Domain: deadly.org
Stories and comments across the archive that link to deadly.org.
Stories · 26
-
Secure Architectures with OpenBSD
ubiquitin writes "Existence of the Secure Architectures with OpenBSD text was first made public on the OpenBSD Journal in early April 2004. The OpenBSD Journal, also known as deadly.org and now undeadly.org, recently changed hands from James Phillips to Daniel Hartmeier amid several more or less obscure references to Pogues lyrics. The peaceful transfer of the site is a good thing, as it means that the several-hundred articles posted to the journal will remain in publicly-accessible archives for the foreseeable future and the occasion gave Hartmeier, known for his development of packet filtering (pf) and network DVD playing (kissd) software, a reason to try his hand at building a content management system. Jose Nazario is both an author of the book under review here and a contributor to the OpenBSD Journal web site, which seems to be a watering hole for unix hackers, having something of the flavor that Slashdot had in the late nineties." (Jose is also an occasional Slashdot book reviewer, and a good cook.) Read on for the rest of ubiquitin's review.
Secure Architectures with OpenBSD
author: Brandon Palmer, Jose Nazario
pages: 515
publisher: Addison Wesley Professional
rating: 9/10
reviewer: Mathew Caughron
ISBN: 0321193660
summary: Overview of BSD systems administration practices
The godfather of OpenBSD, Theo De Raadt, was given space on the cover for a snarky comment, his blessing apparently, that the book "works in tandem with OpenBSD's manual pages. As a result it will help many users grow..."
This comment is apropos, since the OpenBSD man pages, beginning with man afterboot, are some of the best getting-started OS documentation available anywhere on the net. So it is perhaps fair that a certain justification be offered for texts on this topic. This book gives many example configurations, some shell scripts, and an organizational approach that are simply beyond what one can realistically expect from the online manual pages. So yes, Theo, this book is destined to help mere mortals grow in knowledge and skill.
One nice feature of this book is that its authors refer to Linux equivalents where appropriate, e.g., in terms of configuration and system file locations and names. This makes it an ideal text for a Linux sysadmin who wants to take OpenBSD for a test drive on the public network. Two chapters covering the OpenBSD packet filter (pf) and IPSec are the gems of this text and even advanced Linux users will likely benefit from alternative approaches to solving the same problems in the alternate universe of a different operating system.
The Start-Up and Shutdown chapter has a careful and complete walk-through of /etc/rc, the equivalent of Linux's inittab. I found this to be a useful part of the book, because the various parts of this script are not always obvious from a first read through of the shell commands. Palmer and Nazario break it down into 41 sections, each with a discrete purpose. After running through the primary boot process run commands script, a brief explanation is given of each of the seven default OpenBSD processes.
Although a close examination of a minimalistic OS setup shouldn't be foreign to any mildly accomplished sysadmin, even those of the Microsoft camp, reviewing exactly what it is that the process list tells you is always a worthwhile exercise.
Like other opera omnia, the work falls into three parts, in this case: I. Getting Started, II. Configuration and Administration, and III. Advanced Features. The index and contents occupy only 25 or so pages out of the total 500 and will readily direct the casual reader into an appropriate chapter of her choice. The index entry for chroot, for instance, will direct the reader to the section on the most commonly encountered chroot issue: dynamic content generation under apache.
Coverage of the X Window System is as minimal as it should be on a platform where the benefits derived from its use have little immediate relevance for client-side GUI applications. Mac OS X users might find the book helpful, since OpenBSD can be installed, for those willing to undergo the hassle of repartitioning, on pretty much all current hardware from Apple. Many of the recipes (apache, sshd, gdb, sudo) are directly relevant to their own Darwinian flavor. Windows users will also find various parts of this book useful, since the Services for Unix product from Microsoft/Interix is widely known to be based upon an early version of OpenBSD. Note: Microsoft here joins a very long list of BSD-license adherents in opposing the world of GPL functionality, whether this be for better or for worse. So although the audience for this text is decidedly directed at those who are taking the plunge with Puffy the Blowfish, other audiences will benefit from the insights into basic systems administration activities.
This text may also serve as potent advocacy for the systems-administration practices of BSD masters. For instance, the process of user removal from a Red Hat or Debian system versus OpenBSD's rmuser script. The lifecycle of user accounts on long-lived systems does, after all, have an end as well as a beginning, so this process deserves attention, though it may occur less frequently in growing systems it nonetheless deserves attention. Note also the detailed description of rate-limiting, packet-scrubbing, transparent filtering, and load-balancing features of the platform's packet filter. It hardly seems fair to criticize snort2pf for being immature when pf itself is a novel feature with the 3.4 OpenBSD kernel.
Backup and Housekeeping chapters are particularly well laid out, and include strategies, not merely howto recipes. This is an important and often-neglected body of sysadmin knowledge. The Towers of Hanoi strategy backup script that uses key-based authentication to remotely back up servers will likely be a useful tool for readers of the text who are administering a remote server that needs to have routine off-site transfer of its contents.
An explanation of how to modify the default send-only setup of sendmail starts off the chapter on mail administration. Unfortunately, there is no mention of how to set up certificates for secure IMAP or POP authentication. This is an obviously necessary part of administering an email server in which passwords are not sent in the clear and I consider it to be the most egregious omission of the book. Perhaps the authors don't see email services as a place in which BSD actively or effectively contributes. X.509 key generation is covered in the Apache section for SSL and then again under the IPSec chapter, but configuration of the popular mail serving daemons to use cryptographic authentication surely deserves a place in this text which claims "secure architectures" as its purpose.
The appendices may be worth the price of the book alone for junior sysadmins first discovering the joys of BSD. These include a walk-through of CVS basics, how to use patch and diff, kernel tuning with sysctl, how to make sense of dmesg output, and the basics of core file analysis, interpretation of RAM dumps by gdb produced at crash time. If pkg file creation were given similar treatment, it may help the *BSD package system find a broader appeal.
If you take a "hold forever" approach to your investment in books, it might be worth waiting until the second edition. Brandon Palmer indicated in a posting to the OpenBSD journal that a rewrite of the book would likely include greater coverage of spamd administration as well as BGP and some of the high-availability features in CARP. No timing on the second edition is available and it should be noted that everything in the text is appropriate for OpenBSD 3.4, i.e., the Robin Hood puffinfish, not the 3.5 Monty Python puffinfish. I'd expect that in two more release cycles, summer 2005, it will be time to ask around about an update to this text. The IPv6 chapter will likely need a dramatic rewrite by then since it gives helpful configuration parameters for a handful of the current crop of IPv6 v.6 applications. As it is, the book stands on its own: current and relevant. A year and a half is many generations of kernel compiles in Linux-land but only a few rounds of planned upgrades for the slower-paced approach of BSD admins.
Attention to documentation seems to be the distinguishing mark of a mature project. In that vein, the recent round of OpenBSD texts can be seen as an argument that the platform is destined for greater mainstream use. Listed here are a few other recent texts on OpenBSD. The most direct competitor to this text is Absolute BSD: Unix for the Practical Paranoid by Michael Lucas and Jordan Hubbard which has been available in bookstores now for more than a year. For greater detail on the packet filter, refer to Building Firewalls with OpenBSD and PF by Jacek Artymiak or OpenBSD Firewalling by Jorg Kutemeier which is so far only available in German. Brian Carter's text OpenBSD: Implementing the Secure UNIX Platform was not available to the reviewer at the time of this writing but is expected to be out in distribution shortly.
Daniel Hartmeier's quotation on the back cover stating that the book's organization will help you save time is right on target. Although time will tell whether this book becomes the de facto standard as a systems handbook or complete text on OpenBSD, it is a book you can confidently recommend to anyone who wants their first experience with OpenBSD to include learning the ropes of minimalistic, and therefore robust, secure server administration practices.
Postscript: Addison Wesley has made the index of the book available. You can purchase the Secure Architectures with OpenBSD from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, carefully read the book review guidelines, then visit the submission page. -
OpenBSD Gains "Fuzzy" User Profiling IDS
NaveWeiss writes "According to the OpenBSD Journal, major work has been done on an innovative new OpenBSD feature termed 'fuzzy user profile intrusion detection system' - or 'fupids.' According to Steffen Wendzel, the code 'creates profiles for every user who does an execve() syscall on obsd systems.'" -
OpenBSD 3.4 Shipping
skelley writes "As seen on deadly.org, OpenBSD 3.4 CDs have begun to ship. If you ordered one already, you should see a charge appear on your credit card (if that's how you paid) and you should expect to see your CD in the next few days to week (depending on where you are). The CDs are being shipped from Calgary. This is earlier than expected, but hey ... enjoy it!" -
Microsoft Services for Unix and OpenBSD
ubiquitin writes "If you use strings on Microsoft's Services for Unix (SFU) interoperability suite which was developed by Interex you find that it is largely composed of source from the OpenBSD 3.0 source tree according to a recent deadly.org article." -
Open Source Enables Terrorist States
chill writes "Where to begin? OpenBSD Journal has a couple of update articles on the business of DARPA cancelling POSSE and OpenBSD's grant. And here is a message from Theo de Raadt, the OpenBSD big cheese, with a quote from a military spokesman. How does '...due to world events and the evolving threat posed by increasingly capable nation-states...' grab you? Does open source and freely available security support terrorism by its very nature?" -
OpenBSD Packet Filter Changes Syntax Language
An anonymous reader writes "As seen on this article on the OpenBSDJournal, Henning, one of PF main contributors writes: 'After much discussion we made a hard decision: we will change pf syntax from English to German.' So, what are the implications of this? And why the change? Read on." -
BSDs to be Merged
A dæmon writes "According to Daily Daemon News and The FreeBSD Diary, NetBSD, FreeBSD and GNU/OpenBSD are to be merged. Read the full story here." This is a good thing since one of the two BSDs clearly sucked, and the other was clearly superior. -
OpenBSD 3.3 Pre-Orders Available
CoryBenny writes "The OpenBSD project has just started taking pre-orders for its 3.3 release. This release contains the new pro-police stack protection and lots of other new features! The OpenBSD Journal are running a story here. Pre-orders can be made here and just check out their cool new t-shirts!!" -
BSD User Groups?
*no comment* writes "Deadly.org has an article running that started out as a call for Seattle OpenBSD people to start a local usergroup, but has since turned into a thread for people all over the country looking for people." -
OpenBSD Books On The Way
*no comment* writes "Well with all the advancements in PF and secure code wouldn't it be nice if someone would write a book on OpenBSD??? Oh wait, someone is. A guy named Jacek Artymiak is doing just that. The OpenBSD Gazetteer is scheduled for release shortly after the release of what may be the best release ever of OpenBSD (IMHO). Vastly improved PF, ALTQ, and BIND 9 is now default, not to mention procop stack protection. Out of the box it's ready to go as a firewalling packet-filtering bandwidth-throttling machine. A thread had started to pick up over at deadly.org." -
Spam Blocking Engine for OpenBSD
mkeke writes "In a post over at OpenBSD Journal, Theo states that he has written a spam blocker that works with pf and Spews. It looks darn cool :)" -
OpenBSD SMP In The Works
Cajal writes "Four students at the University of Waterloo are working to add SMP support to OpenBSD as part of the Spinlocks project. More information is available in a story at the OpenBSD Journal's site. They expect to have an initial working MP kernel in January." -
OpenBSD Book Suggestions
An anonymous reader writes "An OpenBSD book is being written and the author is looking for content suggestions to include in the book. It would be nice if the slashdot community suggested a bit or two. ;)" -
Stack-Smashing Protection Added To OpenBSD gcc
DieNadel writes "As posted here, support to ProPolice was added to OpenBSD. You can check the announcement. Note that THERE ARE dependencies that should be taken care of before building a new kernel, even on -stable." -
End Of OpenBSD 3.0-STABLE Branch - Upgrade To 3.2
jukal writes "From here: "Hello folks, Due to the upcoming release of OpenBSD 3.2, the 3.0-STABLE branch will be out of regular maintenance starting December 1st. There will be NO MORE fixes committed to this branch after this day. People relying on 3.0-STABLE (or older releases even) are strongly advised to upgrade to a more recent release (preferably 3.2 as it becomes available) as soon as possible. Thanks for reading, Miod" Download from your preferred FTP mirror." -
Going Back To The Past of the Internet
*no comment* writes "deadly.org currently has a story about a new grassroot network springing up. It consists of free shell access, and is trying to revitalize the olden days of the Internet. Free speech, free information are the key features, but I wonder if this is just another free DDoS drone as well." -
A Highly Portable Sandbox Facility For OpenBSD
An Anonymous Coward writes: "A new facility called 'systrace' has been developed by one of the OpenBSD developers. It allows enforcement of system call policies on untrusted binaries. For now it is only available in OpenBSD-current, but the author claims it is highly portable and can easily be integrated into GNU/Linux systems. Eventually binary-only software is going to become more and more common in Linux, so this could be another 'Good Thing(TM)' from the paranoids that brought us OpenSSH." -
r* Programs Being Removed from OpenBSD -current
moonboy writes: "This post over at OpenBSD Journal tells of the r* programs (rsh, rlogin, rcopy, etc) being removed from the -current tree. Can Telnet and FTP be far behind? I say good riddance." -
GNU-Darwin Packages For Mac OS X.1, Darwin-1.4.1
proclus writes: "The GNU-Darwin packages are compatible with Apple's newly released Darwin-1.4.1, and we now have Net Installation instructions for Darwin-only users. Our Bootable Installer CD is now in beta, thanks to the efforts of GNU-Darwin developer rrp. As you can see in the screenshot, our packages work fine with the XFree86 software which is now a part of Apple's Darwin distribution. We have recently packaged the latest versions of Mac OS X.1 compatible OpenSSH and XFree86. (Our older OpenSSH and XFree86 packages appear to be broken.) It is important for OS X.1 users to upgrade their OpenSSH. This is a great time to check out our other packaged offerings, which are also Darwin-1.4.1 and Mac OS X.1 compatible. OSX.1 users who are new to GNU-Darwin might like to try our new Net Installer. Just follow the OS X-specific directions at the top of the script. " -
OpenBSD Loadable Kernel Modules
LiquidPC writes: "deadly.org has a very thorough tutorial on LKM in OpenBSD, by Patrick Werner. You can check it out here. It gives you examples on writing LKMs and tells you why using them isn't the best idea."