Correctness and security are principal goals of OpenBSD, and accordingly the system installs in a minimal state with secure defaults selected.
Instead of giving a program SetUID or SetGID privilleges, the OpenBSD systrace(1) utility can be used, to let the program increase privileges only for specific system calls.
Note that disabling the IPv6 stack may be problematic on OpenBSD as it is assumed to be operating.
On OpenBSD the "securelevel" setting (configured by setting kern.securelevel in the file /etc/sysctl.conf) can be given three distinct values to enforce kernel security restrictions. After the system has booted, this securelevel can not then be lowered.
If the securelevel is raised, direct access to memory, kernel modules and raw storage devices are denied, and other security relevant settings can be frozen to prevent changes by all users including root. See the man page for securelevel(7) for a full description. On OpenBSD a local X server can still be used with a raised securelevel so long as machdep.allowaperture=2 is also set in /etc/sysctl.conf. This has the effect of waiving the access restriction for the first megabyte of physical memory.
If it is decided to prevent easy booting into single user mode from
the console, in most cases this can be done by creating the file
/etc/boot.conf containing the single word:
See the manual page for boot(8) for details.
OpenBSD does not use PAM for authentication. For information on OpenBSD's authentication system it is recommended to read the man pages for bsd_auth(3) and /etc/login.conf.
By default, OpenBSD supplies the script /etc/security which does some simple security checks, run daily as a cron job. Refer to the manual page for security(8) for details.
By default the OpenBSD syslogd binds a UDP socket but does not accept incoming UDP packets. This is secure behaviour.
OpenBSD provides an excellent host firewall in the form of pf. This is not enabled by default. For details on configuring pf, see the documentation at: http://openbsd.org/faq/pf/index.html
Instead of using syncookies, OpenBSD protects from SYN floods by using an adaptive timeout to expire old SYNs at random.