Correctness and security are principal goals of OpenBSD, and accordingly the system installs in a minimal state with secure defaults selected.
Instead of giving a program SetUID or SetGID privileges, the OpenBSD systrace(1) utility can be used to let the program increase privileges only for specific system calls.
Note that disabling the IPv6 stack may be problematic on OpenBSD, as the system assumes it is operating.
securelevels
On OpenBSD the "securelevel" setting (configured by setting kern.securelevel in the file /etc/sysctl.conf) can be given three distinct values to enforce kernel security restrictions.
After the system has booted, this securelevel cannot be lowered.
If the securelevel is raised, direct access to memory, kernel modules and raw storage devices is denied, and other security-relevant settings can be frozen to prevent changes by all users, including root. See the man page for securelevel(7) for a full description. On OpenBSD a local X server can still be used with a raised securelevel so long as machdep.allowaperture=2 is also set in /etc/sysctl.conf. This has the effect of waiving the access restriction for the first megabyte of physical memory.
If it is decided to prevent easy booting into single user mode from
the console, in most cases this can be done by creating the file
/etc/boot.conf containing the single word:
boot
See the manual page for boot(8) for details.
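The securelevel and boot.conf settings described above can be checked offline against copies of the two files. The script below is an added example, not part of the original guide; the function names, the sample files, and the choice to treat a kern.securelevel of 1 or higher as "raised" are assumptions of the example.

```shell
#!/bin/sh
# Added example, not part of the original guide.

# Print the value of variable $2 in sysctl.conf-style file $1. Comments and
# whitespace are ignored; if a variable is repeated, the last assignment is
# reported (a simplification made by this example).
conf_value() {
    [ -r "$1" ] || return 0
    sed -e 's/#.*//' -e 's/[[:space:]]//g' "$1" |
        awk -F= -v key="$2" '$1 == key { v = $2 } END { if (v != "") print v }'
}

# Print one finding per line for sysctl.conf copy $1 and boot.conf copy $2.
audit_host() {
    level=$(conf_value "$1" kern.securelevel)
    aperture=$(conf_value "$1" machdep.allowaperture)
    case "$level" in
        "")     echo "INFO kern.securelevel is not set in this file" ;;
        [1-9]*) echo "OK kern.securelevel=$level" ;;   # assumption: >= 1 is "raised"
        *)      echo "WARN kern.securelevel=$level is not raised" ;;
    esac
    if [ -n "$aperture" ] && [ "$aperture" != 0 ]; then
        echo "NOTE machdep.allowaperture=$aperture relaxes the memory restriction; needed only for a local X server"
    fi
    if [ -r "$2" ] && grep -qx '[[:space:]]*boot[[:space:]]*' "$2"; then
        echo "OK boot.conf contains the boot command"
    else
        echo "WARN boot.conf lacks the boot command"
    fi
}

# Constructed sample files, not taken from a real host.
demo_dir=$(mktemp -d)
cat > "$demo_dir/sysctl.conf" <<'EOF'
# constructed sample
kern.securelevel=2
machdep.allowaperture=2   # local X server in use
EOF
printf 'boot\n' > "$demo_dir/boot.conf"
audit_host "$demo_dir/sysctl.conf" "$demo_dir/boot.conf"
rm -rf "$demo_dir"
```

On a real host, pass /etc/sysctl.conf and /etc/boot.conf as the two arguments to audit_host.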
OpenBSD does not use PAM for authentication. For information on OpenBSD's authentication system it is recommended to read the man pages for bsd_auth(3) and /etc/login.conf.
By default, OpenBSD supplies the script /etc/security, which performs some simple security checks and is run daily as a cron job. Refer to the manual page for security(8) for details.
By default the OpenBSD syslogd binds a UDP socket but does not accept incoming UDP packets. This is secure behaviour.
OpenBSD provides an excellent host firewall in the form of pf. This is not enabled by default. For details on configuring pf, see the documentation at: http://openbsd.org/faq/pf/index.html
Syncookies:
Instead of using syncookies, OpenBSD protects from SYN floods by using
an adaptive timeout to expire old SYNs at random.
