2010-05-31

linux vs bsd security

5.20: web.addn/laptop`os selection:

. win'xp is just too bogged down with security issues,
so I'm going for a more secure os,
one that doesn't rely on disruptive anti-malware,
and won't run my laptop's fan so hard .
. as long as I'm making the move for security,
is bsd better than linux ?
review freebsd, vs openbsd, vs TrustedBSD .

. gui for openbsd?
openbsdsupport.org/desktopOBSD.html

. wiki for sec'focused os .
Security-focused_operating_system

. TrustedBSD -- cap'based sec
en.wikipedia.org/wiki/TrustedBSD
TrustedBSD is a sub-project of FreeBSD designed to add
trusted operating system extensions, targeting the
Common Criteria for Information Technology Security Evaluation
(see also Orange Book ).
fine-grained capabilities .
-- access control lists are known to be confronted with
the confused deputy problem,
capabilities are a different way to avoid this issue.
. ported the NSA's FLASK/TE implementation from SELinux
. OpenBSM, an open source implementation of Sun's
Basic Security Module (BSM) API and audit log file format,
supports an extensive security audit system.
While most components of the TrustedBSD project
are eventually folded into the main sources for FreeBSD,
many features, once fully matured,
find their way into other operating systems.
For example, OpenPAM and UFS2
have been adopted by NetBSD .
. the TrustedBSD MAC Framework
has been adopted by Apple for Mac OS X .
Much of this work was sponsored by DARPA .

Ubuntu security
Ubuntu is the most popular Linux distribution,
and is built with security and protection in mind.
While the desktop version of Ubuntu provides a GUI ,
the server version avoids that
added security vulnerability.
[todo: what's the diff?]
Ubuntu developers made a conscientious decision
to disable the administrative root account:
it's been given a password which
matches no possible encrypted value,
therefore may not log in directly by itself.
This makes the system very secure
as the only way to get root privilege
is to use the "sudo" command.
Moreover, AppArmor is installed and loaded by default.
It uses profiles of an application
to determine what files and permissions
the application requires.

an openbsd server admn goes to Ubuntu's
JeOS
(Just Enough Operating System):
. linux was more of security threat back then .
"( Ubuntu JeOS is a version of Ubuntu that has
an optimized VMWare kernel. (50MB or so)
. the packaging system didn't require me to install
X11, TCL, Ruby, PHP, or MySQL for my server setup.
I was able to get just the tools I needed.) .