Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Security Books Media Operating Systems Software Book Reviews BSD

Secure Architectures with OpenBSD 90

ubiquitin writes "Existence of the Secure Architectures with OpenBSD text was first made public on the OpenBSD Journal in early April 2004. The OpenBSD Journal, also known as deadly.org and now undeadly.org, recently changed hands from James Phillips to Daniel Hartmeier amid several more or less obscure references to Pogues lyrics. The peaceful transfer of the site is a good thing, as it means that the several-hundred articles posted to the journal will remain in publicly-accessible archives for the foreseeable future and the occasion gave Hartmeier, known for his development of packet filtering (pf) and network DVD playing (kissd) software, a reason to try his hand at building a content management system. Jose Nazario is both an author of the book under review here and a contributor to the OpenBSD Journal web site, which seems to be a watering hole for unix hackers, having something of the flavor that Slashdot had in the late nineties." (Jose is also an occasional Slashdot book reviewer, and a good cook.) Read on for the rest of ubiquitin's review.
Secure Architectures with OpenBSD
author Brandon Palmer, Jose Nazario
pages 515
publisher Addison Wesley Professional
rating 9/10
reviewer Mathew Caughron
ISBN 0321193660
summary Overview of BSD systems administration practices

The godfather of OpenBSD, Theo De Raadt, was given space on the cover for a snarky comment, his blessing apparently, that the book "works in tandem with OpenBSD's manual pages. As a result it will help many users grow..."

This comment is apropos, since the OpenBSD man pages, beginning with man afterboot, are some of the best getting-started OS documentation available anywhere on the net. So it is perhaps fair that a certain justification be offered for texts on this topic. This book gives many example configurations, some shell scripts, and an organizational approach that are simply beyond what one can realistically expect from the online manual pages. So yes, Theo, this book is destined to help mere mortals grow in knowledge and skill.

One nice feature of this book is that its authors refer to Linux equivalents where appropriate, e.g., in terms of configuration and system file locations and names. This makes it an ideal text for a Linux sysadmin who wants to take OpenBSD for a test drive on the public network. Two chapters covering the OpenBSD packet filter (pf) and IPSec are the gems of this text and even advanced Linux users will likely benefit from alternative approaches to solving the same problems in the alternate universe of a different operating system.

The Start-Up and Shutdown chapter has a careful and complete walk-through of /etc/rc, the equivalent of Linux's inittab. I found this to be a useful part of the book, because the various parts of this script are not always obvious from a first read through of the shell commands. Palmer and Nazario break it down into 41 sections, each with a discrete purpose. After running through the primary boot process run commands script, a brief explanation is given of each of the seven default OpenBSD processes.

Although a close examination of a minimalistic OS setup shouldn't be foreign to any mildly accomplished sysadmin, even those of the Microsoft camp, reviewing exactly what it is that the process list tells you is always a worthwhile exercise.

Like other opera omnia, the work falls into three parts, in this case: I. Getting Started, II. Configuration and Administration, and III. Advanced Features. The index and contents occupy only 25 or so pages out of the total 500 and will readily direct the casual reader into an appropriate chapter of her choice. The index entry for chroot, for instance, will direct the reader to the section on the most commonly encountered chroot issue: dynamic content generation under apache.

Coverage of the X Window System is as minimal as it should be on a platform where the benefits derived from its use have little immediate relevance for client-side GUI applications. Mac OS X users might find the book helpful, since OpenBSD can be installed, for those willing to undergo the hassle of repartitioning, on pretty much all current hardware from Apple. Many of the recipes (apache, sshd, gdb, sudo) are directly relevant to their own Darwinian flavor. Windows users will also find various parts of this book useful, since the Services for Unix product from Microsoft/Interix is widely known to be based upon an early version of OpenBSD. Note: Microsoft here joins a very long list of BSD-license adherents in opposing the world of GPL functionality, whether this be for better or for worse. So although the audience for this text is decidedly directed at those who are taking the plunge with Puffy the Blowfish, other audiences will benefit from the insights into basic systems administration activities.

This text may also serve as potent advocacy for the systems-administration practices of BSD masters. For instance, the process of user removal from a Red Hat or Debian system versus OpenBSD's rmuser script. The lifecycle of user accounts on long-lived systems does, after all, have an end as well as a beginning, so this process deserves attention, though it may occur less frequently in growing systems it nonetheless deserves attention. Note also the detailed description of rate-limiting, packet-scrubbing, transparent filtering, and load-balancing features of the platform's packet filter. It hardly seems fair to criticize snort2pf for being immature when pf itself is a novel feature with the 3.4 openbsd kernel.

Backup and Housekeeping chapters are particularly well laid out, and include strategies, not merely howto recipes. This is an important and often-neglected body of sysadmin knowledge. The Towers of Hanoi strategy backup script that uses key-based authentication to remotely backup servers will likely be a useful tool for readers of the text who are administering a remote server that needs to have routine off-site transfer of its contents.

An explanation of how to modify the default send-only setup of sendmail starts off the chapter on mail administration. Unfortunately, there is no mention of how to set up certificates for secure IMAP or POP authentication. This is an obviously necessary part of administering an email server in which passwords are not sent in the clear and I consider it to be the most egregious omission of the book. Perhaps the authors don't see email services as a place in which BSD actively or effectively contributes. X.509 key generation is covered in the Apache section for SSL and then again under the IPSec chapter, but configuration of the popular mail serving daemons to use cryptographic authentication surely deserves a place in this text which claims "secure architectures" as its purpose.

The appendices may be worth the price of the book alone for junior sysadmins first discovering the joys of BSD. These include a walk-through of CVS basics, how to use patch and diff, kernel tuning with sysctl, how to make sense of dmesg output, and the basics of core file analysis, interpretation of RAM dumps by gdb produced at crash time. If pkg file creation were given similar treatment, it may help the *BSD package system find a broader appeal.

If you take a "hold forever" approach to your investment in books, it might be worth waiting until the second edition. Brandon Palmer indicated in a posting to the OpenBSD journal that a rewrite of the book would likely include greater coverage of spamd administration as well as BGP and some of the high-availability features in CARP. No timing on the second edition is available and it should be noted that everything in the text is appropriate for OpenBSD 3.4, i.e., the Robin Hood puffinfish, not the 3.5 Monty Python puffinfish. I'd expect that in two more release cycles, summer 2005, it will be time to ask around about an update to this text. The IPv6 chapter will likely need a dramatic rewrite by then since it gives helpful configuration parameters for a handful of the current crop of IPv6 v.6 applications. As it is, the book stands on its own: current and relevant. A year and a half is many generations of kernel compiles in Linux-land but only a few rounds of planned upgrades for the slower-paced approach of BSD admins.

Attention to documentation seems to be the distinguishing mark of a mature project. In that vein, the recent round of OpenBSD texts can be seen as an argument that the platform is destined for greater mainstream use. Listed here are a few other recent texts on OpenBSD. The most direct competitor to this text is Absolute BSD: Unix for the Practical Paranoid by Michael Lucas and Jordan Hubbard which has been available in bookstores now for more than a year. For greater detail on the packet filter, refer to Building Firewalls with OpenBSD and PF by Jacek Artymiak or OpenBSD Firewalling by Jorg Kutemeier which is so far only available in German. Brian Carter's text OpenBSD: Implementing the Secure UNIX Platform was not available to the reviewer at the time of this writing but is expectedly to be out in distribution shortly.

Daniel Hartmeier's quotation on the back cover stating that the book's organization will help you save time is right on target. Although time will tell whether this book becomes the de facto standard as a systems handbook or complete text on OpenBSD, it is a book you can confidently recommend to anyone who wants their first experience with OpenBSD to include learning the ropes of minimalistic, and therefore robust, secure server administration practices.


Postscript: Addison Wesley has made the index of the book available. You can purchase the Secure Architectures with OpenBSD from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, carefully read the book review guidelines, then visit the submission page.

This discussion has been archived. No new comments can be posted.

Secure Architectures with OpenBSD

Comments Filter:
  • ...i.e., this [acme.com].

    Hopefully they've set up throttling [acme.com]...
  • by Anonymous Coward
    I am thinking of changing from NetBSD. They can set the Internet2 landspeed record [netbsd.org] but they still have not managed to choose a new logo [netbsd.org]. This is killing me...I want to know.
  • by Anonymous Coward

    ...junior sysadmins first discovering the joys of BSD.

    I can't be the only one who read that as "...the joys of B&D, can I?

  • (Jose is also an occasional Slashdot book reviewer, and a good cook.)

    timothy knows, she made him breakfast on many occasions. ;)
  • by MonkeyCookie ( 657433 ) on Thursday May 13, 2004 @01:21PM (#9142172)

    ...having something of the flavor that Slashdot had in the late nineties.

    I'm afraid I wasn't aware of Slashdot in the late 90s; I started reading in 2001.

    How was Slashdot different in the late nineties? Would anyone care to compare the differences between then and now? I'm wondering if there were even any significant differences, or if this is just someone's misguided nostalgia.

    • How was Slashdot different in the late nineties? Would anyone care to compare the differences between then and now?

      Well, the goatse guy wasn't around to torture us, but without the help of "Display Link Domains" you had to be more careful about clicking links in comments.

      Slashdot does Archive early stories [slashdot.org].

      What I remember best about Slashdot in the late nineties is that the Linux zealots were out in force, and would gleefully mod down anything I posted just based on distaste for my .sig :)

    • Re: (Score:2, Informative)

      Comment removed based on user account deletion
    • Well, every other comment was a link to goatse.cx. And we didn't have those "In Soviet Russia" jokes. And I don't think the "*BSD is dying" trolls were around then either.

      And there were lots of articles by some "Jon Katz" fellow that were supposed to be enlightening. *shudder*

      Other than that, the same kind of drivel that fills the site today.
      • I remember the John Katz articles when I first started reading.

        All the comments for them were seething with loathing for John Katz. I remember thinking, "Who is this guy, and why does everyone hate him so much?"

        I have to admit that his articles weren't terribly interesting.
        • his job was to troll, basically... think of him as a liberal Michael Savage.... kind of like the rest of slashdot, only they were all jealous of him...
          this isn't my first nickname. i've been around since 1998.
        • All the comments for them were seething with loathing for John Katz. I remember thinking, "Who is this guy, and why does everyone hate him so much?"

          Jon Who? Oh, yeah, that overbearing twerp who not only coudn't write, but felt he had to force his social aganda down everyone's throat in a totally inappropriate forum. I never did figure out why the editors kept the guy (at least at first, later on, they kept him because the outcry generated traffic and page hits.)

          In those days, there really wasn't much a
    • Everyone thought Macs sucked.
      Lots more starry-eyed Linux advocacy.
      People took ESR seriously, always cited his Bazaar book.
      Witty trolls ruled the site, people bit on anything, no matter how ridiculous.
      Story selection, karmawhoring, BSOD jokes, crapflooding, in-jokes, and so on were about the same.
    • Want the best possible mirror of slashdot in the late 90s? Look no further--you're soaking in it [slashdot.org]. Just change the date in the URL. That particular one is from five years ago today. Works as far back as 19980101. (Actually, there are 3 stories at 19971231, which I guess is just due to time zones.)
  • by bstadil ( 7110 ) on Thursday May 13, 2004 @01:22PM (#9142180) Homepage
    Little off topic but ther is a good article [newsforge.com]about Linux emulation on NetBSD over at Newsforge
  • by Nonesuch ( 90847 ) on Thursday May 13, 2004 @01:23PM (#9142182) Homepage Journal
    Sounds like this could be useful for training up my cow-orkers.

    I encounter a broad spectrum of BSD-derived and SYSV-derived operating systems, (as well as hybrids such as Solaris), and even in going back and forth between FreeBSD and OpenBSD can bring confusion, particularly with the very different way the two handle system startup scripts.

    I would like to see somebody publish a book that does include information on using OpenBSD with X-windows as a secure desktop OS. Everybody focuses on the security of Open as a server OS for infrastructure, but it can be usable (if not user friendly, at least not user hostile) on the desktop.

    • Step 1: Install OpenBSD, make sure to select the X packages
      Step 2: Configure X
      Step 3: Install desired Desktop environment or Window Manager from packages

      I don't think that it would fill an entire chapter.
      • True enough, but it would be nice for there to be a good guide of X tips and tricks. Like making sure your qt is setup with all the plugins for kde, that you have switch and switch2 for changing gtk/gtk2 themes, that you use xset -b to turn off beeps in your terminals. Stuff like that is nice, though it is not an OpenBSD thing, I would like it more to read one OpenBSD centric document over a bunch of random guides to X that make Linux-centred assumptions.
    • by Anonymous Coward
      OpenBSD isn't quite as good on the Desktop as Linux. Sorry, but it's a fact. Why? Because all the biggest desktoppy environments and applications are largely written for and tested on Linux (and to a lesser extent FreeBSD). For whatever reason, OpenBSD sits beneath the radar of most developers. Thus the many little Linux-centric assumptions in their software result in (at best) little things not working right in OpenBSD, or at worst, software that basically doesn't work at all on OpenBSD.

      Examples:

      KDE --
  • by Anonymous Coward
    I just got the new CD yesterday, together with some stylish OpenBSD t-shirts. However, it seems to be showing up many of the problems of a monolithic kernel, namely that you have to wait for your favorite device to be built in to the kernel, or you have to build your own kernel. With a small team focused on security development, not on device drivers, this means that the kernel is definitely more limited than Linux. It seems like it would be better to get as much stuff out of the kernel as possible, so t
    • Ah yes, the eternal debate about monolithic vs modular kernels, in a slightly different guise, and a worthy topic of debate. At least this time, the minimalist microkernel has not been mentioned (yet?). Since I use Linux, OpenBSD and FreeBSD, I have seen their several approaches, they all have their limitations.

      Personally, I dislike loadable modules, although my Linux kernels are modular, there are so many errors in the kernel config scripts that if you try to build a minimalist highly-optimised kernel, inc

      • CISC is currently in fashion, but RISC will be back......

        CISC might be in fashion, but the CISC supermodels are all RISC wearing some fancy CISC frocks. ; )

        As far as I'm concerned, a big turning point for major RISC dominance over CISC, came with the Pentium Pro.

        The way I see it (not that it goes against your view), is that "CISC" is still largely "around" only due to it's unfortunate legacy in a very popular market.

        • I agree about the X386 architecture, it should have gone long ago. It would have been a good time to dump Windoze and get a decent OS as well. The OS is the main problem, not the processor architecture.

          But, as chip density increases and word size gets bigger, the CISC vs RISC situation changes. There is also the scenario that a RISC chip reaches a certain level of speed and complexity, then a CISC manages the same. They tend to chase each other, which is good for us end users, in means that both will improv

  • Hear hear! (Score:4, Interesting)

    by Power Everywhere ( 778645 ) on Thursday May 13, 2004 @01:27PM (#9142233) Homepage
    OpenBSD is an excellent operating system for running dedicated network hardware. It's fast, stable, and secure. My only two complaints are that it doesn't support PowerPC hardware, and its lack of SMP. I have a Power Mac 9600/300 dual processor box that is of no use to us in the shop but would take care of three installed boxes' network duties if I could put OpenBSD on it. I don't think that Linux or Darwin are up to the task, so the machine sits.
  • Deadly? (Score:4, Funny)

    by metlin ( 258108 ) * on Thursday May 13, 2004 @01:30PM (#9142267) Journal
    There is something prophetic about having references to deadly and undeadly in a *BSD review :-p

  • by Anonymous Coward
    Here is a nice picture [shadowclad.com] of Theo De Raadt creating *BSD.
  • What the hell? (Score:3, Informative)

    by Blakey Rat ( 99501 ) on Thursday May 13, 2004 @02:02PM (#9142701)
    "Existence of the Secure Architectures with OpenBSD text was first made public on the OpenBSD Journal in early April 2004. The OpenBSD Journal, also known as deadly.org and now undeadly.org, recently changed hands from James Phillips to Daniel Hartmeier amid several more or less obscure references to Pogues lyrics."

    What the hell? Two sentences and I'm already completely lost.
  • I have used OpenBSD since 2.8 for firewalls and I actually just finished reading this book. Though this book is a broad overview of OpenBSD, it does contain alot of useful info for both new users and experienced admins. If you havent used any of the power of OpenBSD or just a few core features like me, this book is really great to have on the shelf.
  • by Anonymous Coward
    How can you secure something with an os that is inherently insecure? OpenBSD uses SSP kernel which makes the kernels extremely vulnerable to information leaking. The problem is that with even just one information leaking problem you can get the canopy (SSP thingy) and after that you have a free pass to almost everywhere. (Go to find an other bug to exploit it too, but anyways) SSP uses fixed canopy which is extremely dangerous.

    Ok, it's just one small detail of the several hundred. But the point is, OpenBSD

Don't tell me how hard you work. Tell me how much you get done. -- James J. Ling

Working...