2.7. Wrapping Up

We've covered a number of security-oriented features that make FreeBSD and OpenBSD unique among Unices, as well as among operating systems in general. These features give you an edge in securing your system. By adding a few sysctl variables to your standard configuration, you can tune the system's behavior to fit the security posture that you need. You can reduce your visibility on the network, help thwart scans and denial-of-service attacks, and reduce the amount of resources malicious folks can consume on your network. By combining the kernel securelevel and UFS filesystem flags, you can more strongly protect many critical pieces of the operating system. If your users need the flexibility of ACLs, you can give them ACLs as well to specify filesystem permissions with finer granularity.

Your options are not quite as diverse on OpenBSD systems. Still, it's clear that the effort the development team has gone through to follow the defense in depth, least-privilege, fail-safe, and other principles yields great rewards. Careful code audits, privilege separation whenever possible, service-based users, W^X, and ProPolice: it's all good stuff.

As you read through the chapters in this book, look for places where the building blocks in this chapter can be put to good use. Feel free to play around with them and find a solution that works for you.

    Mastering FreeBSD and OpenBSD Security
    ISBN: 596006268