https://why-openbsd.rocks/ Recent content on Why OpenBSD rocks Hugo -- gohugo.io en https://why-openbsd.rocks/fact/etc-examples/ Mon, 01 Jan 0001 00:00:00 +0000 https://why-openbsd.rocks/fact/etc-examples/ Since most administration is done by editing system configuration files in etc, the /etc/examples directory gives administrators a comprehensive set of example configuration files. At present there are approximately four dozen examples that are designed to be edited and copied into /etc. For example, the file /etc/examples/pf.conf is a more complete and more heavily commented version of the file it can replace, /etc/pf.conf. Details: pf.conf(8) - OpenBSD manual pages https://why-openbsd.rocks/fact/64bit-time/ Mon, 01 Jan 0001 00:00:00 +0000 https://why-openbsd.rocks/fact/64bit-time/ OpenBSD is one of the first operating systems to be safe from the “Year 2038 Problem”. 64-bit time was introduced in 2013, so you don’t have to worry about the Unix Epoch 32-bit issue. Details: 64-bit Time on OpenBSD OpenBSD 5.5 Changelog Year 2038 problem - Wikipedia https://why-openbsd.rocks/about/ Mon, 01 Jan 0001 00:00:00 +0000 https://why-openbsd.rocks/about/ Every now and then (at conferences, the office, the local hackerspace) people ask: “You are using OpenBSD? Why?” There are a bazillion great things about OpenBSD. The people, the philosophy and the technology. “The Members of the OpenBSD Community are masters of reducing complexity” Michael W. Lucas (Author “Absolute OpenBSD”) This site shows random facts about the great functionality and ideas behind OpenBSD, and explains why people are so enthusiastic about it. https://why-openbsd.rocks/fact/acme-client/ Mon, 01 Jan 0001 00:00:00 +0000 https://why-openbsd.rocks/fact/acme-client/ OpenBSD has got its own ACME client, which ships by default in the base system. It has a nice config syntax, sane defaults and is well integrated with the OS. Details: OpenBSD 6.1 Changelog acme-client(1) - OpenBSD manual pages g2k16 Hackathon Report: Florian Obser on httpd, networking, acme-client, and more https://why-openbsd.rocks/fact/afterboot/ Mon, 01 Jan 0001 00:00:00 +0000 https://why-openbsd.rocks/fact/afterboot/ After the first complete boot succeeded to the installation, OpenBSD purposes a complete document to list items for the system administrator to check and set up. The idea is to create a list of items that can be checked off so that you do not forget anything important. Details: afterboot(8) - OpenBSD manual pages OpenBSD 2.2 Changelog https://why-openbsd.rocks/fact/anoncvs/ Mon, 01 Jan 0001 00:00:00 +0000 https://why-openbsd.rocks/fact/anoncvs/ OpenBSD pioneered anonymous CVS, which allows anyone to extract the full source tree for any version of OpenBSD at any time - no tarball downloads, no user accounts needed. In the Fall of 1995 when we started our own open source operating system project called OpenBSD, we decided to use CVS to manage the OpenBSD source tree. Based on our experiences with the previous open source project we were involved with, we recognized the inherent conflict between trying to maintain an open environment while maintaining a private CVS source repository that only privileged users could access. https://why-openbsd.rocks/fact/anti-rop/ Mon, 01 Jan 0001 00:00:00 +0000 https://why-openbsd.rocks/fact/anti-rop/ The order of symbols in libc.so are randomized at boot time to prevent “Return oriented programming”. An attacker gains control of the call stack to hijack program control flow and then executes carefully chosen machine instruction sequences that are already present in the machine’s memory. With randomized symbols, this is not an attack vector anymore. Details: ‘anti-ROP mechanism in libc’ - MARC OpenBSD 6.0 Changelog Return-oriented programming - Wikipedia https://why-openbsd.rocks/fact/arc4random/ Mon, 01 Jan 0001 00:00:00 +0000 https://why-openbsd.rocks/fact/arc4random/ OpenBSD has its own cryptographic random number generator. Wherever random input is needed, arc4random is used. arc4random is an abstraction layer for currently considered as safe ciphers and produces ChaCha20 ciphers at the moment Arc4random is “A Replacement Call For Random”, to generate very quickly high quality 32-bit pseudo-random numbers. Details: arc4random(3) - OpenBSD manual pages arc4random(9) - OpenBSD manual pages OpenBSD 2.1 - Changelog OpenBSD 5.5 https://why-openbsd.rocks/fact/aslr/ Mon, 01 Jan 0001 00:00:00 +0000 https://why-openbsd.rocks/fact/aslr/ Address Space Layout Randomisation places code, data and stack in randomly selected location in the memory of the OpenBSD Operating System. As a result every execution of a binary ends up in a different layout. This makes it hard for an attacker to predict memory addresses and process behaviour. Details: OpenBSD 3.4 Changelog Address space layout randomization - Wikipedia https://why-openbsd.rocks/fact/audio/ Mon, 01 Jan 0001 00:00:00 +0000 https://why-openbsd.rocks/fact/audio/ For privacy reasons, the OpenBSD team disabled audio recording for all devices by default in the kernel. This can be toggled on/off with a simple sysctl change, without rebooting. sysctl kern.audio.record=1 # enable at runtime echo kern.audio.record=1 >> /etc/sysctl.conf # set at boot Details: OpenBSD 6.4 sysctl(2) - OpenBSD manual pages Audio recording is now disabled by default in OpenBSD | ZDNet https://why-openbsd.rocks/fact/autoinstall/ Mon, 01 Jan 0001 00:00:00 +0000 https://why-openbsd.rocks/fact/autoinstall/ autoinstall offers system administrators a way to fully automate their OpenBSD Installations in a very simple and efficient way. This functionality is actually built into the Operating System. Details: autoinstall(8) - OpenBSD manual pages New disklabel(8) templates make for a more flexible autoinstall https://why-openbsd.rocks/fact/base-system-concept/ Mon, 01 Jan 0001 00:00:00 +0000 https://why-openbsd.rocks/fact/base-system-concept/ When you install OpenBSD, you get a base system that contains various software. For example, sshd, tmux, a HTTP Server, whois , doas, less, make, clang & ftp. Mostly stuff that is needed day to day by a system administrator. A base system with default tools and daemons is a fundamentally different concept than packaged software with preinstalled packages. Details: src/ OpenBSD - Wikipedia https://why-openbsd.rocks/fact/carp/ Mon, 01 Jan 0001 00:00:00 +0000 https://why-openbsd.rocks/fact/carp/ The carp interface is a pseudo-device which implements and controls the CARP protocol. carp allows multiple hosts on the same local network to share a set of IP addresses. Its primary purpose is to ensure that these addresses are always available, but in some configurations carp can also provide load balancing functionality. Details: The carp device first appeared in OpenBSD 3.5. carp(4) - OpenBSD manual pages hostname.if(5) - OpenBSD manual pages ifconfig(8) - OpenBSD manual pages https://why-openbsd.rocks/fact/chrooted-webserver/ Mon, 01 Jan 0001 00:00:00 +0000 https://why-openbsd.rocks/fact/chrooted-webserver/ By default, HTTP daemons are chrooted in /var/www. As an OpenBSD system administrator, you don’t need to configure anything to have a secured webserver installation running. This is also true for HTTP daemons from packages (apache2, nginx). $ getent passwd www www:*:67:67:HTTP Server:/var/www:/sbin/nologin Details: httpd.conf(5) - OpenBSD manual pages chroot(2) - OpenBSD manual pages chroot(8) - OpenBSD manual pages https://why-openbsd.rocks/fact/configuration-syntax/ Mon, 01 Jan 0001 00:00:00 +0000 https://why-openbsd.rocks/fact/configuration-syntax/ All daemons written by and for OpenBSD have config files following a certain scheme; this scheme is similar to pf. Even though there is no formal specification, the unified and readable syntax and vocabulary make OpenBSDs daemons easy to understand and configure. acme-client.conf domain why-openbsd.rocks { domain key "/etc/ssl/private/why-openbsd.rocks.key" domain certificate "/etc/ssl/why-openbsd.rocks.crt" domain full chain certificate "/etc/ssl/why-openbsd.rocks.pem" challengedir "/var/www/htdocs/challenges/" sign with letsencrypt } relayd.conf http protocol https { match request header append "X-Forwarded-For" value "$REMOTE_ADDR" match request header append "X-Forwarded-By" \ value "$SERVER_ADDR:$SERVER_PORT" match request header set "Connection" value "close" # Various TCP options tcp { sack, backlog 128 } tls { no tlsv1. https://why-openbsd.rocks/fact/cron/ Mon, 01 Jan 0001 00:00:00 +0000 https://why-openbsd.rocks/fact/cron/ OpenBSD’s cron(8) daemon can randomize values (~), and prevent multiple jobs from running concurrently (-s). Super useful additions that all cron implementations should have had forever. For example “0~30” will result in a random value between 0 and 30 inclusive. If either (or both) of the numbers on either side of the ‘~’ are omitted, the appropriate limit (low or high) for the field will be used. Example: 0~30 1 * * * [-nsq] echo foo These features are included in OpenBSD 6. https://why-openbsd.rocks/fact/cwm/ Mon, 01 Jan 0001 00:00:00 +0000 https://why-openbsd.rocks/fact/cwm/ Marius Aamodt Eriksen and a few others developed cwm for X11, which contains many features that concentrate on the efficiency and transparency of window management, while maintaining the simplest and most pleasant aesthetic. cwm was released in November 2007 and replaced wm2 in OpenBSD 4.2. Details: cwm(1) Getting started with cwm OpenBSD 4.2 Release OpenBSD 4.2 Changelog Calm Window Manager - Wikipedia https://why-openbsd.rocks/fact/defined-integer-overflows/ Mon, 01 Jan 0001 00:00:00 +0000 https://why-openbsd.rocks/fact/defined-integer-overflows/ Clang, the default compiler on most architectures, have -fwrapv flag enabled by default. GCC also does not include -fstrict-overflow into -O2 optimization option. This tells the compiler to treat signed integer overflows as defined, preventing optimizations which remove security critical overflow checks. This is another example of sane defaults. Details: clang-local(1) - OpenBSD manual pages clang(1) - OpenBSD manual pages gcc-local(1) - OpenBSD manual pages gcc(1) - OpenBSD manual pages https://why-openbsd.rocks/fact/doas/ Mon, 01 Jan 0001 00:00:00 +0000 https://why-openbsd.rocks/fact/doas/ doas replaced sudo because of the latter’s security flaws and large, complex codebase. doas is easy to configure and use and suits most use cases. Its source code is small and elegant too. permit nopass <user> as root permit nopass root Details: doas(1) - OpenBSD manual pages doas - dedicated openbsd application subexecutor OpenBSD 5.8 https://why-openbsd.rocks/fact/dump/ Mon, 01 Jan 0001 00:00:00 +0000 https://why-openbsd.rocks/fact/dump/ dump is a program to maintain incremental filesystem backups. Created backup could be piped through archiver, encryption tool or ssh. Unlike with pax(1), tar(1) and cpio(1) dump can save in backup file with name as long as supported by filesystem. Date of the latest filesystem backup and level of that backup kept in /etc/dumpdates file and could be viewed with dump -W. A file with nodump flag set will by default be backed up by dump during full backups. https://why-openbsd.rocks/fact/dogfood/ Mon, 01 Jan 0001 00:00:00 +0000 https://why-openbsd.rocks/fact/dogfood/ OpenBSD developers tend to use OpenBSD on their laptops and in their daily lives, especially while working on OpenBSD itself. Chances are very high, if you buy a Thinkpad or the like, everything just works out of the box. This results of people actually using their product on their own hardware being challenged by daily life tasks. Details: Eating your own dog food (Wikipedia) https://why-openbsd.rocks/fact/ffs2/ Mon, 01 Jan 0001 00:00:00 +0000 https://why-openbsd.rocks/fact/ffs2/ FFS2 (Enhanced Fast Filesystem) is the new filesystem by default on nearly all architectures, since OpenBSD 6.7. Benefits: FFS2 is faster than its predecessor FFS when creating the filesystem, as well as analyzing it with fsck(8) FFS2 uses 64-bit timestamps and block numbers; so it is not subject to the Y2038 bug. FFS2 supports very large partitions (>= 1TB, since 4.2). Details: FFS2 first appeared in OpenBSD 4.2. OpenBSD 4.2 changelog CVS 1. https://why-openbsd.rocks/fact/file/ Mon, 01 Jan 0001 00:00:00 +0000 https://why-openbsd.rocks/fact/file/ file is sandboxed and runs as the _file user. Think of the following: You download a random file from the internet and analyze it using file. If file has a security hole (local code execution for example) and the downloaded file is configured to exploit this, it can run attacks. That’s why the file utility is sandboxed and chrooted by default. Details: ‘CVS: cvs.openbsd.org: src’ - MARC CVS log for src/usr. https://why-openbsd.rocks/fact/freezero/ Mon, 01 Jan 0001 00:00:00 +0000 https://why-openbsd.rocks/fact/freezero/ The libc function freezero(3) allows programs to free memory that holds sensitive data, and to overwrite it with zeros. Details: OpenBSD 6.2 freezero(3) manpage https://why-openbsd.rocks/fact/fulldiskencryption/ Mon, 01 Jan 0001 00:00:00 +0000 https://why-openbsd.rocks/fact/fulldiskencryption/ OpenBSD supports FDE since 5.3 using softraid(4) and bioctl(8). Details: OpenBSD 5.3 bioctl(8) - OpenBSD manual pages OpenBSD FAQ: Disk Setup https://why-openbsd.rocks/fact/hackathons/ Mon, 01 Jan 0001 00:00:00 +0000 https://why-openbsd.rocks/fact/hackathons/ June 1999 was the first time that a group of OpenBSD developers met in one space to begin working on cryptographic code. Hackathons for OpenBSD now take place three to four times a year and cover a variety of improvements to the codebase. Hackathons are open to developers, or by invite only, and are held all over the world. Funding for hackathons is made possible by donations from people like you. https://why-openbsd.rocks/fact/httpd/ Mon, 01 Jan 0001 00:00:00 +0000 https://why-openbsd.rocks/fact/httpd/ For a long time OpenBSD used a patched version of Apache httpd. After that, nginx was imported into base, but even that was still too big for the base system. Reyk Floeter and Pierre-Yves Ritschard wrote a minimal HTTP server, which replaced all externally developed http servers in the base system for OpenBSD release 5.6. server "www.example.com" { alias "example.com" listen on * port 80 listen on * tls port 443 root "/htdocs/www. https://why-openbsd.rocks/imprint/ Mon, 01 Jan 0001 00:00:00 +0000 https://why-openbsd.rocks/imprint/ German law forces me to put this here. Imprint Angaben gemäß § 5 TMG: Florian Baumann Jakob-Fuchs-Str. 35 95445 Bayreuth mail: flo aett blog domain blog: https://noqqe.de fediverse: https://chaos.social/@noqqe Quelle: eRecht24, Rechtsanwalt für Internetrecht Sören Siebert Haftungsausschluss: Haftung für Inhalte Die Inhalte unserer Seiten wurden mit größter Sorgfalt erstellt. Für die Richtigkeit, Vollständigkeit und Aktualität der Inhalte können wir jedoch keine Gewähr übernehmen. Als Diensteanbieter sind wir gemäß § 7 Abs. https://why-openbsd.rocks/fact/karl/ Mon, 01 Jan 0001 00:00:00 +0000 https://why-openbsd.rocks/fact/karl/ At every install, upgrade, and boot a new kernel is generated with randomized addresses. A unique and unpredictable kernel is a huge security improvement. This technique is called Kernel Address Randomized Link (KARL). Details: ‘kernel relinking’ - MARC OpenBSD 6.2 https://why-openbsd.rocks/fact/kernel-userland/ Mon, 01 Jan 0001 00:00:00 +0000 https://why-openbsd.rocks/fact/kernel-userland/ The kernel and userland in OpenBSD are developed together. The same people who introduce new features to the kernel control the userland. This way, new features can be implemented very fast into all of parts of the OS. See pledge, for example. As Linux Kernel and GNU Core Utilities are developed independently, it would not be possible to introduce pledge to all the tools that easily. https://why-openbsd.rocks/fact/libressl/ Mon, 01 Jan 0001 00:00:00 +0000 https://why-openbsd.rocks/fact/libressl/ The unmaintainable and bloated OpenSSL Codebase was forked after Heartbleed was revealed. The code was thoroughly cleaned up, improved and documented. Besides new modern ciphers FRP256v1, RFC 5639 EC Brainpool, ChaCha20, Poly1305, LibreSSL is API compatible with OpenSSL but without the mess. It is actively developed. Details: LibreSSL: The first 30 days, and what the Future Holds - YouTube origins of libressl LibreSSL https://why-openbsd.rocks/fact/license/ Mon, 01 Jan 0001 00:00:00 +0000 https://why-openbsd.rocks/fact/license/ You are free to use the operating system as you want and do business with it according to ISC or Berkeley style licenses. By contract the GPL is not acceptable when adding new code. Details: OpenBSD: Project Goals OpenBSD: Copyright Policy https://why-openbsd.rocks/fact/malloc-leak-detection/ Mon, 01 Jan 0001 00:00:00 +0000 https://why-openbsd.rocks/fact/malloc-leak-detection/ Since 7.4 -current (04/17/2023), malloc leak detection. It’s a tool to detect unsafe behaviors in the OpenBSD code for Team developers. It needs to have debug symbols. This tracks memory allocations to free them properly after use. Details: malloc(3) - OpenBSD manual pages Otto Moerbeek: about leak detection https://why-openbsd.rocks/fact/mandoc/ Mon, 01 Jan 0001 00:00:00 +0000 https://why-openbsd.rocks/fact/mandoc/ All man pages are built with the advanced and unified tooling around mandoc. Ingo Schwarze spent a lot of time importing, fixing and improving documentation in general. Details: BSDCan11 Mandoc Slides mandoc - UNIX Manuals EuroBSDCon 2015 mandoc(1) - OpenBSD manual pages https://why-openbsd.rocks/fact/manpages/ Mon, 01 Jan 0001 00:00:00 +0000 https://why-openbsd.rocks/fact/manpages/ There is probably no Operating System that is documented more and better than OpenBSD. Every single binary, library, driver or script delivered in the base system has its own manpage. The OpenBSD project considers lack of documentation on any function of the system to be a bug. man cat # of course, base system binary man vio # the virtual network driver man null # the /dev/null device man daily # the cronjobs that maintain your system man adventure # a game delivered in the base system man hostname. https://why-openbsd.rocks/fact/meltdown-spectre/ Mon, 01 Jan 0001 00:00:00 +0000 https://why-openbsd.rocks/fact/meltdown-spectre/ To mitigate the Meltdown and Spectre vulnerabilities, OpenBSD holds separate page tables for the kernel and userland. The next generation of Meltdown was mitigated in this way. OpenBSD was no longer affected as memory could not be inappropriately accessed. OpenBSD has also disabled Intel’s hyper-threading technology, citing security concerns – seemingly, Spectre-style concerns, with “a new hw.smt sysctl”. Details: Meltdown fix committed by guenther@ CVS: cvs.openbsd.org: src CVS: cvs.openbsd.org: src https://why-openbsd.rocks/fact/malloc-randomization/ Mon, 01 Jan 0001 00:00:00 +0000 https://why-openbsd.rocks/fact/malloc-randomization/ malloc allocates areas of memory that programs have requested using system calls. It randomizes memory allocations over the entire address space. This makes attacks harder because each run has a different memory layout. It traps bugs (allocations are surrounded by unmapped memory) and allows realloc to grow an allocation without copying in most cases. Details: malloc(3) - OpenBSD manual pages Otto Moerbeek: about malloc(3) on Twitter https://why-openbsd.rocks/fact/mg/ Mon, 01 Jan 0001 00:00:00 +0000 https://why-openbsd.rocks/fact/mg/ mg is a small, lightweight emacs clone in the base system. Sysadmins who do not like to use vi(1) or ed(1) have an alternative. Details: mg(1) - OpenBSD manual pages mg (editor) - Wikipedia https://why-openbsd.rocks/fact/multi-plat/ Mon, 01 Jan 0001 00:00:00 +0000 https://why-openbsd.rocks/fact/multi-plat/ Maintaining code for multiple platform prevents coding with assumptions. Kernel and libc code needs to be designed platform independent. This really improves operating systems codebase. Besides that, it also means you can run OpenBSD on quite a few architectures (partially very old ones like VAX, Loongson, Apple PowerPC). Details: OpenBSD.org Platforms Secure Portability (djm, 2005) https://why-openbsd.rocks/fact/dashdev/ Mon, 01 Jan 0001 00:00:00 +0000 https://why-openbsd.rocks/fact/dashdev/ If you install a library, there is no split between library and header files. There is no zlib-dev package as an addition to zlib. You get everything at once. Details: OpenBSD FAQ: Package Management OpenBSD Porter’s Handbook https://why-openbsd.rocks/fact/noexec/ Mon, 01 Jan 0001 00:00:00 +0000 https://why-openbsd.rocks/fact/noexec/ Partitions can be mounted using the noexec mount Flag. This means no binaries located on this mounted path can be executed. For example, you can use this option to safely mount a USB stick. Details: mount(8) - OpenBSD manual pages https://why-openbsd.rocks/fact/nsd/ Mon, 01 Jan 0001 00:00:00 +0000 https://why-openbsd.rocks/fact/nsd/ nsd(8) is a complete implementation of an authoritative DNS nameserver developed by NLnet Labs and RIPE NCC. nsd is lightweight, reliable and shipped within OpenBSD’s base system and therefore available out of the box. Details: nsd(8) - OpenBSD manual pages nsd.conf(5) - OpenBSD manual pages https://why-openbsd.rocks/fact/ntpd/ Mon, 01 Jan 0001 00:00:00 +0000 https://why-openbsd.rocks/fact/ntpd/ Since OpenBSD 3.6, the base system ships with its own implementation of ntp. OpenBSD 5.7 introduced HTTPS Constraints, which helps to verify the times received in unauthenticated UDP packets. servers pool.ntp.org constraints from "https://www.google.com/" OpenNTPD has become a portable software project and is also available in Linux distributions. Details: Authenticated TLS “contraints” in ntpd(8) ntpd(8) - OpenBSD manual pages ntpd.conf Constraints OpenNTPD OpenBSD 3.6 OpenBSD 5.7 https://why-openbsd.rocks/fact/openbgpd/ Mon, 01 Jan 0001 00:00:00 +0000 https://why-openbsd.rocks/fact/openbgpd/ OpenBGPD is a FREE implementation of the Border Gateway Protocol, Version 4. It allows ordinary machines to be used as routers exchanging routes with other systems speaking the BGP protocol. Started out of dissatisfaction with other implementations, OpenBGPD is a fairly complete BGP implementation, powering many sites. Users often praise its ease of use and high performance, as well as its reliability. OpenBGPD’s companions, ospfd(8), ospf6d(8), ripd(8) and dvmrpd(8) add support for the respective protocols. https://why-openbsd.rocks/fact/openrsync/ Mon, 01 Jan 0001 00:00:00 +0000 https://why-openbsd.rocks/fact/openrsync/ In early 2019 OpenBSD imported openrsync to the base system as a free and open alternative to traditional rsync. openrsync has a reduced, simplified set of features, an acceptable license (BSD) while still being compatible with rsync. Details: the openrsync program first appeared in OpenBSD 6.5. OpenBSD on Tweet about openrsync GitHub - kristapsdz/openrsync: BSD-licensed implementation of rsync https://why-openbsd.rocks/fact/opensmtpd/ Mon, 01 Jan 0001 00:00:00 +0000 https://why-openbsd.rocks/fact/opensmtpd/ The OpenBSD base system contained a working and secured sendmail setup for a long time. It was replaced by OpenSMTPD in OpenBSD 5.3 (2013). OpenSMTPD was written by OpenBSD Developers from scratch. A simple mail daemon was needed for the base system of the operating system and there were no suitable alternatives. The goals are simplicity, security and reliability with an acceptable license (ISC). table aliases file:/etc/mail/aliases table secrets file:/etc/mail/secrets listen on lo0 action "local" mbox alias <aliases> action "relay" relay host smtp+tls://bob@smtp. https://why-openbsd.rocks/fact/openssh/ Mon, 01 Jan 0001 00:00:00 +0000 https://why-openbsd.rocks/fact/openssh/ The most popular OpenBSD software is probably OpenSSH. By using OpenBSD you always have the most recent version and features in your sshd. It’s also enabled and securely configured by default. Details: OpenSSH ssh(1) - OpenBSD manual pages sshd(8) - OpenBSD manual pages https://why-openbsd.rocks/fact/perl/ Mon, 01 Jan 0001 00:00:00 +0000 https://why-openbsd.rocks/fact/perl/ perl - The Perl 5 language interpreter Perl officially stands for Practical Extraction and Report Language, except when it doesn’t. Perl was originally a language optimized for scanning arbitrary text files, extracting information from those text files, and printing reports based on that information. It quickly became a good language for many system management tasks. Over the years, Perl has grown into a general-purpose programming language. It’s widely used for everything from quick “one-liners” to full-scale application development. https://why-openbsd.rocks/fact/pf/ Mon, 01 Jan 0001 00:00:00 +0000 https://why-openbsd.rocks/fact/pf/ pf is OpenBSD’s very own firewall, since 3.0. It is simple and feature-rich and its configuration files are easy to read. It supports the use of variables, lists and tables. tcpin = "{ http, https, ssh }" block in all pass out quick on $extif from any to any pass in on $extif proto tcp from any to any port $tcpin In fact, pf was often one of the top selling points for OpenBSD and many commercial firewall appliances are based on it. https://why-openbsd.rocks/fact/pid/ Mon, 01 Jan 0001 00:00:00 +0000 https://why-openbsd.rocks/fact/pid/ OpenBSD spawns each new process with a random, unused PID. This protects the user from attacks that predict new PIDs. Details: this feature first appeared in OpenBSD 2.1 CVS log for src/sys/kern/kern_fork.c operating systems - Do randomized PIDs bring more security? - Information Security Stack Exchange https://why-openbsd.rocks/fact/pie/ Mon, 01 Jan 0001 00:00:00 +0000 https://why-openbsd.rocks/fact/pie/ A PIE binary and all of its dependencies are loaded into random locations within virtual memory every time the application is executed. This heavy use of randomization makes it hard for an attacker to predict the binary’s behaviour. Details: Position Independent Code AsiaBSDCon2015 PIE Slides OpenBSD 5.8 Changelog https://why-openbsd.rocks/fact/ping/ Mon, 01 Jan 0001 00:00:00 +0000 https://why-openbsd.rocks/fact/ping/ Both ping(8) and ping6(8) obfuscate the transmitted monotonic clock values by offsetting them with a random value. ChaCha streams are used to vary every payload. This helps the user to hide the system time from the attacker and prevents OS detection. More Details: OpenBSD 5.8 Changelog obfuscate the monotonic clock values we put on the wire by offsetting · openbsd/src@08eef1f · GitHub ping(8), ping6(8) - OpenBSD manpages https://why-openbsd.rocks/fact/pledge/ Mon, 01 Jan 0001 00:00:00 +0000 https://why-openbsd.rocks/fact/pledge/ pledge allows you to limit a program’s access to system calls very easily. This is a huge improvement in security: why should cut(1) ever need to open a socket? Just deny it the ability to do so. Even if a binary is compromised, its chances to misbehave are greatly reduced. int main(int argc, char *argv[]) { [...] if (pledge("stdio rpath", NULL) == -1) err(1, "pledge"); [...] } Within only two releases, the OpenBSD Developers managed to introduce pledge to most of the binaries in the base system. https://why-openbsd.rocks/fact/privilege-separation/ Mon, 01 Jan 0001 00:00:00 +0000 https://why-openbsd.rocks/fact/privilege-separation/ OpenBSD runs nearly all of the standard base system daemons with privilege separation. These include smtpd, httpd , snmpd, sshd, and syslogd to name just a few. Details: Privilege Separation OpenBSD: Innovations https://why-openbsd.rocks/fact/ifconfig-mac-address/ Mon, 01 Jan 0001 00:00:00 +0000 https://why-openbsd.rocks/fact/ifconfig-mac-address/ OpenBSD lets you have randomized MAC addresses via ifconfig(8) ifconfig iwm0 lladdr random Randomizing your MAC address improves anonymity while using your Laptop in public wifi or the like. Details: ifconfig(8) Bryan Steele on Twitter https://why-openbsd.rocks/fact/rcctl/ Mon, 01 Jan 0001 00:00:00 +0000 https://why-openbsd.rocks/fact/rcctl/ rcctl is a simple utility to maintain rc.conf.local(8), the system daemon configuration database for OpenBSD. Compared to systemd or SysVinit, rcctl is very lightweight, and stable and easy to understand and use. Details: rcctl(8) - OpenBSD manual pages rc.conf.local(8) - OpenBSD manual pages OpenBSD 5.7 OpenBSD 5.7 - Changelog Heads up: rcctl(8) the rc.conf.local management tool landing in base https://why-openbsd.rocks/fact/rdist/ Mon, 01 Jan 0001 00:00:00 +0000 https://why-openbsd.rocks/fact/rdist/ rdist is a program to maintain identical copies of files over multiple hosts. It preserves the owner, group, mode, and mtime of files if possible and can update programs that are executing. rdist reads commands from distfile to direct the updating of files and/or directories. HOSTS = ( rupdate@ns2.example.com ) FILES = ( /var/nsd ) EXCL = ( nsd.conf *.key *.pem ) ${FILES} -> ${HOSTS} install ; except /var/nsd/db ; except /var/nsd/etc/${EXCL} ; except /var/nsd/run ; special "logger rdist update: $REMFILE" ; cmdspecial "rcctl reload nsd" ; unbound: /var/unbound/etc/unbound. https://why-openbsd.rocks/fact/recallocarray/ Mon, 01 Jan 0001 00:00:00 +0000 https://why-openbsd.rocks/fact/recallocarray/ recallocarray is a libc function that ensures data is discarded before allocating new memory and checks for integer overflow from multiplication. This function appeared in OpenBSD 6.1. Details: malloc(3) - OpenBSD manual pages reallocarray() in OpenBSD: Integer Overflow Detection for Free - Lawrence Teo OpenBSD 6.1 https://why-openbsd.rocks/fact/relayd/ Mon, 01 Jan 0001 00:00:00 +0000 https://why-openbsd.rocks/fact/relayd/ The relayd daemon relays and dynamically redirects incoming connections to a target host. It is mainly used as a load-balancer, an application layer gateway, or a transparent proxy. The daemon can monitor groups of hosts for availability. This is determined by checking for a specific service common to a host group. When availability is confirmed, layer 3 and/or layer 7 forwarding services are set up by relayd. ext_addr="192.168.1.1" table <webhosts> { $webhost1 $webhost2 } relay www { listen on $ext_addr port http forward to <webhosts> port http loadbalance check http "/" code 200 } Details: https://why-openbsd.rocks/fact/release-model/ Mon, 01 Jan 0001 00:00:00 +0000 https://why-openbsd.rocks/fact/release-model/ OpenBSD has a reliable release model. Every 6 months a new release of the operating system will be released with new features and stability additions. Only the two most recent OpenBSD releases receive security and reliability fixes for the base system. The version scheme is defined 5.8, 5.9, 6.0, 6.1. Security fixes will be published as Errata and can be applied using syspatch Details: OpenBSD version history - Wikipedia OpenBSD version numbers - flak OpenBSD: Errata and Patches https://why-openbsd.rocks/fact/retpoline/ Mon, 01 Jan 0001 00:00:00 +0000 https://why-openbsd.rocks/fact/retpoline/ Retpoline prevents speculative execution (Spectre) by isolating branches using an infinite loop that is never executed to prevent the CPU from speculating on the target of an indirect jump. Details: Retpoline: a software construct for preventing branch-target-injection - Google Help OpenBSD 6.4 Spectre - Wikipedia https://why-openbsd.rocks/fact/rpki-client/ Mon, 01 Jan 0001 00:00:00 +0000 https://why-openbsd.rocks/fact/rpki-client/ The rpki-client utility queries the RPKI repository system with openrsync(1) to fetch all X.509 certificates, manifests, and revocation lists under a given Trust Anchor. rpki-client subsequently validates each Route Origin Authorization (ROA) by constructing and verifying a certification path for the certificate associated with the ROA (including checking relevant CRLs). rpki-client produces lists of the Validated ROA Payloads (VRPs) in various formats. Details: The rpki-client utility was written by Kristaps Dzonsons rpki-client first appeared in OpenBSD 6. https://why-openbsd.rocks/fact/sane-defaults/ Mon, 01 Jan 0001 00:00:00 +0000 https://why-openbsd.rocks/fact/sane-defaults/ OpenBSD has sane and secure defaults set in daemons and configurations. The system is intended to be secure by default, and many of its security features are either missing or optional in other operating systems. This means you don’t have to tweak your freshly installed operating system to get services running. There is no hardening process required when you setup sshd(8), for example. Just as for every other daemon or component in the base system. https://why-openbsd.rocks/fact/securelevel/ Mon, 01 Jan 0001 00:00:00 +0000 https://why-openbsd.rocks/fact/securelevel/ securelevel is a security mechanism in OpenBSD kernel. It provides four levels of system security, from insecure mode to draconian mode: -1 (Permanently insecure mode) Kernel does not try to increase security level. This effectively disables securelevel protections. 0 (Insecure mode) all devices can be read or written and system file flags can be cleared using chflags. 1 (Secure mode) the raw memory devices can not be written to, the raw devices of mounted file systems can not be written to, important kernel variables are locked down - Actually, this is the mode by default. https://why-openbsd.rocks/fact/sensorsd/ Mon, 01 Jan 0001 00:00:00 +0000 https://why-openbsd.rocks/fact/sensorsd/ sensorsd — hardware sensors monitor The sensorsd utility retrieves sensor monitoring data like fan speed, temperature, voltage and RAID logical disk status from the sysctl(2) hw.sensors subtree. When the state of any monitored sensor changes, an alert is triggered. Every alert logs a message to syslog(3) using the daemon facility. Optionally, an alert can be configured to execute a command. Details: The sensorsd program first appeared in OpenBSD 3.5. sensorsd(8) - OpenBSD manual pages sysctl(2) - OpenBSD manual pages syslog(3) - OpenBSD manual pages https://why-openbsd.rocks/fact/signify/ Mon, 01 Jan 0001 00:00:00 +0000 https://why-openbsd.rocks/fact/signify/ signify is a small and elegant tool to cryptographically sign and verify files. It was created to sign OpenBSD releases, since OpenBSD 5.5, and Binary Patches for syspatch. It uses only the Ed25519 algorithm. Think of it as an simple, easy replacement for PGP signing. Details: signify - sign and verify signify(1) - OpenBSD manual pages signify: Securing OpenBSD From Us To You OpenBSD 5.5 Ed25519 https://why-openbsd.rocks/fact/slowcgi/ Mon, 01 Jan 0001 00:00:00 +0000 https://why-openbsd.rocks/fact/slowcgi/ slowcgi — a FastCGI to CGI wrapper server slowcgi is a server which implements the FastCGI Protocol to execute CGI scripts. FastCGI was designed to overcome the CGI protocol’s scalability and resource sharing limitations. While CGI scripts need to be forked for every request, FastCGI scripts can be kept running and handle many HTTP requests. Details: The slowcgi server first appeared in OpenBSD 5.4. slowcgi(8) - OpenBSD manual pages httpd(8) - OpenBSD manual pages https://why-openbsd.rocks/fact/spamd/ Mon, 01 Jan 0001 00:00:00 +0000 https://why-openbsd.rocks/fact/spamd/ The spamd spam deferral daemon rejects fake emails. It is designed for efficiency, so that the receiving host is not slowed down. spamd divides sending hosts into three types: Blacklisted hosts are diverted to spamd and tarpitted. In other words, they are communicated with very slowly to consume the sender’s resources. Mail is rejected with either a 450 or 550 error message. A blacklisted host will not be allowed to talk to a real mail server. https://why-openbsd.rocks/fact/stack/ Mon, 01 Jan 0001 00:00:00 +0000 https://why-openbsd.rocks/fact/stack/ Aggressive randomisation of the stack location Since 7.3 (03/19/2023), this will put the stack at a random location in the upper 1/4th of the userland virtual address space providing up to 26 additional bits of randomness in the address. This aggressive randomisation of the stack location is for all 64-bit architectures except alpha. This should make it harder for an attacker to find the stack. Details: Mark Kettenis: aggresive randomisation of the stack location ‘Aggressively randomize the location of the stack’ - MARC OpenBSD 7. https://why-openbsd.rocks/fact/stack-register-checking/ Mon, 01 Jan 0001 00:00:00 +0000 https://why-openbsd.rocks/fact/stack-register-checking/ A memory object should have the fewest permissions possible: typically read, write and execute. OpenBSD introduced a new permission flag known as stack. If you want to use memory as a stack, you must mmap it with that flag bit. When a system call happens, we check to see if the stack-pointer register points to such a page. If not, the program is killed. The ABI is tighter as a result. https://why-openbsd.rocks/fact/strlcpycat/ Mon, 01 Jan 0001 00:00:00 +0000 https://why-openbsd.rocks/fact/strlcpycat/ Those libc functions will safely copy/concat strings, an improvement over strncpy(3), strncat(3). Details: OpenBSD 2.4 Changelog strlcpy(3) - OpenBSD manual pages strncat(3) - OpenBSD manual pages strncpy(3) - OpenBSD manual pages https://why-openbsd.rocks/fact/swapencryption/ Mon, 01 Jan 0001 00:00:00 +0000 https://why-openbsd.rocks/fact/swapencryption/ To protect sensitive information such as passwords from leaking to disk, where they can persist for many years, OpenBSD supports encryption of the swap partition. This is enabled by default! sysctl vm.swapencrypt.enable=1 Details: sysctl(2) - OpenBSD manual pages https://why-openbsd.rocks/fact/syscall-from-verification/ Mon, 01 Jan 0001 00:00:00 +0000 https://why-openbsd.rocks/fact/syscall-from-verification/ From OpenBSD 6.7 on, the kernel checks if a syscall is executed from the address space where its corresponding process is coming from. If this is not the case, the process gets killed. This helps avoiding attackers uploading exploit code containing a raw system call sequence and instructions. Details: syscall call-from verification - marc.info OpenBSD 6.7 https://why-openbsd.rocks/fact/sysmerge/ Mon, 01 Jan 0001 00:00:00 +0000 https://why-openbsd.rocks/fact/sysmerge/ The sysmerge tool simplifies the migration of your config files during a release upgrade. This includes line-by-line merging using sdiff. It is fully integrated into the upgrade process. Details: sysmerge(8) - OpenBSD manual pages OpenBSD 4.4 Changelog https://why-openbsd.rocks/fact/syspatch/ Mon, 01 Jan 0001 00:00:00 +0000 https://why-openbsd.rocks/fact/syspatch/ It is a common mistake to manually patch and recompile OpenBSD when security updates are required. Since 6.1, OpenBSD has supported binary patches using its own syspatch(8) tooling! Binary updates are available for the current and previous versions of amd64, i386 and arm64. Consider subscribing to the announce mailing list to be informed of security updates. Details: OpenBSD 6.1 syspatch(8) - OpenBSD manual pages Mailing list page https://why-openbsd.rocks/fact/sysupgrade/ Mon, 01 Jan 0001 00:00:00 +0000 https://why-openbsd.rocks/fact/sysupgrade/ sysupgrade is a utility to upgrade OpenBSD to the next release or a new snapshot if available. sysupgrade downloads the necessary files to /home/_sysupgrade, verifies them with signify, and copies bsd.rd to /bsd.upgrade. sysupgrade by default then reboots the system. The bootloader will automatically choose /bsd.upgrade, triggering a one-shot upgrade using the files in /home/_sysupgrade. Since OpenBSD 6.7, sysupgrade runs fw_update before upgrading. Details: sysupgrade first appeared in OpenBSD 6.6. sysupgrade(8) - OpenBSD manual pages signify(1) - OpenBSD manual pages fw_update(1) - OpenBSD manual pages OpenBSD 6. https://why-openbsd.rocks/fact/tmux/ Mon, 01 Jan 0001 00:00:00 +0000 https://why-openbsd.rocks/fact/tmux/ tmux, created by Nicholas Marriott, is an in-base, BSD licensed terminal multiplexer. It enables a number of terminals to be created, accessed, and controlled from a single screen. tmux may be detached from a screen and continue running in the background, then later reattached. There is also a portable version of tmux for non-OpenBSD machines. Details: the tmux program first appeared in OpenBSD 4.6 tmux imported into base - commit tmux imported into base - article Interview with Nicholas+ tmux. https://why-openbsd.rocks/fact/unveil/ Mon, 01 Jan 0001 00:00:00 +0000 https://why-openbsd.rocks/fact/unveil/ The unveil system call limits the filesystem open call to a given set of paths. It extends the idea of pledge: simply limiting programs to open is insufficient, because open is valid for the the whole filesystem. For example, why should a program like passwd(1) have access to your file system beyond /etc/passwd and /etc/shadow? If there is a security bug in passwd then effects would be quite limited. Details: https://why-openbsd.rocks/fact/unwind/ Mon, 01 Jan 0001 00:00:00 +0000 https://why-openbsd.rocks/fact/unwind/ unwind — validating DNS resolver unwind is a validating DNS resolver. It is intended to run on client machines like workstations or laptops and only listens on localhost. unwind sends DNS queries to nameservers to answer queries and switches to resolvers learned from dhclient(8) if it detects that DNS queries are blocked by the local network. It periodically probes if DNS is no longer blocked and switches back to querying nameservers itself. https://why-openbsd.rocks/fact/utf8/ Mon, 01 Jan 0001 00:00:00 +0000 https://why-openbsd.rocks/fact/utf8/ UTF-8 has been supported in libc since 2010, and OpenBSD removed support for all non-UTF-8 locales in 2015! You will never again have to deal with locale charset issues. Details: OpenBSD FAQ: General Questions ‘CVS: cvs.openbsd.org: src’ - MARC Heads up! OpenBSD now supports multi-byte characters! https://why-openbsd.rocks/fact/vmd/ Mon, 01 Jan 0001 00:00:00 +0000 https://why-openbsd.rocks/fact/vmd/ vmd is the daemon responsible for execution of virtual machines (VMs) on a host. It is typically started at boot time and is controlled via vmctl(8). Details: The vmd command first appeared in OpenBSD 5.9. vmd(8) - OpenBSD manual pages vmctl(8) - OpenBSD manual pages vmm(4) - OpenBSD manual pages https://why-openbsd.rocks/fact/vxlan/ Mon, 01 Jan 0001 00:00:00 +0000 https://why-openbsd.rocks/fact/vxlan/ The vxlan interface is a tunnelling pseudo-device for overlaying virtualized layer 2 networks over layer 3 networks. A vxlan interface can be created using the ifconfig vxlanN create command. Once configured, the interface encapsulates and decapsulates Ethernet frames in UDP datagrams that are exchanged with tunnel endpoints. The default UDP port for VXLAN traffic is 4789. Details: The vxlan device first appeared in OpenBSD 6.5. vxlan(4) - OpenBSD manual pages hostname. https://why-openbsd.rocks/fact/wx/ Mon, 01 Jan 0001 00:00:00 +0000 https://why-openbsd.rocks/fact/wx/ Since 2003, memory on OpenBSD can be written to or executed, but not both. This is a major security feature that prevents malicious code from producing buffer overflows and executing what has been inserted. Details: W^X now mandatory in OpenBSD W^X - Wikipedia OpenBSD 3.3 https://why-openbsd.rocks/fact/wireguard/ Mon, 01 Jan 0001 00:00:00 +0000 https://why-openbsd.rocks/fact/wireguard/ OpenBSD has an in-kernel driver for WireGuard VPN communication. Including the WireGuard Protocol in the kernel which improves performance while making it easy to use for everyone in OpenBSD base. WireGuard® is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. Details: tech@ Thread: WireGuard patchset for OpenBSD Undeadly: WireGuard imported into OpenBSD OpenBSD 6.8 Changelog https://why-openbsd.rocks/fact/xenodm/ Mon, 01 Jan 0001 00:00:00 +0000 https://why-openbsd.rocks/fact/xenodm/ xenodm is the X Display Manager, since OpenBSD 6.1! xenodm is a simplified fork of xdm, lightweight, more secure, rid of XDMCP support, because of many security vulnerabilities. It support only the BSDauth code used in OpenBSD. On OpenBSD 6.5, xenodm is absolutely necessary to start the X server, because it no longer has setuid rights enabled by default. Details: xenodm - OpenBSD manpage g2k16 Hackathon Report: Matthieu Herrb on xenodm OpenBSD 6. https://why-openbsd.rocks/fact/xorg/ Mon, 01 Jan 0001 00:00:00 +0000 https://why-openbsd.rocks/fact/xorg/ OpenBSD developers have worked hard to enable the non-root execution of an Xserver. Since 2014, X no longer requires special privileges and can be run as a regular user rather than root. Details: Xorg can now run without privilege on OpenBSD CVS: cvs.openbsd.org: xenocara