🛡️ OpenBSD Security Model
OpenBSD's security model is built on the principle of "secure by default," incorporating multiple layers of protection from the kernel to user-space applications. Understanding this comprehensive approach is essential for effective security management.
🎯 Core Security Principles
Secure by Default Philosophy
OpenBSD implements security through proactive design rather than reactive fixes:
```sh
# Default security features enabled
# - Stack protection (ProPolice)
# - Address Space Layout Randomization (ASLR)
# - W^X (Write XOR Execute) memory protection
# - Randomized malloc()
# - Privilege separation in system services
# Check current security settings
sysctl kern.securelevel                           # System security level
sysctl machdep.allowaperture                      # Direct hardware access (i386/amd64 only)
sysctl net.inet.ip.portfirst net.inet.ip.portlast # Ephemeral port range used for outgoing connections
```
Exploit Mitigation Technologies
```sh
# Stack protection
# Enabled by default in the base compiler
# ProPolice stack protector
# Memory protection
# W^X (Write XOR Execute)
# Non-executable stack and heap
# Randomized memory layout
# Process isolation
# Privilege separation
# Chroot environments
# Pledge/unveil restrictions
```
🔧 Kernel Security Features
Security Levels
OpenBSD implements a security level system that restricts certain operations:
```sh
# Check current security level
sysctl kern.securelevel
# Security levels:
# -1: Permanently insecure mode (rc never raises it)
#  0: Insecure mode (single-user default)
#  1: Secure mode (multi-user default): immutable and append-only file flags
#     cannot be cleared, and mounted raw disks and the kernel cannot be written
#  2: Highly secure mode: additionally pf rules cannot be changed and the
#     clock cannot be set backwards
# Increase security level (1 is already the multi-user default; 2 is stricter)
sysctl kern.securelevel=1
# Note: the security level can only be raised by root; only init(8) lowers it,
# so going back down effectively requires a reboot
```
Memory Protection
```sh
# W^X (Write XOR Execute) protection
# A page may be writable or executable, never both, so injected data cannot run
sysctl kern.wxabort   # 1 = kill a process on a W^X violation instead of only logging it
# ASLR (Address Space Layout Randomization)
# Randomizes stack, heap, shared-library and PIE base addresses; there is no knob to disable it
# Stack protection
# ProPolice stack protector, enabled by default in the base compiler
# Canaries detect stack smashing before the function returns
```
Device Driver Security
```sh
# Direct hardware access control
sysctl machdep.allowaperture   # Allow direct hardware access (0=disabled, the default)
# Device driver restrictions
# OpenBSD has no loadable kernel modules: every driver is compiled into the kernel
# Restricted device access by default
# Check device permissions
ls -l /dev/ | head             # Most device nodes are restricted to root
```
📋 User and Authentication Security
Password Security
```sh
# Strong password policies
# /etc/login.conf - login class configuration (aging, length, login limits)
# Default settings are quite secure
# Password aging and strength are set per login class, for example:
#   :passwordtime=90d:     force a change after 90 days
#   :minpasswordlen=12:    minimum length accepted by passwd(1)
#   :login-retries=5:      attempts allowed per login session
# Rebuild the capability database after editing
cap_mkdb /etc/login.conf
# Per-user aging: edit the "Change" and "Expire" fields
chpass username
# Account locking
# Failed login attempts are logged to /var/log/authlog;
# login-backoff in login.conf slows repeated failures within a session
# Check a user's password status (aging fields live in /etc/master.passwd)
user info username
```
Authentication Methods
```sh
# BSD Authentication (OpenBSD does not use PAM)
# Authentication styles are chosen per login class in /etc/login.conf
# (auth-default, auth-ssh, ...) and implemented by /usr/libexec/auth/login_*
ls /usr/libexec/auth/            # login_passwd, login_yubikey, ...
# SSH key authentication (preferred)
# Disable password authentication
# Use key-based authentication only
# Two-factor authentication
# YubiKey support via login_yubikey(8)
# OTP (One Time Password) styles are available from packages
# Certificate-based authentication
# SSH certificates
# X.509 certificates for services
```
User Privilege Management
```sh
# Principle of least privilege
# Dedicated service accounts
# Minimal permissions by default
# doas - secure privilege escalation
# /etc/doas.conf - configuration (the last matching rule wins)
# Smaller and simpler than sudo, so easier to audit
# Example doas.conf:
# permit persist :wheel        # Allow wheel group with password, cached for a short time
# permit nopass keepenv root   # Allow root without password, keeping the environment
# permit nopass ted as root    # Allow a specific user as root without password
# Check that the configuration parses before relying on it
doas -C /etc/doas.conf
# Check user privileges
id username       # Show user and group IDs
groups username   # Show group memberships
```
🌐 Network Security
Packet Filter (PF)
```sh
# PF - OpenBSD's packet filter
# /etc/pf.conf - main configuration
# Basic PF rules
cat > /etc/pf.conf << 'EOF'
# Macros
ext_if="em0"
tcp_services="{ 22, 80, 443 }"
# Options
set block-policy drop
set loginterface $ext_if
set skip on lo
# Normalization
match in all scrub (no-df max-mss 1440)
# Queueing (the old altq syntax is gone; this is the current queue syntax)
queue rootq on $ext_if bandwidth 100M
queue std parent rootq bandwidth 10M default
queue ssh parent rootq bandwidth 20M
queue web parent rootq bandwidth 70M
match out on $ext_if proto tcp to port 22 set queue ssh
match out on $ext_if proto tcp to port { 80, 443 } set queue web
# Translation
# match out on $ext_if from 192.168.1.0/24 to any nat-to ($ext_if)
# Filtering
block in log
block in quick from urpf-failed
pass out quick inet proto tcp from ($ext_if) to any modulate state
pass in on $ext_if inet proto tcp from any to ($ext_if) \
    port $tcp_services flags S/SA modulate state
# Anti-spoof
antispoof quick for { lo $ext_if }
EOF
# Check the syntax before loading
pfctl -nf /etc/pf.conf
# Enable PF (enabled by default on OpenBSD)
rcctl enable pf
pfctl -e
# PF management
pfctl -f /etc/pf.conf   # Load rules
pfctl -sr               # Show rules
pfctl -si               # Show statistics
pfctl -sl               # Show labels
```
Network Service Security
```sh
# Service hardening
# Bind to specific interfaces
# Use non-privileged ports when possible
# Implement connection limits
# SSH security
# /etc/ssh/sshd_config modifications:
# PermitRootLogin no
# PasswordAuthentication no
# PubkeyAuthentication yes
# AllowUsers specific_users
# ClientAliveInterval 300
# ClientAliveCountMax 2
# Test the configuration before restarting, then apply it
sshd -t && rcctl restart sshd
# Network monitoring
# Enable network logging
# Monitor unusual traffic patterns
# Implement intrusion detection
```
IPsec and VPN Security
```sh
# IPsec implementation
# Built-in IPsec support (kernel ESP/AH; manual and static SAs via ipsecctl(8) and /etc/ipsec.conf)
# Strong encryption algorithms
# IKE (Internet Key Exchange)
# isakmpd - IKEv1 daemon
# iked - IKEv2 daemon (/etc/iked.conf), interoperable with strongSwan and other IKEv2 peers
rcctl enable iked
# VPN configurations
# Site-to-site VPNs
# Remote access VPNs
# Certificate-based authentication (ikectl(8) manages a CA for iked)
```
🛠️ Application Security
Pledge and Unveil
```sh
# Application sandboxing
# pledge(2) - restricts a process to the system calls covered by its declared "promises"
# unveil(2) - restricts the filesystem paths a process can see
# Example application security
# Web server with restricted access (C calls, shown as comments):
# unveil("/var/www/htdocs", "r");                  /* Read-only document root */
# unveil("/var/www/logs", "rwc");                  /* Read, write and create log files */
# unveil(NULL, NULL);                              /* Lock the unveil list */
# pledge("stdio rpath wpath cpath inet", NULL);    /* wpath/cpath are needed to write logs */
# A process that breaks its pledge is killed with SIGABRT and the kernel logs
# the violation; check for these rather than looking for a ps column
dmesg | grep -i pledge
```
Chroot Environments
```sh
# Chroot for service isolation
# Create minimal environments
# Copy only required files (OpenBSD's own httpd runs chrooted in /var/www by default)
# Example chroot setup
mkdir -p /var/chroot/www/{bin,lib,etc,var/www}
# Copy binaries and libraries (ldd(1) lists the shared libraries a binary needs)
# Configure within chroot
# Chroot limitations
# Does not restrict network access
# Does not prevent privilege escalation: a root process can escape a chroot,
# so run the chrooted service as an unprivileged user
# Should be combined with other protections (dedicated user, pledge/unveil, pf)
```
Binary Signing
```sh
# Signify - cryptographic signing
# Verify software integrity
# Prevent tampering
# Generate a key pair
signify -G -p pubkey.pub -s privkey.sec
# Sign a file (writes file.txt.sig)
signify -S -s privkey.sec -m file.txt
# Verify (exits non-zero on a bad signature)
signify -V -p pubkey.pub -x file.txt.sig -m file.txt
# Package signing
# OpenBSD releases and packages are signed; pkg_add verifies them against the
# release public keys shipped in /etc/signify/
ls /etc/signify/
```
🎨 System Integrity
File Integrity Monitoring
```sh
# mtree - file integrity checking
# Create file specifications
# Verify system integrity
# Create mtree specification (include checksums, not just size and mtime)
mtree -c -K sha256digest -p /etc > /etc/mtree/etc.mtree
# Verify file integrity (reports changed entries; exits non-zero on differences)
mtree -f /etc/mtree/etc.mtree -p /etc
# Automated integrity checking
# Regular mtree verification (from cron or the daily(8) scripts)
# Alert on changes
# Log integrity violations
# Keep a read-only or off-host copy of the specification: a spec that lives
# inside the tree it checks can be regenerated along with the modified files
```
Audit Subsystem
```sh
# OpenBSD audit capabilities
# OpenBSD ships no BSM/auditd framework; equivalent visibility comes from
# syslog, the daily security(8) report and BSD process accounting
# Process execution logging: enable accounting and review it with lastcomm(1)
rcctl enable accounting
accton /var/account/acct
lastcomm | head
# File access monitoring: security(8) runs daily and mails changes to
# setuid/setgid files, /etc, passwd and other key files to root
# Security event tracking: /var/log/authlog and /var/log/secure
# Audit log analysis
# Identify security events
# Correlate security incidents
# Generate audit reports
```
Patch Management
```sh
# Security patch management
# Regular syspatch updates (base system only; packages are updated separately)
# Security advisories monitoring (the errata page on openbsd.org)
# Apply security patches
syspatch        # Apply outstanding patches (reboot if a kernel patch was applied)
# Check patch status
syspatch -c     # List available, not yet installed patches
syspatch -l     # List installed patches
# Update installed packages
pkg_add -u
# Security update policy
# Regular patch schedule
# Emergency patch procedures
# Patch testing procedures
```
🔍 Security Monitoring and Response
Log Management
```sh
# Centralized logging
# /var/log/ - system logs
# syslogd configuration: /etc/syslog.conf (forward to a log host with @loghost or @tls://loghost)
# Important log files
# /var/log/messages - general system messages
# /var/log/authlog  - authentication events (sshd, login, doas)
# /var/log/secure   - security events
# /var/log/maillog  - mail system events
# Log rotation
# newsyslog - log rotation utility, configured in /etc/newsyslog.conf
# Configure retention policies
# Monitor log space usage
df -h /var
# Log analysis
# Automated log monitoring
# Security event correlation
# Incident response procedures
```
Intrusion Detection
```sh
# Host-based intrusion detection
# Monitor system calls
# Track file access patterns
# Detect anomalous behavior
# Network intrusion detection
# Monitor network traffic
# Detect attack patterns
# Alert on suspicious activity
# Security monitoring tools
# Custom monitoring scripts
# Integration with SIEM systems
# Real-time alerting
```
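As an added example that is not part of the original page, this script implements the "automated log monitoring" and "host-based detection" bullets of the two sections above for one concrete signal: failed SSH password attempts in /var/log/authlog, counted per source address. The log lines are constructed for offline testing and follow sshd's message formats; `failed_logins_by_source` and `root_login_attempts` are names chosen here.

```sh
# Constructed sample authlog lines for offline testing (not from a real host)
SAMPLE_AUTHLOG=$(mktemp)
cat > "$SAMPLE_AUTHLOG" <<'EOF'
Mar  3 10:01:02 gw sshd[1201]: Failed password for root from 203.0.113.7 port 4001 ssh2
Mar  3 10:01:05 gw sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 4002 ssh2
Mar  3 10:01:09 gw sshd[1203]: Failed password for invalid user test from 203.0.113.7 port 4003 ssh2
Mar  3 10:02:11 gw sshd[1210]: Failed password for ops from 198.51.100.20 port 5100 ssh2
Mar  3 10:02:30 gw sshd[1212]: Accepted publickey for ops from 198.51.100.20 port 5101 ssh2
Mar  3 10:03:00 gw doas: ops ran command /sbin/pfctl -sr as root from /home/ops
EOF

# failed_logins_by_source FILE [MIN] -> "ADDR COUNT" for every source with at
# least MIN failed password attempts (default 1), busiest source first.
# "invalid user" lines shift the fields, so the address is taken as the token
# that follows "from" rather than by fixed column number.
failed_logins_by_source() {
    awk -v min="${2:-1}" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { count[$(i + 1)]++; break }
        }
        END { for (a in count) if (count[a] >= min) print a, count[a] }
    ' "$1" | sort -k2,2nr
}

# root_login_attempts FILE -> number of failed password attempts against root
# (grep -c exits 1 when the count is 0, which is not an error here)
root_login_attempts() {
    grep -c 'sshd\[[0-9]*\]: Failed password for root from' "$1" || true
}

# Example run: sources with 3 or more failures are worth a closer look
failed_logins_by_source "$SAMPLE_AUTHLOG" 3
echo "root attempts: $(root_login_attempts "$SAMPLE_AUTHLOG")"
```

On a real host, point the functions at /var/log/authlog (readable by root) or at the rotated copies newsyslog leaves behind.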
Incident Response
```sh
# Security incident procedures
# Containment strategies
# Evidence preservation
# Recovery processes
# Emergency response
# System isolation
# Service suspension
# Forensic analysis
# Post-incident activities
# Root cause analysis
# Security improvements
# Documentation updates
```
🧾 Summary Security Controls
Security Layers
| Layer | Controls | Purpose |
| --- | --- | --- |
| Physical | Secure hardware, locked cabinets | Prevent physical access |
| Network | PF firewall, IPsec | Control network access |
| Kernel | W^X, ASLR, ProPolice | Prevent exploitation |
| Process | Pledge/unveil, chroot | Limit process capabilities |
| User | Strong passwords, doas | Control user privileges |
| Application | Signed binaries, secure coding | Ensure application integrity |
| Data | File permissions, encryption | Protect data confidentiality |
Default Security Features
✅ Stack protection enabled
✅ W^X memory protection
✅ ASLR enabled
✅ Randomized malloc
✅ Privilege separation in services
✅ Secure default configurations
✅ Strong password requirements
✅ PF firewall available
✅ Binary signing verification
🧠 Security Best Practices
Administrative Guidelines
✅ Proactive Security:
- Keep system updated with syspatch
- Monitor security advisories
- Implement defense in depth
- Regular security audits
- Principle of least privilege
✅ Configuration Management:
- Secure default configurations
- Minimal service installations
- Regular configuration reviews
- Change management procedures
- Backup and recovery plans
✅ Monitoring and Response:
- Centralized log management
- Real-time security monitoring
- Incident response procedures
- Regular security testing
- Threat intelligence integration
❌ Common Security Mistakes:
- Running services as root unnecessarily
- Disabling security features
- Weak password policies
- Inadequate logging and monitoring
- Ignoring security updates
- Poor access control management
Security Assessment Checklist
```sh
# Security assessment script
security_checklist() {
    echo "=== OpenBSD Security Assessment ==="
    # Check security level
    echo "Security Level: $(sysctl -n kern.securelevel)"
    # Check PF status (rcctl exits 0 when pf is enabled)
    if rcctl get pf status >/dev/null 2>&1; then
        echo "PF Firewall: Enabled"
    else
        echo "PF Firewall: Disabled"
    fi
    # Check SSH configuration: sshd -T prints the effective, lower-cased
    # configuration, so this also catches the built-in default when the
    # file is silent (a plain grep of sshd_config would not)
    if sshd -T 2>/dev/null | grep -q '^permitrootlogin no'; then
        echo "SSH Root Login: Disabled"
    else
        echo "SSH Root Login: Potentially Enabled"
    fi
    # Check doas configuration
    if [ -f /etc/doas.conf ]; then
        echo "doas Configuration: Present ($(wc -l < /etc/doas.conf) lines)"
        doas -C /etc/doas.conf || echo "doas Configuration: SYNTAX ERROR"
    else
        echo "doas Configuration: Missing"
    fi
    # Check for unnecessary services
    echo "Running Services: $(rcctl ls started | wc -l)"
    rcctl ls started
    # Check patch status
    echo "Pending Patches: $(syspatch -c | wc -l)"
    echo "=== Assessment Complete ==="
}
security_checklist
```
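The sshd_config hardening list in the Network Service Security section and the root-login check in the assessment script above both depend on reading sshd_config correctly. As an added example that is not part of the original page, this script reports the effective value of each directive the way sshd resolves it: the first occurrence of a keyword wins, keywords are case-insensitive, and comments and leading whitespace are ignored, so a bare `grep "^PermitRootLogin no"` can both miss a setting and mis-report it. It assumes the plain "keyword value" form (Match blocks and `key=value` are not handled); the sample file is constructed, and `sshd_setting` and `check_sshd` are names chosen here.

```sh
# Constructed sample sshd_config for offline testing (not a real host's file):
# indented keyword, a commented-out override, and a duplicate directive
SAMPLE_SSHD_CONFIG=$(mktemp)
cat > "$SAMPLE_SSHD_CONFIG" <<'EOF'
# hardened sshd_config (constructed sample)
   permitrootlogin no
PasswordAuthentication no
PubkeyAuthentication yes
#PermitRootLogin yes
PasswordAuthentication yes
ClientAliveInterval 300
EOF

# sshd_setting FILE KEYWORD -> effective value, or "default" if the file is silent
sshd_setting() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }                 # skip comments and blank lines
        tolower($1) == key { print $2; found = 1; exit }  # first occurrence wins
        END { if (!found) print "default" }
    ' "$1"
}

# check_sshd FILE -> one PASS/FAIL line per directive; returns 1 if any fails
check_sshd() {
    rc=0
    while read -r keyword expected; do
        actual=$(sshd_setting "$1" "$keyword")
        if [ "$actual" = "$expected" ]; then
            echo "PASS $keyword=$actual"
        else
            echo "FAIL $keyword=$actual (expected $expected)"
            rc=1
        fi
    done <<'EOF'
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
ClientAliveInterval 300
ClientAliveCountMax 2
EOF
    return $rc
}

check_sshd "$SAMPLE_SSHD_CONFIG" || echo "sshd_config needs attention"
```

On a live OpenBSD host `sshd -T` remains the authoritative view; this parser is for reviewing config files offline, for example from backups or a configuration repository.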
🧾 See Also