| Phenomenal, cosmic power! Itty-bitty living space. The Genie
Disney's Aladdin FreeBSD and OpenBSD provide unique and powerful features that make excellent building blocks for any secure deployment. This chapter gives you a tour of the most important ones and describes how you can get the most out of them. We will be uncovering functionality that has been in these operating systems for years, yet you may never have known it was there. In the end, you'll have a whole new set of tools you can apply to the different security challenges you face. The goal of this chapter is to provide you with a set of building blocks that will become rudiments in your security repertoire. In later chapters we discuss how to combine these different rudiments to create more complex security structures that protect individual processes or whole systems. We group our building blocks into five categories.
- The filesystem
-
If you've worked with any kind of Unix filesystem in the past, this chapter will start in familiar territory. It's only a stepping-off point, however. The BSD systems offer significantly advanced features in their filesystems that are not duplicated on many other Unix-like operating systems. We explore these new features in depth, tell you how to use them, and describe some of the situations where they apply well.
- The kernel
-
The BSD kernels provide a variety of tunable options, many of which can help us secure our systems. We cover what they do and how to modify the kernel's behavior to use the features you want.
- User process controls
-
There are a variety of controls that are on the border between the kernel and user applications that help us isolate what our applications can do. We explore two technologies, namely chroot(2) and jail(2), for protecting user-level processes from each other.
- Inherent protections
-
One of the reasons OpenBSD and FreeBSD make such phenomenal choices for critical infrastructure systems is because of a slew of inherent security-related enhancements. The BSD development teams are working to create systems that are secure by default. We tell you about some of the benefits you "get for free" by running the BSDs, like buffer overflow protections in OpenBSD and hardware cryptography support in both operating systems.
- Optimizations
-
Related to our discussion of ensuring system availability in Chapter 1, there are ways to make sure your system allocates its resources and attention to the jobs that are most important to you. For example, you can emphasize file I/O or network transactions instead of just running a general-purpose system.
Remember that there is no magic security pill and no single prescription that repels all ills. You will combine these blocks in whatever ways make sense in your situation. |
