Can I use OpenBSD as an ultra-secure host for virtual machines?
Can I use OpenBSD as an ultra-secure host for virtual machines?
Other urls found in this thread:
openbsd.org
github.com
twitter.com
bump for interest
get a grsecurity kernel instead
oh wait
It only has Qemu (despite Q standing for quick it's pretty slow) and native vmm that can only run BSDs and non-systemd Linux distros (Alpine is good for this).
>OpenBSD
How can something be secure if you leave it open?
>OpenBSD
>claims to be secure
>no mandatory access control
>no namespaces
>no sandboxing methods
>no jails
OpenBSD gives you no way to contain or restrict the execution of untrusted or buggy code.
It's only secure if you don't install anything besides the base system.
I'll just stick to GNU/Linux, since it's actually secure.
MAC is for retards who chmod 777 everything
>OpenBSD gives you no way to contain or restrict the execution of untrusted or buggy code.
I want to be proven wrong.
chroot, pledge, vm running ramdisk
you can write sandbox with pledge that preopens desired file or sets allowed syscall groups under 100 loc
GNU/Linux is anything but secure, even FreeBSD has better security.
If you don't want to use OpenBSD, then don't use it, don't come here trying to get us to change your opinion. It is obvious you don't know anything about OS security (sandboxing, pledge, jails, VM's) etc so why not do some research first?
>If you don't want to use OpenBSD, then don't use it
I can't use it even if I wanted to because nodrivers.
fun fact:
the only firewalls the german government is used for outside facing ports do run on openBSD.
Despite their really shitty interface they are actually pretty good though
Yet more rubbish, i don't even know where this meme comes from. OpenBSD driver support is on par with GNU/Linux or at least very close.
>pledge
do I need to edit the source code of the program I want to use it on?
why would you run untrusted and buggy code?
its a server os. it does not need drivers for gaming devices.
literally anything not in the base system could be malicious or buggy
doesn't matter how small the chances are
>the same post every single time
Pledge is primarily a tools for developers so making generic sandbox is not what it shines in. It's possible inject wrapper around program with LD_PRELOAD without ever touching or seeing source code of that program.
What does the base system include then?
Does it have a firewall, dns, web server, dhcp, etc, vpn, infiniband routing, etc?
>chroot
>vm
are you kidding me?
>pledge
lmao are you fucing kidding me
everything in the base system supposedly is heavily audited
the same can't be said for the ports tree
>the same non answers and answers providing non solutions or too complicated solutions every thime
>OpenBSD gives you no way to contain or restrict the execution of untrusted or buggy code.
Everything you need is already there. You won't run untrusted or buggy code if you don't install any other programs. The world has not changed since 1983. Obey the bsd gods.
yes on all except infiniband routing
also load balancer (relayd)
modified Xorg (xenocara) and basic environement (xterm, tmux, wm)
OpenSSH obviously
network redundancy with CARP
VPN with IPSec and IKED
ntpd, smtpd
better list might be this: openbsd.org
what's so bad about chroot?
chroot is insecure by design github.com
>chroot
insecure, not a solution
>vm running ramdisk
too much overhead for something as simple as restricting access for every single 3d party program
>pledge
sorry, I'm not gonna waste my time editing the source code of every application I use and figuring out which system calls it does or does not need
Use VmWare ESXi. Or SmartOS.
at least grsec on linux has some fixes for it
ok I'm curious, what system do you run and how do you restrict media player, browser, libreoffice or similar, and anything at all?
>what system do you run
arch linux
>how do you restrict media player, browser, libreoffice or similar, and anything at all
firejail, apparmor
Why BSD? Solaris(SmartOs) is much better choice for VM host.
No. It's not secure and the hypervisor is terrible.
Are there any reasons to use OpenBSD, besides "security"?
Should I just use FreeBSD if I want a BSD to dick around with?
>Are there any reasons to use OpenBSD, besides "security"?
only you can really answer this question. they're not trying to sell you anything so you you have to evaluate your own situation.