but as a trade-off, it makes the system less flexible, especially when it comes to patching or upgrading applications.

  • Systrace. OpenBSD's systrace, a policy-based system call access manager, is conceptually similar to SELinux. Like SELinux policies, the systrace policies define which users and programs can access which files and devices in a manner completely independent of UNIX permissions. Proper use of systrace can greatly reduce risks associated with poorly written or exploitable applications. While defining systrace policies is not a simple task, it has been made more palatable by the fact that systrace has been around for a long time and there are many online repositories with systrace sample policies (see the interestingly named Project Hairy Eyeball as an example). Also, systrace includes a policy-generation tool listing every system call available to the application for which the policy is being generated. Although an experienced system administrator could probably still tighten the security of the system by refining the default policy generated by the tool, the defaults are often secure enough for most uses.
OpenBSD 3.5 was released last weekend, following a predictable twice-a-year release pattern. As always, the complete ISO image sets of OpenBSD releases are only available from the project's online store ($40), but the operating system can be installed directly from FTP servers, after booting from a downloadable boot CD or floppy disk. Unlike the FreeBSD installer, OpenBSD does not provide any recommended partitioning scheme, so it is up to the users to set up disk partitions according to their needs. Needless to say, the installer is all text mode, but OpenBSD can serve as a full graphical desktop system as well; besides the rich ports collection available for our compiling pleasure, it also comes with over 2,300 binary applications, including XFree86 4.4, GNOME 2.4 and KDE 3.2, just to name a few desktop components, among the usual range of server software for every purpose.

In many ways, OpenBSD is one of the most remarkable projects in the history of UNIX. With support for 13 architectures and its emphasis on security and integrated cryptography, any system administrator that overlooks OpenBSD where server security is of paramount importance is not doing a proper job. Even if most of us prefer to run Linux on our servers and desktop, there is no doubt that OpenBSD has a rightful place in the OS ecosystem, and a rightful place in every UNIX sysadmin's toolbox.

Comments (17 posted)

Distribution News

OpenBSD 3.5 released

OpenBSD 3.5 is available; click below for the release announcement. This version includes, of course, more security work, along with x86_64 support, ARM support, a number of new device drivers, a reworked packet filter, and much more; see the announcement for details.

Full Story (comments: 7)

Mandrake Linux

MandrakeSoft has announced the release of Mandrakelinux 10.0 for the x86_64 architecture. "Mandrakelinux 10.0 for AMD64 delivers all the features and robustness of Mandrakelinux 10.0 Official to the 64-bit platform from AMD, with an average performance gain of 20% compared to the IA32 version."

Mandrakelinux 10.0 update advisories:

  • rpmdrake: When MandrakeUpdate was unable to retrieve the hdlist or the synthesis file from an update medium, it used to continue without alerting the user. Now MandrakeUpdate will alert the user and indicate to them to retry the operation later or to delete and re-add the medium in case the directory layout has changed.
  • shorewall: This new version of shorewall provides updated RFC1918 and bogons files that are needed for proper operation of the firewall.

Comments (2 posted)

Debian GNU/Linux

The Debian Weekly News for May 4, 2004 is out. This week's topics include the discussions about releasing sarge in light of recent editorial changes to the social contract and the proposed amendments that have followed; a short howto on installing Debian stable using Knoppix; and several others.

The Debian-Installer team has announced the fourth beta release of the Debian sarge installer. Improvements in this release include support for arm, hppa, and mipsel architectures bringing the total up to nine supported architectures; experimental support for the 2.6 kernel on i386; detection of existing operating systems; new translations; plus many bug fixes and user interface improvements.

This Bits from the DPL (Debian and OASIS) features a report from Mark Johnson, Debian's representative at OASIS (Organization for the Advancement of Structured Information Standards). "Through our membership we have direct influence into the process of standards development. This benefit has proved particularly beneficial in the development of the XML Catalogs specification. During a key period of work on this specification, two of the seven committee members were from the Debian project. As a result, the final specification will be more easily implementable on Debian than it otherwise might've been."

A DebConf4 schedule has been posted. A small budget was found to provide needy Debian developers with some help for their DebConf travel expenses.

Here's a brief guide on Migrating to Linux Kernel 2.6 in Debian. (Found on Debian Planet)

Comments (none posted)

Security Takes Lead in Red Hat Enterprise Linux

Red Hat, Inc. has announced a two-year roadmap for security in Red Hat Enterprise Linux. This press release highlights the work done by Red Hat to achieve government security standards, security certifications and with the NSA-developed SELinux.

Comments (none posted)

Revealed: how Fedora and the community interact

Since the announcement of the Fedora project, many developers in the community have wondered just how they can participate in this project and influence its direction. For the most part they are still wondering. For your amusement, we recommend reading the following transcript, unearthed by Konstantin Ryabitsev and posted to fedora-devel, which describes those interactions in detail.

Full Story (comments: 50)

Gentoo Weekly Newsletter - Volume 3, Issue 18

The Gentoo Weekly Newsletter for the week of May 3, 2004 is out. This week's topics include an article by Grant Goodyear on Daniel Robbins' contribution to Gentoo, an article by Bryan Ostergaard on the tenth BugDay, and more.

Full Story (comments: none)

Slackware Linux

Slackware current has upgraded Xrender to 0.8.4 and Xcursor to 1.1.2 in XFree86 4.4.0, and qt-3.3.2 and x11-devel-6.7.0 are now in testing. There were also several security issues fixed in both -stable and -current.

Comments (none posted)

New Distributions

APAWS Linux with Gallery

APAWS Linux with Gallery is a customized mini Linux distribution that runs mostly in RAM and includes everything you need to run a personal photo repository using Gallery. It is about 40MB in size and is configured with defaults to let you upload photos straight after booting it. A demo version of APAWS 1.0.0, that runs on Windows 2000 or XP, became available May 4, 2004.

Comments (none posted)

ariane

ariane is a console-only Linux system. It boots from CD-ROM into RAM and does not require a hard disk. It can also be booted from PXE or USB. It can be used for everything a minimal Linux system could be used for. ariane joins the list at version 434/51, released May 1, 2004.

Comments (none posted)

Ewrt

Ewrt is a Linux distribution for the Linksys WRT54G that was forked from the Linksys and Sveasoft code bases. It is designed to meet the needs of open wireless network operators by providing a captive portal based on NoCatSplash and large-scale management functionality on a stable and low-cost platform. The first public release, version 0.2 beta1, became available April 27, 2004.

Comments (none posted)

tinysofa

tinysofa is an enterprise grade operating system based on the Linux kernel. Optimized for i586 and up, tinysofa aims to be stable, secure, well-supported, easily managed and free. Trustix Secure Linux was used as a base for tinysofa. Version 1.0 was released April 29, 2004. (Thanks to Joe Klemmer)

Comments (none posted)

Tkfp Live ISO! Uploaded to Sourceforge (LinuxMedNews)

LinuxMedNews reports the release of a Tkfp Live! .iso image file. This bootable CD contains a configured and working copy of Tkfp running on Slackware 9.0 using WindowMaker as the window manager. Tkfp is an electronic medical record information system suitable for a solo or small group Physician's office for storing clinical information on patients.

Comments (none posted)

Minor distribution updates

Astaro Security Linux

Astaro Security Linux has released v5.004 with major bugfixes. "Changes: This Up2Date added functionality to configure the WebAdmin packetfilter logging. It also fixed a DHCP client issue, a DSL reconnect problem, and a POP3 mail retrieving/deleting issue with Outlook Express 6, and corrected problems where the WebAdmin clock always showed GMT, the HTTP proxy restarted too often, and that WebAdmin needed a lot of RAM for large packetfilter rulesets."

Comments (none posted)

Aurox Linux

Aurox Linux has released v9.3.1 with minor bugfixes. "Changes: This version is an update release. Some bugs that were found in 9.3 were fixed. The distribution is contained in only two CDs, and it lacks localizations in languages other than English and Polish. The packages of this release are also available via FTP (yum and apt-get)."

Comments (none posted)

BasicLinux

BasicLinux has released v3.20 with major feature enhancements. "Changes: Several enhancements for old laptops, including PCMCIA capability and MagicPoint (similar to PowerPoint)."

Comments (none posted)

Buffalo Linux

Buffalo Linux has released v1.2.1 with minor feature enhancements. "Changes: Ximian Evolution (in the GNOME bundle), GIMP 2.0.1, MySQL 4.0.18, and a Buffalo version of 'swaret-1.6.2' are included. This release includes 55 minor package upgrades to synchronize with Slackware-Current (as of 24 Apr 2004). A 56MB upgrade (upgrade-1.2.1-buff-1.bz2) from 1.2.0 to 1.2.1 is available."

Comments (none posted)

Feather Linux

Feather Linux has released v0.4.1 with major feature enhancements. "Changes: The list of documentation was updated, and the scripts were organized. bcrypt and xmms-cdread were added. Scripts were added to download Audacity and to remove the dpkg structure. A serial mouse option was added to X setup. Monkey was updated to 0.8.2, and the daemon script was changed accordingly. Memory checks were added to some scripts. An error with /opt on bootup was fixed. The dillo homepage was changed. The "xdef" boot option was added. XCDRoast was replaced with Gcombust. libpcap and tcpdump were added. wdict was updated."

Comments (none posted)

Fli4l

Fli4l (Floppy ISDN/DSL) has released v2.1.7 with minor feature enhancements. "Changes: Kernel 2.4.26 and uClibc 0.9.26 are now used. The RAM disks were replaced by tmpfs. The SSHD now supports TCP forwarding once again. Multiple W-LAN cards are supported, and WEP keys can be entered in a Windows-compatible form. raw-up/raw-down scripts similar to ip-up/ip-down were provided for raw ISDN circuits, and some minor fixes and changes were made."

Comments (none posted)

Franki/Earlgrey Linux

Franki/Earlgrey Linux has released v0.4.11pre1 with minor feature enhancements. "Changes: This disk release is built with latest Scripts (0.4.11) and previews changes in the forthcoming release's init scripts (in particular, a mount point for UMSDOS-formatted floppies in addition to VFAT)."

Comments (none posted)

Linux From Scratch

Linux From Scratch has released v5.1-pre2.

Comments (none posted)

Linux LiveCD

Linux LiveCD has released v1.9.3 with minor bugfixes. "Changes: This release has a new Webmin Web interface (version 1.140), new Web modules for network configuration and log rotation, and an ndiswrapper driver to use wifi Windows drivers in /opt/drivers. There are minor dbdif config bugfixes."

Comments (none posted)

Linux Netwosix Call for participation

Linux Netwosix is seeking additional developers to help maintain and improve its security oriented distribution.

Full Story (comments: none)

Sentry Firewall

Sentry Firewall has released v1.5.0-rc12 with major security fixes. "Changes: The Linux kernel was updated to version 2.4.26-ow1. The vsftp and SUSE Proxy-Suite (ftp-proxy) packages were added, and Snort was updated to version 2.1.2. There were also several changes to the rc.inet2 init script, and rc.inet2.conf was added."

Comments (none posted)

Trustix Secure Linux

Trustix Secure Linux has a bug fix advisory for apache, cyrus-imapd, fcron, libpcap, and squid. Updated packages are available for TSL 2.1 and TSEL 2.

Full Story (comments: none)

Distribution reviews

College Linux 2.5 Reviewed (Mad Penguin)

Here's a Mad Penguin review of College Linux 2.5. "With a simple setup of username/password at configuration time, Apache, MySQL, PHP, Webmin, SQLite, and phpmyadmin have been installed and configured. This is something that I always set up when I install a new distribution, and it always takes more time than I expect it to (and a lot more time than I'd like it to). College Linux did all the hard work for me, and it was clear sailing for development from that point. I can't stress enough how useful this is to me (and many others) - web development is a very common practice among people who use Linux, especially college students. This, coupled with the inclusion of Quanta Plus, makes a complete web development environment simple for anyone."

Comments (none posted)

Getting Linux into Windows (P2P.net)

P2P.net takes a look at Turbolinux 10 F, especially its ability to read Windows Media files its Apple iPod player support. "Among Linux distributors as Linspire (ex-Lindows) or Xandros Inc, Turbolinux emerges as the first to ship a media player that accepts proprietary formats."

Comments (none posted)

Page editor: Rebecca Sobol
Next page: Development>>


Copyright © 2004, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds