# Hardened Free- vs. OpenBSD



## ikbendeman (Nov 1, 2018)

Not that I'll get an objective answer on here, but OpenBSD folks always tout their OS's better security, though I've known certain claims to be false, or misrepresented, over the years. Anyone here well proficient with both think they can give a somewhat objective opinion? Obviously, FreeBSD has more ports and market share, so greater attack surface but that and default settings aside, is it not possible to run FreeBSD to almost the same standard?


----------



## Cthulhux (Nov 1, 2018)

No, it's not.

Also, check the HardenedBSD website:
http://hardenedbsd.org/content/easy-feature-comparison


----------



## ikbendeman (Nov 1, 2018)

It's within forum regs, and it's not technical support. I don't want a battle. Thanks Cthulhux. drhowarddrfine I know where you're coming from, but that's why it's in off-topic. If the admins have a problem, they can rightfully pull.


----------



## ShelLuser (Nov 1, 2018)

This question is pretty much meaningless in my opinion. It's not the OS which keeps you (un)safe, it's the person(s) managing it and the way it's being managed that will make a difference.


----------



## drhowarddrfine (Nov 1, 2018)

ikbendeman I originally thought you were only asking about HardenedBSD which is why I deleted my comment. However, the link I pointed to mentioned "technical / support" not "tech support" so technical questions about other operating systems are not allowed.


----------



## rigoletto@ (Nov 1, 2018)

I'm not saying OpenBSD is not very secure (same about HardenedBSD), but we are in 2018 and I think anyone advertising they make the 'most secure OS in the world' should do it, at very minimum, with some formal proofs attached. Example: seL4 or MirageOS.


----------



## ralphbsz (Nov 1, 2018)

ShelLuser said:


> This question is pretty much meaningless in my opinion. It's not the OS which keeps you (un)safe, it's the person(s) managing it and the way it's being managed that will make a difference.


You are not wrong, but you are also not completely right.

Even the best admin can not take a piece of junk and make it secure and functional.  If the underlying "OS" is full of holes, then the admin can just firewall it off, at which point it becomes not very useful.

Conversely, to make a good secure system, you need to start with an "OS" without holes, and in addition the admin must be careful to not make it insecure.  Even on the best OS, the admin could configure sshd to allow root login, and then use "password" as the password for the root account.

When I say "OS" above, I mean all the software that is installed on the machine.  Typically, the bulk of the holes are found in the base installation.


----------



## kpedersen (Nov 1, 2018)

I'm always interested in this but I will also be the first to admit that many people are much more knowledgeable than me when it comes to potential security flaws!

Surely if you run `sockstat` and ensure that only port 22 / sshd is listened on FreeBSD then it is pretty much just as secure as OpenBSD just with sshd running too?
It is not like an operating system can be made to listen on a port remotely just by firing packets into it.
Or are we talking about UDP / datagram stuff such as dhcp clients being vulnerable?
Most problems that I can see will be caused by "extra" software such as shoddy web browsers making random connections to anything and everything but even that is only able to gain an unprivileged user account and must escalate privileges from there to write outside a home folder.

Sloppy crap like Windows with its many pointless "user friendly" servers provide a large attack surface (such as the classic lsasss worm exploiting some stupid service) but in general UNIX-like doesn't work like this, it doesn't have pointless services on by default.

The one thing I respect about OpenBSD is that they are not afraid of keeping "old" stuff. Rather than constantly jumping to the latest version like some sort of Facebook kid, once it has been audited, it takes an extremely large number of benefits to make them update. For example their older version of Apache before they wrote an internal web server and even their Fvwm window manager is old; and why not. Who cares if I cannot easily change mouse cursors using a png file in this version, it is known to work and it avoids Linux-like daily regressions


----------



## rufwoof (Nov 1, 2018)

'Default settings' were important for me (single user desktop setup). I did start with FreeBSD, but moved over to OpenBSD as it comes pretty much configured out of the box (with FreeBSD I felt uneasy about not fully understanding whether I'd configured things 'correctly' (securely) or not). I only add mc and chromium on top of base, and chromium is now both pledged and unveiled, so in using that to view/create PDF's, play mp4's ...etc. such activities also fall under the pledge and unveil umbrella. I've set all 'others' off for all root owned setuid files and only run root commands from the console, X is purely user only. Other than those additional packages (mc/chromium) and changing the setuid's, I've left everything else configured as out of the box and feel comfortable knowing that experts way more knowledgeable than me have set those default settings soundly.


----------



## hitest (Nov 1, 2018)

I run OpenBSD and FreeBSD.  Each OS has strengths and deficits.  I do like that OpenBSD is quite secure, and PF is enabled out of the box (just add your rules).


----------



## ShelLuser (Nov 2, 2018)

ralphbsz said:


> You are not wrong, but you are also not completely right.


No, I am completely right. Especially within the OP's vague context.



ralphbsz said:


> Even the best admin can not take a piece of junk and make it secure and functional.


But they can recognize it for what it is and follow their conclusions based on that. Not to mention that "junk" within the field of IT is often within the eyes of the beholder and not to forget context. The OP gave none of this, didn't even bother to mention the intended use, only "what's better?".

One could easily assume that this is a dumb attempt at circumventing the "FreeBSD vs. Linux" rule, which is what I did,



ralphbsz said:


> If the underlying "OS" is full of holes, then the admin can just firewall it off, at which point it becomes not very useful.


That depends on context. For example: what is this OS going to be used for.



ralphbsz said:


> Conversely, to make a good secure system, you need to start with an "OS" without holes,


By definition the holes are poked by installing 3rd party software onto said OS. Am I really the only one who thought it was funny (or maybe very transparent) how the OP mentioned the ports collection to be a liable issue on FreeBSD even though OpenBSD has a ports collection of their own.

But also: how are you going to determine that this OS has no holes in the first place? You can't, by definition. Which means it's up to the admin to counter for that.

(edit): This is a debate without end and as mentioned in my first post: basically a waste of time. A tool is only as good as the tool that is using it. Plain and simple.


----------



## ralphbsz (Nov 2, 2018)

I agree that there is no real disagreement between us here.  So let's stop arguing and just go drink.


----------



## drhowarddrfine (Nov 2, 2018)

Aaaaaaaaaahhhhhhhh I think you're both full of it.


----------



## ikbendeman (Nov 3, 2018)

I was intentionally vague so as not to start a flame-war about which OS/distribution is better. I was mostly curious as to see what, specifically, was different and it appears that HardenedBSD's website cleared it up succinctly. It looks like HardenedBSD has diverged quite a bit from FreeBSD, now. Most of the stuff they used to work on would get backported to FreeBSD when that project started, if I recall correctly (which I likely do not).


----------



## ikbendeman (Nov 6, 2018)

ShelLuser You kinda just re-affirmed what I was saying a la ports.


----------

