OS Specific Footnotes - OpenBSD
D.3 SetUID/SetGID programs
Correctness and security are principal goals of OpenBSD, and accordingly
the system installs in a minimal state with secure defaults selected.
D.4 Other minimisation
Instead of giving a program SetUID or SetGID privileges, the OpenBSD
systrace(1) utility can be used to let the
program increase privileges only for specific system calls.
E. Secure Base OS
Note that disabling the IPv6 stack may be problematic on OpenBSD as
it is assumed to be operating.
E.1 Physical, console and boot security
On OpenBSD the "securelevel" setting (configured by setting kern.securelevel
in the file /etc/sysctl.conf)
can be given three distinct values to enforce kernel security restrictions.
After the system has booted, this securelevel cannot be lowered.
If the securelevel is raised, direct access to memory, kernel modules and
raw storage devices is denied, and other security-relevant settings can
be frozen to prevent changes by all users including root. See the man
page for securelevel(7) for a full description.
On OpenBSD a local X server can still be used with a raised securelevel
so long as machdep.allowaperture=2 is also set in /etc/sysctl.conf.
This has the effect of waiving the access restriction for the first
megabyte of physical memory.
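An added example, not part of the original checklist: a small sh audit that reads a sysctl.conf-style file and reports how it sets kern.securelevel and machdep.allowaperture. The function names, output labels and sample file are constructed for illustration, and treating any positive level as "raised" is an assumption.

```shell
#!/bin/sh
# Added example (not from the original page). Sample file content is constructed.

# Print the value assigned to key $2 in file $1, ignoring comments and spaces.
# Assumption: when a key is repeated, the last assignment is the one reported.
conf_get() {
    awk -F= -v key="$2" '
        { sub(/#.*/, ""); gsub(/[ \t]/, "") }
        $1 == key { val = $2 }
        END { print val }
    ' "$1"
}

# Print "securelevel=<state> aperture=<state>" for the file named in $1.
# Assumption: any positive level counts as "raised"; securelevel(7) gives
# the meaning of each level.
audit_conf() {
    level=$(conf_get "$1" kern.securelevel)
    aperture=$(conf_get "$1" machdep.allowaperture)
    case "$level" in
        "")        sl=unset ;;
        -[0-9]|0)  sl=not-raised ;;
        [1-9])     sl=raised ;;
        *)         sl=invalid ;;
    esac
    case "$aperture" in
        "") ap=unset ;;
        # Per the text above, 2 waives the restriction on the first
        # megabyte of physical memory so a local X server can run.
        2)  ap=first-megabyte-waived ;;
        *)  ap="other($aperture)" ;;
    esac
    echo "securelevel=$sl aperture=$ap"
}

# Demonstration on a constructed sample file.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample, in the style of /etc/sysctl.conf
kern.securelevel=2         # raised
machdep.allowaperture=2    # local X server in use
EOF
audit_conf "$sample"
rm -f "$sample"
```

On a real host, pass /etc/sysctl.conf as the argument and compare the result with the running values reported by sysctl(8).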
E.3.3 PAM Pluggable Authentication Modules
If it is decided to prevent easy booting into single user mode from
the console, in most cases this can be done by creating the file
/etc/boot.conf containing the single word:
See the manual page for boot(8) for details.
G. Monitoring Capability
OpenBSD does not use PAM for authentication.
For information on OpenBSD's authentication system it is recommended to read
the man pages for bsd_auth(3) and
By default, OpenBSD supplies the script /etc/security
which does some simple security checks, run daily as a cron job. Refer to the
manual page for security(8) for details.
H.1.1 Identify host firewall software
By default the OpenBSD syslogd binds a UDP socket but does not accept
incoming UDP packets. This is secure behaviour.
H.3 Network stack hardening/sysctls
OpenBSD provides an excellent host firewall in the form of pf.
This is not enabled by default. For details on configuring pf, see the documentation at:
Instead of using syncookies, OpenBSD protects from SYN floods by using
an adaptive timeout to expire old SYNs at random.