Like, AWS' IAM for the single server.
I recall that some ten years ago DAC vs. MAC was a frequently debated topic; nowadays it seems nobody talks about it. I'm not sure if that's because TrustedBSD/SELinux/AppArmor didn't deliver on their promises, or for some other reason.
In fact, that is why you still see "SELinux must be disabled" in application manuals today. The early SELinux iterations really broke all the applications, and many people never took a second look at the technology. 9/10 of the application vendors that recommend disabling SELinux really don't do anything that would hit a targeted policy; SELinux is already practically disabled for them. They just destroy the protection for the other software on the system...
Most common tweaking tasks can be handled with booleans, and extra tweaks are easy to accomplish with the help of audit2allow. However, it baffles me that audit2allow is not part of the default installation. It is a life saver that makes finding out why SELinux doesn't allow something really fast and easy.
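The workflow the comment above refers to (read the AVC denials, group them, and either flip a boolean or write a small allow rule) is easy to see in code. The following is an added example, not code from the thread, SELinux, or the audit2allow tool itself: it parses a few constructed audit.log lines, aggregates the denied permissions per (source type, target type, class) exactly as audit2allow would render them as TE rules, and attaches a boolean hint from a small hand-picked table. The sample log lines and the `BOOLEAN_HINTS` table are constructed for the example; the two booleans named in it are real targeted-policy booleans, but the table is not the full mapping that `audit2allow`/`sepolicy` consult.

```python
import re
from collections import defaultdict

# Constructed sample records in the format SELinux writes to
# /var/log/audit/audit.log. Not real log lines from any system.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1700000000.101:201): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1700000000.102:202): avc:  denied  { read } for  pid=1234 comm="httpd" name="config.php" dev="dm-0" ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.103:203): avc:  denied  { open } for  pid=1234 comm="httpd" path="/home/deploy/app/config.php" dev="dm-0" ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000000.103:203): arch=c000003e syscall=257 success=no exit=-13 ...
"""

# One AVC denial record: the permission set in braces, then the source and
# target security contexts and the object class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

# Hand-picked (assumed, incomplete) hint table: a denial matching one of these
# keys is normally fixed by turning on the named boolean, not by a custom rule.
BOOLEAN_HINTS = {
    ("httpd_t", "mysqld_port_t", "tcp_socket"): "httpd_can_network_connect_db",
    ("httpd_t", "user_home_t", "file"): "httpd_enable_homedirs",
}


def parse_denials(log_text):
    """Yield (source_type, target_type, tclass, perm) for every AVC denial."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, CWD, PATH records carry no denial of their own
        # A context is user:role:type:level; the type is the third field.
        stype = m.group("scontext").split(":")[2]
        ttype = m.group("tcontext").split(":")[2]
        for perm in m.group("perms").split():
            yield stype, ttype, m.group("tclass"), perm


def suggest_rules(log_text):
    """Aggregate denials into TE allow rules (audit2allow style) and pair each
    with a boolean hint when the hint table knows one. Returns a list of
    (rule_text, boolean_or_None) tuples in sorted order."""
    grouped = defaultdict(set)
    for stype, ttype, tclass, perm in parse_denials(log_text):
        grouped[(stype, ttype, tclass)].add(perm)
    rules = []
    for (stype, ttype, tclass), perms in sorted(grouped.items()):
        rule = f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};"
        rules.append((rule, BOOLEAN_HINTS.get((stype, ttype, tclass))))
    return rules


if __name__ == "__main__":
    for rule, boolean in suggest_rules(SAMPLE_AUDIT_LOG):
        print(rule)
        if boolean:
            print(f"    # prefer: setsebool -P {boolean} on")
```

On a real system the same steps are `ausearch -m AVC -ts recent | audit2allow -M mypolicy`, which writes `mypolicy.te` for you to read before `semodule -i mypolicy.pp`; where a boolean is suggested, `setsebool -P <boolean> on` is the smaller change and keeps the rest of the targeted policy intact. Treat the generated rule as a diagnosis of what the application actually touched, not as something to install unread: a denial on `user_home_t` may mean the application's files are mislabelled (fix with `restorecon`) rather than that the policy needs widening.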
For example, while DragonFly BSD does not tout security as a strong point yet, I have been keeping an eye on them and am very impressed with some of the things they are doing and how they go about it. (http://www.dragonflybsd.org/docs/newhandbook/Security/)
I have also gotten tired of PAM/SELinux on Linux, but I have been running Alpine Linux with grsec and am impressed with the default-install level of security, and would like to possibly see Alpine put up against OpenBSD.
Minix 3 is too immature at the moment, but I think pretty soon they are going to be at the level where they need to start thinking about security as well.
Anecdotal, I know, and I don't have specific model information in front of me at the moment, but, at least in my case, I found OpenBSD to be the best choice for these laptops simply because when I finished installing, everything Just Worked.
Oh, and they sleep properly too...
I'd like to run OpenBSD on my servers, but acquiring the dozen or so machines I need for service separation is just not cost effective or resource efficient.
I've used Linux for years and am only recently checking out BSD, so I just kept Debian around for most of my servers.
I do like the new, very simple httpd in OpenBSD though; I've been playing with that a lot lately.
The x86 landscape has changed a bit between that post and the recent video linked upthread, though (e.g. addition of a bunch of hardware protection instructions aimed at virtualization), which might have led him to reevaluate.
OpenBSD works quite well as a daily use OS.
Of course there are some Wi-Fi devices that require blobs, and I'm glad OpenBSD does not support these. However, I learned that no support at all is better than half support from some crap drivers.
This is a misconception.
Sure, I would be very happy to use it as my desktop. I've even donated to them. But it needs more time to adopt more tools, at the very least for broader adoption.
Really, anything I've used Linux for on servers I've been able to replicate on OpenBSD... I don't feel like everything is automatically more secure just because I'm using OpenBSD, but its simplicity with regard to package management and system configuration does help me understand just about everything running on the system, which, IMHO, does lead to better security.
I've been doing web development for the last 4 years and programming for almost 2. My desktop and laptop have only OpenBSD as an OS.
What do I miss? Apart from some more recent games (which is the reason I have a console), nothing. ;)
As for hardware problems? Well, if you want to run some new (for you) OS without doing some homework (will it run? what problems are unresolved for X hardware? what hardware do I already own? will it cause problems?), you're out of luck even with Linux in some cases.
Hell, even my X41 single-core laptop can play 1080p video files.
Also, the upgrade process takes ~3-7 mins (depending on hardware). Can't beat that. :)
OpenBSD pioneers a lot of security research and best practices, but I think many people get misled by all the hand-waving and subsequently have more faith in certain features and less knowledge. I'm a victim myself.
As an example, I recently brought up W^X and wanted to know what the status / stance was, and was met with a healthy dose of skepticism. As I was told, "W^X is very useful for debugging but not for security as the kernel has a read-write 1:1 map of all physical memory... you can still write to memory that will later be executed, you just have to use a different address" (not a direct quote). This was completely new information to me that nobody seems to talk about.
Likewise, when I asked about securelevel=1, I was met with "securelevel is more likely to be removed entirely than enabled by default ... not convincing because there's no coherent model ... easy to work around as an attacker unless the system is very, very carefully configured, which means it's locked down beyond usability for most configurations ... though it's useful for jails since you can still do maintenance from the jailhost".
tl;dr: I think the FreeBSD devs who can call the shots are more interested in ASLR and pushing Capsicum hard.
edit: would this prevent you from being able to support 1GB pages?
edit: ... and if we did decide, in the future, to take advantage of 1GB page support in the direct map, I'd probably just break out the kernel area separately and continue to map it with 2MB pages.
Probably others, but some of the discussion: https://lists.freebsd.org/pipermail/freebsd-hackers/2014-Nov...
Feel free to point them at the link mlarkin himself has posted here.
I believe jails are a philosophical issue; it is very hard to show that they actually provide isolation.
Indeed. In theory, the kernel runs at a security/isolation level above root, but in practice root can often subvert it.
That said, OpenBSD also offers rdomains, which aren't quite jails but provide a somewhat similar degree of network separation.
2) This is the one time I really, really wish there were an interviewer not from the FreeBSD / PC-BSD project. I really wanted a follow-up question to this one.
BSD Now and bsdtalk are the two podcasts I look forward to each week.
No. Don't bother. The only BSD that has a security edge over Linux is OpenBSD, and you're probably not happy to lose the performance (and often hardware support) it would entail. It's also lacking a lot of the platform management Linux systems have (package management stone ages; you won't have fun upgrading it).
It's great for critical systems, though. It's just the majority of the time I'm not willing to give up the niceties I would have to.