Secure Architectures with OpenBSD: With OpenBSD - Softcover

Brandon Palmer is a member of Crimelabs Security Research Group, a think tank and consulting firm, and has performed security audits and penetration testing for networks and systems.

Jose Nazario is a senior software engineer at Arbor Networks, an Internet security company. As a member of the OpenBSD project, he has written ports, made bug notes, and contributed to the code. Jose also runs the community forum at www.deadly.org and serves as a consultant and researcher at Crimelabs Security Research Group.

Chapter 1: Introduction

The OpenBSD operating system (OS) is a secure, stable, and powerful operating system that is attracting many new and old UNIX users to it. The OS is well designed for both workstation and server use. OpenBSD supports many mainstream applications and also offers great hardware support. Because OpenBSD doesn't face many of the business pressures to increase sales and employ trendy gimmicks that Linux and other BSD systems have to deal with, it is able to be designed on technical merit. This means that while the system works very well, it isn't targeted at the user who wants to be able to "point and click" and not read the documentation. This book is written to help new users understand the features of the OpenBSD system and to give more seasoned users the education to fully exploit all that OpenBSD has to offer.

OpenBSD came into existence on October 18, 1995, at 08:37 when Theo de Raadt committed the first branch into the CVS server from the NetBSD tree. The first release, OpenBSD2.0, became available in autumn 1996. Release dates have been every six months since then, with the most recent version, 3.4, being released on November 1, 2003.

There are no firm numbers on a user base for OpenBSD. Even though CD sales could give an estimate, CDs are used to install only some systems. A huge number of installations are done over the Internet. The user base is, however, "pretty incredible," says Theo.

1.1 What Will This Book Cover?

This book will cover the hardware that most users will be faced with, and some notes about other hardware they may not encounter. The i386 architecture is used for most of the examples as that is where most users first encounter it. Note, however, that OpenBSD works almost the same on all architectures.

The book is broken down into the following sections:

• Introduction This chapter.
• Overview of OpenBSD A quick overview of what OpenBSD is and some of its main features.
• Installation A walkthrough of an installation detailing what various options mean, why one should make certain decisions, and what's really happening in the background. This up-to-date discussion applies specifically to the OpenBSD 3.4 installation, but also to most other versions.
• Basic Use Basic system usage and some of the major usage differences between OpenBSD and other UNIX systems.
• Basic Default Services Usage and management of services that run by default on a freshly installed system.
• Online Help Resources Descriptions of the "man," GNU Info, and "perldoc" facilities for online help.
• X Window System Information regarding the XWindow system on an OpenBSD host.
• User Administration Addition and deletion of users and management of the space that these users will work in.
• Networking Setting up basic networking, advanced networking topics, and bridging.
• inetd Function and configuration of services that are run from inetd.
• Other Installed Services Additional information about services that are installed on a default system, but not enabled on start-up.
• Precompiled Third-Party Software: Packages Use of the precompiled packages that are available for OpenBSD.
• The Ports Tree: Third-Party Software from Source Use of the ports tree and compiling applications from source.
• Disks and Filesystems The creation and care of filesystems and disk devices.
• Backup Utilities Tools and techniques for system backup.
• Housekeeping Regular system housekeeping chores.
• Mail Server Operations SMTP services in OpenBSD.
• The Domain Name Services The domain name system setup and use.
• Web Servers with Apache Web services with the Apache and mod ssl servers.
• OpenSSH The OpenBSD secure shell daemon and client.
• The OpenBSD Development Environment Languages and software development tools.
• Packet Filtering and NAT Using OpenBSD as a firewall and setting up systems to do NAT (Network Address Translation).
• NFS: The Network Filesystem Setting up and using an OpenBSD NFS server and client.
• NIS and YP Services Configuration of an NIS server and clients.
• Kerberos Configuration and operation of OpenBSD as a Kerberos V client and server.
• Authentication Methods The numerous login methods for OpenBSD, including S/Key.
• IPsec: Security at the IP Layer Configuring an OpenBSD client and gateway for secure IP networking.
• IP Version 6 (IPv6) Overview of how OpenBSD is able to use IPv6 and basic usage in normal activities.
• Systrace A system call policy mechanism, which can safely limit the actions of any application on an OpenBSD system.
• Network Intrusion Detection While not a standard part of OpenBSD, use of tools in the ports tree to allow OpenBSD to be used as a network security monitor.
• Upgrading Upgrading an OpenBSD system.
• Kernel Compilation The GENERIC kernel, the few reasons to compile a new kernel, and tweaks to the kernel without compilation.
• Bug Reports with OpenBSD Checking for and reporting system bugs.
• CVS Basics Use of CVS on OpenBSD to access the kernel source and for system deployment.
• Applying Source Code Patches Ways to apply system and application patches.
• Tuning the Kernel with sysctl Tunable kernel parameters.
• A dmesg Walkthrough Information available from dmesg and how it applies to system use.
• Core File Evaluation Evaluation of core files from system and application crashes.
• Other OpenBSD Tools and Resources Documentation reference for OpenBSD and other sources of information.
• IPsec m4 m4 processing scripts for the IPv6 chapter.

During the preparation of this book, a friend who was reviewing the table of contents asked me, "Where is the chapter on security?" Just as in OpenBSD, security is everywhere. We sprinkle it in almost every chapter, because this is how security is best done. A chapter or two at the end of a book simply cannot demonstrate how OpenBSD has integrated security into almost every facet of the system.

1.2 Whom Is This Book For?

This book targets both the user who is new to OpenBSD and the user who has been using the system for a while. It is not intended to be a beginner's guide; it presumes that the user knows UNIX and is moving to OpenBSD or looking to expand his or her knowledge base. In addition, given that networking is a core function of any OpenBSD system, having a basic understanding of networking is important. This book will not cover the specifics of editors like vi or emacs; the user is expected to be able to edit his or her own files. Finally, this book concentrates on the use of server-end tools; it will not cover the clients being used to access these services, except in terms of how that might change decisions during server configuration.

The first section of the book can probably be skimmed by experienced and savvy UNIX administrators, but many will want to read these chapters in depth. These chapters include the basics of the layout of the OpenBSD system and its installation.