On 12/09/15 09:15, Neil Winchurst wrote:
> Thank you for taking the time to give me such a long and very helpful
> answer. I will certainly look further into this and report on any
> progress.
>
> Just one question, is BSD really more secure than Linux?

Never answered this, which I meant to: difficult question Neil, for the usual reasons. What kind of metric do you want to use? A BSD box set up by an idiot will be as insecure as any Linux, Windows or VMS system set up by an idiot. An expert can make any of those systems pretty much bulletproof.

However, complexities aside I do understand the basic premise of your question. BSD has a much lower usage than Linux for example: by definition that means it has a lower attack surface than Linux. Fewer people are actively scanning the source, coding up exploits and actively making money by professionally breaking BSD (presumably: I'm going with the pure economics of the criminal underground here - I definitely do not know this for a fact).

The BSDs are 'cleaner' for want of a better phrase: from an audit perspective a sufficiently skilled agent could technically sign off a BSD system more easily than a random Linux install. It would still be a ludicrously difficult and enormously technically challenging thing to have to do but if I was given the job I'd breathe a lot easier auditing OpenBSD than Ubuntu or even Debian, for example.

So to directly answer your question, it's all down to the circumstances, the admin, the users and a million other things I'm afraid: in short, I don't have an answer because realistically there isn't one.

There is however one exception:

https://en.wikipedia.org/wiki/Securelevel

All BSDs can operate with these restrictions in place, however, in my experience, only OpenBSD does it properly.

If you're not using any third party and unaudited software (so nothing from the ports tree) and you're purely using native OpenBSD code, stick it in securelevel 2 and realise that your system is so locked down a lot of stuff just isn't going to work properly then the answer is "Yes". OpenBSD in this very strict definition and awkwardly restrictive usage mode is indeed more secure than Linux.

I doubt you'd enjoy it very much though: in this mode OpenBSD is very much a server style OS, usually for networking related stuff such as firewall/router/gateway, or even BGP. For what it's worth, there is just such a machine between my network and the entire internet - I've used many different customised systems from IPcop and smoothwall to pfsense and expensive proprietary stuff I "borrowed" from work over the years but the only one I really, really trust is my OpenBSD box. Wouldn't want to use it as my daily driver though.

I'll leave you with this, right from the OpenBSD homepage:

"Only two remote holes in the default install, in a heck of a long time!"

That might not look like much, but compared to every other OS in history it's positively miraculous. Two remotely exploitable flaws in the standard install. Ever.

I'd definitely recommend firing up VBox and getting an OpenBSD instance up for fun and profit. Obviously feel free to ask if you need a pointer (after lauding it up so much I should definitely balance it a little by admitting that coming from Linux, some stuff in BSD-land just makes me want to bang my head against the table).

Cheers

--
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq