2.7. Wrapping Up
We've covered a number of security-oriented features that make FreeBSD and OpenBSD unique among Unices, as well as among operating systems in general. These features give you an edge in securing your system. By adding a few
to your standard configuration, you can tune the behavior to fit the security
that you need. You can reduce your visibility in the network, help thwart
and denial-of-service attacks, and reduce the amount of resources malicious folks can
on your network. By combining the kernel
and UFS filesystem flags you can more strongly protect many critical pieces of the operating system. If your users need the flexibility of ACLs, you can give them ACLs as well to specify filesystem permissions with finer granularity.
Your options are not quite as diverse on OpenBSD systems. Still, it's clear that the effort the development team has gone through to follow the defense in depth, least-privilege, fail-safe, and other principles yield great rewards. Careful code
, privilege separation whenever possible, service-based users, W^X, and ProPolice—it's all good stuff.
As you read through the chapters in this book, look for places where the building blocks in this chapter can be put to good use. Feel free to play around with them and find a solution that works for you.