As I was gathering my thoughts for this article, I quickly realized that it is actually quite difficult to give due credit to the developers of OpenBSD. OpenBSD is unique and it's fantastic; however, much of its splendor "hides" in the design and coding of the operating system, and as such isn't visible to the average user. You need to understand some of what goes on under the hood to really appreciate OpenBSD.
OpenBSD is easy and quick to install and you will be surprised at how simple and well designed the system is. This is because a lot of work goes into making everything right from the beginning, and the project is following the UNIX philosophy to the letter.
OpenBSD comes with a lot of applications in the base system ready to run. However, nothing is enabled by default; you have to enable the services you need. Every configuration file follows the same kind of syntax, a very human-readable syntax, and is hence easy to understand and set up. Every single option is meticulously documented in the man pages, and the OpenBSD project considers lacking documentation a bug, which is what every professional programmer should do.
Lacking documentation, or incorrect documentation, is just as dangerous to a running system as security bugs are. The reason for this is that security issues sometimes arise from misconfiguration. If you don't know how to set up your system, how can you be sure that it isn't running in a manner that makes it easy for an attacker to compromise the system? A lot of spam on the Internet originates from misconfigured mail servers that have been compromised by hackers.
Every single line of code in the operating system kernel and base system gets security audited and scrutinized by the programmers, and everything is coded following a strict set of guidelines and principles that try to eliminate all the typical coding mistakes (yes, most security bugs are coding mistakes made by programmers and developers).
But that's not all. What really makes OpenBSD amazing is all the security mitigation work that goes into the development of the operating system and the OpenBSD developers are doing some fantastic frontier engineering in this area.
Security mitigations are techniques that help prevent attackers from running malicious code on the operating system or taking advantage of security bugs or weaknesses in software.
If you're using a piece of software, say a browser, and the browser has a security bug that is exploitable, then it is possible for a hacker to gain access to your computer. How much damage the hacker can do on your computer depends on the underlying security of the operating system.
OpenBSD has a number of mitigation techniques built into the kernel and base system that make life really difficult for a hacker. Firstly, this means that it becomes much more difficult for a hacker to gain access to your system in the first place using the normal exploitation techniques which work on many other operating systems like Microsoft Windows, Linux, Mac OS, and others. Secondly, if an attacker happens to gain access to the system despite these mitigations, the amount of damage the attacker can do is much more limited and constricted.
Here is a list of some of the OpenBSD security innovations built into the operating system and enabled by default.
Several of these innovations have been adopted and implemented by other operating system projects thanks to the work done by the OpenBSD developers.
OpenBSD is a robust and reliable operating system that you can run with minimal interaction once it is set up. It is actually the only operating system that enables you to sleep at night in case you're running any system-critical software.
OpenBSD maintains a portable version of many parts of the base system, including:
All of this is in the base system of the operating system and is part of a standard OpenBSD installation. The third-party software components (from X.Org Server and downwards in the list) come with OpenBSD-specific patches for increased security.
Besides the above, OpenBSD provides, as of writing, more than 9.700 installable applications via the OpenBSD package manager.
However, it is very important to note that even though you are advised to use the precompiled packages over manually building software from ports, the package collections for the "release" and "stable" branches of OpenBSD do not get package upgrades. As such, security updates are only available through the ports system when you are running the "stable" branch.
When serious bugs or security flaws are discovered in the applications in ports, they are fixed in the "stable" branch of the ports tree. Contrary to the base system, the "stable" ports only get security backports for the latest release. This means that if you're using third-party applications you need to check out the correct branch of the ports tree and build the software from it manually. The ports can be kept up to date with CVS, and you can subscribe to the ports-changes mailing list in order to receive security announcements related to applications in the ports tree.
Since the ports collection is a collection of software from third-party providers, it does not go through the same thorough security audit that is performed on the OpenBSD base system. The OpenBSD project does not have enough resources to ensure the same level of robustness and security with ports as they do with the base system.
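As an added example (not from the original article or the OpenBSD project), the script below checks that a ports checkout really tracks the "stable" branch rather than a frozen release tag or the development head. It assumes the `OPENBSD_<major>_<minor>` branch-tag naming and CVS's `CVS/Tag` sticky-tag file; the function names are hypothetical and the anoncvs host is a placeholder.

```shell
#!/bin/sh
# Added example: verify that a ports tree tracks -stable for a given release.
# Usage on OpenBSD: sh check_ports.sh /usr/ports "$(uname -r)"

CVSROOT_PLACEHOLDER="anoncvs@anoncvs.example.org:/cvs"   # placeholder mirror

# "7.4" -> "OPENBSD_7_4"; rejects anything that is not <digits>.<digits>.
stable_tag() {
    case "$1" in
        *[!0-9.]*|*.*.*|.*|*.|"") return 1 ;;
        *.*) printf 'OPENBSD_%s\n' "$(printf '%s' "$1" | tr . _)" ;;
        *) return 1 ;;
    esac
}

# Report what a checkout is pinned to: "branch:NAME" (follows backports),
# "frozen:NAME" (non-branch tag or date, never moves), "head" (no sticky
# tag), or "missing" (not a CVS checkout).
tree_state() {
    [ -d "$1/CVS" ] || { echo "missing"; return; }
    [ -f "$1/CVS/Tag" ] || { echo "head"; return; }
    tag=$(head -n 1 "$1/CVS/Tag")
    case "$tag" in
        T*) echo "branch:${tag#T}" ;;   # 'T' marks a branch tag
        *)  echo "frozen:${tag#?}" ;;   # 'N' non-branch tag, 'D' date
    esac
}

# Return 0 if DIR tracks -stable for VERSION; otherwise print the fix, return 1.
check_ports() {
    dir=$1
    want=$(stable_tag "$2") || { echo "bad version: $2" >&2; return 2; }
    state=$(tree_state "$dir")
    if [ "$state" = "branch:$want" ]; then
        echo "ok: $dir tracks $want"
        return 0
    fi
    echo "warning: $dir is '$state', expected 'branch:$want'"
    if [ "$state" = "missing" ]; then
        echo "fix: cd ${dir%/*} && cvs -qd $CVSROOT_PLACEHOLDER checkout -r$want -P ports"
    else
        echo "fix: cd $dir && cvs -q up -Pd -r$want"
    fi
    return 1
}

if [ $# -eq 2 ]; then check_ports "$1" "$2"; fi
```

A tree reported as `frozen:` or `head` will not receive the security backports described above, even if `cvs up` is run regularly.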
Take a look at the OpenBSD project website for further information.
If you have any comments or corrections feel free to email them to me.