LinuxQuestions.org
*BSD This forum is for the discussion of all BSD variants.
FreeBSD, OpenBSD, NetBSD, etc.

Old 01-11-2019, 06:23 PM   #1
cerber
LQ Newbie
 
Registered: Dec 2017
Posts: 21

Rep: Reputation: Disabled
How OpenBSD is secure compared to other operating systems?


I read many times OpenBSD is the most secure system and it has a minimal code base which affects its security. I'm curious how OpenBSD is secure comparing to other operating systems from BSD family (mainly FreeBSD, NetBSD, and HardenedBSD) and comparing to any hardened Linux (for example Gentoo, Arch, Slackware, Debian, RHEL etc.). Let's take into account FreeBSD - if we wish containerization, it has jails, if we wish MAC then FreeBSD has its built-in while in Linux we have a lot of different approaches and solutions - SELinux, RBAC, Apparmor, Firejail, Docker, LXC etc.
Let's consider two cases:

1. desktop - we assume using this system mainly for day-to-day operations, programming, sysadmin, running pentesting distro in VM etc.,
2. server - a website written in whatever programming language (for example PHP, Python, Ruby), mail server, IRC bouncer, LDAP, VPN etc.
Are default applications in OpenBSD such as OpenNTPd, httpd, OpenSMTPd more secure than tlsdate, nginx, postfix and dovecot?
 
Old 01-11-2019, 06:43 PM   #2
JWJones
Senior Member
 
Registered: Jun 2009
Posts: 1,444

Rep: Reputation: 709
I recently read this article, updated as of last month, regarding OOTB security ranking of various OS:

https://www.quora.com/Is-BSD-more-secure-than-Linux

Granted, security is a process, and even an OpenBSD box can be made unsecure by poor configuration choices.
 
Old 01-13-2019, 09:15 AM   #3
jggimi
Member
 
Registered: Jan 2016
Distribution: None. Just OpenBSD.
Posts: 289

Rep: Reputation: 169
As you must have seen when you asked this question on multiple subreddits ... everyone has their favorites, and everyone has an opinion.
I have one too, which is:

Security is a process, it is not a product you install.

Whether "desktop" or "server" makes no difference. Any application you happen to run is a collective. The application, supporting services, libraries, subfunction systems, operating system, physical architecture, and microcode are all part of delivering something ill-defined and unclear called "security."
 
4 members found this post helpful.
Old 01-05-2021, 05:05 PM   #4
rufwoof
Member
 
Registered: Nov 2017
Distribution: Kernel+busybox+ssh+vnc+alsa (framebuffer)
Posts: 201

Rep: Reputation: Disabled
OpenBSD comes secure by default. As a desktop system with a browser installed it keeps things like ssh keys and hardware fingerprinting much more obscured than many Linux systems. Being a single 'whole' rather than a kernel + third parties (as per Linux) it's more inclined to be more secure.
 
Old 01-06-2021, 12:34 PM   #5
jmccue
Member
 
Registered: Nov 2008
Location: US
Distribution: slackware
Posts: 688
Blog Entries: 1

Rep: Reputation: 380

I do not think I ever saw this question.

But one development in OpenBSD I noticed is that pledge(2) and unveil(2) have been added to Firefox. I noticed it with 6.8, and you can adjust it using files in /etc/firefox-esr.

To me that minimizes some risk Firefox can present to you.
 
Old 01-07-2021, 07:24 AM   #6
rufwoof
Member
 
Registered: Nov 2017
Distribution: Kernel+busybox+ssh+vnc+alsa (framebuffer)
Posts: 201

Rep: Reputation: Disabled
Firefox-esr works better for me in OpenBSD, chromium throws out more regular 'Oh snap!'. I had noticed the 6.8 pledge/unveil settings for /etc/firefox-esr, but haven't changed the defaults. The only changes I've made are to redirect the default search engine over to DuckDuckGo instead of Google.

Security is subjective ... data, keys (ssh), fingerprinting/tracking, penetration/persistence ...etc. At least from a 'desktop user' perspective.

If userid separation can be breached, such as privilege elevation at the main/host level, then it's game over. If that is reflected into a container then it's still most likely game over.

The way I address it is I boot a minimal Linux that wifi net connects and establishes sound, and within that I boot OpenBSD using kvm/qemu. I do it that way as otherwise OpenBSD doesn't 'see' my wifi (in the kvm/qemu OpenBSD it picks up the wifi net connection as though it were hard wired ethernet). If for instance I use the Linux (host) system to ssh and store data then that is relatively secure and the ssh keys are outside of the OpenBSD system - that I use for browsing.

In addition to that laptop I also use an old desktop system as a server, that has the main TV as its display. A nice feature with kvm/qemu is that you can boot in snapshot mode, i.e. all changes are lost at shutdown and the system reverts to being clean, so the server is a form of DIY VPS with disposable sessions, that when I vnc into that from my laptop (or phone) and browse, has sites see the server's fingerprints and IP, not the device I'm actually using. I also tunnel traffic (socks5), so sites see that IP, not the server's IP, nor can my ISP see any traffic other than just the ssh link/tunnel that socks5 uses.

Yes, if google has say 1 pixel transparent images in many many web sites (one way or another) that provides them with what source IP and when that page was viewed, or send inaudible tones to one device and have other devices report back that they hear that tone ... along with the numerous other 'tracking' methods used, then it is the server's IP that is reported, where any one of a number of individuals could be vnc controlling that server. Giveaways would of course be if a direct login to a site occurred and was recorded, such as logging into google/yahoo/facebook/etc. services - which I personally do infrequently. Similarly DNS lookups aren't directly associated, but instead are sourced from a multi-shared source (socks5 IP/ssh server). Nor is any javascript run on the actual device, again that's run on the server.

In some Linux distros/browsers for instance browse to file:///sys/devices/virtual/dmi/id ... and javascript could pick up/feed-back details such as motherboard serial number/whatever, so even if you went through tor/tails but a site was given permission to run javascript (as is more often needed in order to just see a web site's content), then that's usually game-over, but in my case has the server's motherboard serial number being reported back, not my actual device's motherboard serial number.

So for me the setup I use addresses data security (separation); ssh key security (again separation); tracking/fingerprinting; And penetration persistence risk factors. But as others have said that is a process, not a product.

If I tried setting up say a Linux box to be secure, more likely I wouldn't configure something correctly such that that 'bug' invalidated the security. As I set things up however and that is relatively secure as largely I'm just using defaults - that the OpenBSD crew had already set to secure defaults. My Linux host levels can be insecure, as they're not used for browsing, such that any Linux insecurities are irrelevant (a hacker would have to 'own' the OpenBSD system(s) and escape that in order to get to the Linux layer).

Last edited by rufwoof; 01-07-2021 at 07:46 AM.
 
Old 01-07-2021, 07:56 AM   #7
rufwoof
Member
 
Registered: Nov 2017
Distribution: Kernel+busybox+ssh+vnc+alsa (framebuffer)
Posts: 201

Rep: Reputation: Disabled
Fundamentally if you want security you have to forego using a gui browser. Base OpenBSD doesn't come with a browser and as such is more secure - but can you live/work with that? http/https is pretty much now google owned/controlled - provided at zero $ cost, but instead paid for in the form of 'oneself' - all/any personal data/activities being recorded, as though you'd given permission for a stranger to enter your home and report back all activities.

That is in breach of human rights in many countries, but is overlooked. Capitalism ($$$'s) trumps freedom.

Some, perhaps even many OpenBSD users may be content with just base OpenBSD. Calculator (xcalc), graphical editor (xedit) and ssh - that facilitates ssh'ing into a server where you aren't giving others permission to run things on your local device, and from where you can communicate with others, such as via maillists, irc, whatever. Separate to that you might run a graphical browser, perhaps via vnc, or using a phone, where you accept that everything done via that can be monitored/recorded, and being mindful of that take care with what you do share/do. In effect consider it as being hacked/open by default.
 
Old 03-31-2023, 10:47 PM   #8
DracoSentien
Member
 
Registered: May 2019
Location: Bronx New York
Distribution: Debian
Posts: 38

Rep: Reputation: Disabled
Quote:
Originally Posted by rufwoof
Fundamentally if you want security you have to forego using a gui browser. Base OpenBSD doesn't come with a browser and as such is more secure - but can you live/work with that? http/https is pretty much now google owned/controlled - provided at zero $ cost, but instead paid for in the form of 'oneself' - all/any personal data/activities being recorded, as though you'd given permission for a stranger to enter your home and report back all activities.
There is unveil and pledge for the main web browsers, in ports, and OpenBSD has LibreSSL for HTTPS etc... However, VPNs and SSL/HTTPS can be cracked by the NSA unlike a well configured SSH/SSHD and TOR (can only be de-anonymized a small fraction of the time). Xenodm is highly secure too.


Quote:
Some, perhaps even many OpenBSD users may be content with just base OpenBSD. Calculator (xcalc), graphical editor (xedit) and ssh - that facilitates ssh'ing into a server where you aren't giving others permission to run things on your local device, and from where you can communicate with others, such as via maillists, irc, whatever. Separate to that you might run a graphical browser, perhaps via vnc, or using a phone, where you accept that everything done via that can be monitored/recorded, and being mindful of that take care with what you do share/do. In effect consider it as being hacked/open by default.
[removed]. I guess you never heard of chained SSH socks 5 proxies or torsocks or whatnot with ssh w/ spoofed mac addresses? etc. etc.

Last edited by DracoSentien; 04-01-2023 at 08:22 AM.
 
Old 03-31-2023, 11:03 PM   #9
DracoSentien
Member
 
Registered: May 2019
Location: Bronx New York
Distribution: Debian
Posts: 38

Rep: Reputation: Disabled
Quote:
Originally Posted by cerber
I read many times OpenBSD is the most secure system and it has a minimal code base which affects its security. I'm curious how OpenBSD is secure comparing to other operating systems from BSD family (mainly FreeBSD, NetBSD, and HardenedBSD) and comparing to any hardened Linux (for example Gentoo, Arch, Slackware, Debian, RHEL etc.). Let's take into account FreeBSD - if we wish containerization, it has jails, if we wish MAC then FreeBSD has its built-in while in Linux we have a lot of different approaches and solutions - SELinux, RBAC, Apparmor, Firejail, Docker, LXC etc.
Let's consider two cases:

1. desktop - we assume using this system mainly for day-to-day operations, programming, sysadmin, running pentesting distro in VM etc.,
2. server - a website written in whatever programming language (for example PHP, Python, Ruby), mail server, IRC bouncer, LDAP, VPN etc.
Are default applications in OpenBSD such as OpenNTPd, httpd, OpenSMTPd more secure than tlsdate, nginx, postfix and dovecot?
OpenBSD is definitely the most secure OS but it is built around the idea that insecurity is caused by the end-user doing something stupid as OpenBSD is for computer/tech expert users only basically by hackers for hackers or a research operating system for security researchers. A very first release of UNIX was called PWB or programmer's workbench and Linux is not UNIX (non-TM).

The code base is cleaner, audited and the code quality is generally higher. It is also more minimal. Much of the splendor of OpenBSD hides in the coding style of the developers.

OpenBSD has pledge and unveil, and while Firefox etc. can use firejail/apparmor on Linux, the latter is stupid for similar reasons to SELinux: it is complicated to set up right. Much of the security of OpenBSD is invisible to the user and just works.

The list of OpenBSD security innovations is on the OpenBSD website and OpenBSD turns on all available security features unlike other OS's where it might be optional. Generally a hacker exploits an app not the OS but OpenBSD can severely limit the damage that can be done in the rare instance it happens on the OpenBSD system:

https://www.openbsd.org/innovations.html

The short answer is that it is more secure in those two instances but you have to be a competent sysadmin and have UNIX skills. There is really much more to say but I am tired and it is late at night.

P.S. OpenBSD is not meant to run in a VM; you can do it but it is a dumb thing to do IMHO.

Last edited by DracoSentien; 04-01-2023 at 08:18 AM.
 
Old 04-01-2023, 01:52 PM   #10
jeremy
root
 
Registered: Jun 2000
Distribution: Debian, Red Hat, Slackware, Fedora, Ubuntu
Posts: 13,602

Rep: Reputation: 4084
DracoSentien, comments like those in post #8 aren't acceptable at LQ. If you'd like to continue participating here, please refrain from this moving forward. Thanks.

--jeremy
 
Old 04-01-2023, 07:02 PM   #11
verndog
Member
 
Registered: Oct 2007
Posts: 278

Rep: Reputation: 67
Using Ubuntu as my main daily driver. Also have several other Linux distros installed, I use from time to time.
I have used BSD in the past, since my work was in Unix (long since retired).
After reading these comments, I'm going to install a version of BSD on another HD and renew my knowledge and hopefully go forward.
 
Old 04-06-2023, 09:55 AM   #12
hitest
Guru
 
Registered: Mar 2004
Location: Canada
Distribution: Void, Debian, Slackware
Posts: 7,342

Rep: Reputation: 3746
The base install of OpenBSD is secure by default. However, as you start installing applications you may introduce problems to your system.
 
1 members found this post helpful.
  



All times are GMT -5. The time now is 11:05 AM.
