Re: [vox-tech] Re: OpenBSD and Security
> I don't see how this is true. OpenBSD has the same security problems
> in sendmail, named, openssh, ftpd that the rest of the distributions
> have. Either they don't do line by line security audits of PORTS
As I mentioned in my last message, sendmail and OpenSSH are audited parts of
OpenBSD. Also, I think that ipf is better than ipchains for firewalling.
> or they miss the security holes just like the rest of the world. Line
> by line audits help, are hardly foolproof, and many people do them.
OpenBSD has been source code audited since the summer of 1996, patching
basic software bugs and security flaws as a byproduct. Often, security
exploits in Linux reported in BugTRAQ have been fixed months earlier in
OpenBSD.
> OpenBSD has something like 25 security problems with 2.7:
> http://www.openbsd.com/errata27.html
RedHat 7.0 has 42:
http://www.redhat.com/support/errata/rh7-errata-security.html
OpenBSD 2.8 has 12, and they're all fixed if you follow the patch branch:
http://www.openbsd.org/security.html
Granted, you could use RedHat update agent, but it crashes on me and I don't
like paying monthly subscription fees.
> Of those I know who take an interest in such things, they install whatever
> OS they choose, install the latest patches, turn off ALL network services,
> turn on ssh, THEN put the machine on the net. Then they start installing/
> configuring the functionality they need, making sure it's 100% up to
> date (often distributions use slightly old versions), configuring it
> for maximum security, make sure it runs as a user with minimum privileges
> etc.
The workflow on OpenBSD is much easier: install, install patches, configure
functionality. You don't have to turn off networking services because
they're not on by default. SSH is already configured. You get an email of
your file permissions and the changes that were made to secure the system --
really, have you installed OpenBSD to compare it with a Linux installation?
> Then they take proactive measures, monitoring file checksums, tracking
> access logs, analyzing network traffic etc.
This is already set up in OpenBSD. When a file changes, root gets an e-mail
about it. Under Linux, I had to install logcheck to get similar
functionality.
> Redhat provides MD5 checksums and CryptoSigned packages to help ensure the
> integrity of a system package or binary, not that other OS's/distributions
> don't.
Cryptography is integrated throughout OpenBSD. Under Linux, I had to install
tripwire.
Anyways, to each their own.
> Bill
--Adam
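As an added illustration (not code from either poster, and not OpenBSD's own daily security script), here is the shape of the changed-file report Adam describes: snapshot a tree's checksums, then compare the tree against that baseline and report what was added, removed or changed. It assumes coreutils `sha256sum`, `find`, `awk`, `mktemp`, and file paths without whitespace.

```shell
#!/bin/sh
# Minimal file-integrity check: a baseline of checksums plus a comparison pass.
# Assumed tooling: POSIX sh, coreutils sha256sum, find, awk, mktemp.
# Assumption: paths under the monitored tree contain no whitespace.
#
# Usage (hypothetical paths):
#   snapshot_tree   /etc /var/db/etc.baseline   # once, on a known-good system
#   check_integrity /etc /var/db/etc.baseline   # from cron; mail the output

# Write "hash  path" lines for every regular file under $1 into baseline $2.
snapshot_tree() {
    find "$1" -type f -exec sha256sum {} + | LC_ALL=C sort -k2 > "$2"
}

# Compare tree $1 against baseline $2. Prints one line per difference
# ("ADDED", "CHANGED" or "REMOVED" followed by the path). Returns 0 when the
# tree still matches the baseline, 1 when anything differs, 2 on setup error.
check_integrity() {
    tree=$1; baseline=$2
    current=$(mktemp) || return 2
    snapshot_tree "$tree" "$current"
    rc=0
    # Pass 1: files present now that are new or whose hash no longer matches.
    while read -r hash path; do
        base=$(awk -v p="$path" '$2 == p { print $1 }' "$baseline")
        if [ -z "$base" ]; then
            echo "ADDED $path"; rc=1
        elif [ "$base" != "$hash" ]; then
            echo "CHANGED $path"; rc=1
        fi
    done < "$current"
    # Pass 2: files recorded in the baseline that have since disappeared.
    while read -r hash path; do
        awk -v p="$path" '$2 == p { f = 1 } END { exit !f }' "$current" \
            || { echo "REMOVED $path"; rc=1; }
    done < "$baseline"
    rm -f "$current"
    return $rc
}
```

A real deployment would keep the baseline somewhere the monitored host cannot silently rewrite (read-only media or another machine), otherwise whoever changes the files can refresh the baseline too.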