Mastering FreeBSD and OpenBSD Security

FreeBSD and OpenBSD are popular server operating systems. They have a reputation for long, reliable uptimes and are considered by many to be much more unified and mature than GNU/Linux distributions. Unlike GNU/Linux, the BSDs are developed in a unified, systematic fashion. The kernel, system binaries and application packages are released together. It's not just a kernel, with a variety of file systems and shells and applications from various sources rolled-up together into a distribution. The BSDs are an entire operating system. In this regard, they are more similar to Microsoft Windows or Apple's Mac OS X. Although both FreeBSD and OpenBSD maintain very good online documentation and manual pages, it's nice to have a book such as "Mastering FreeBSD and OpenBSD Security" as a reference. The book is broken into three sections. The first section emphasizes the cost of security and how cost should be directly related to the value of the system(s) or data being secured. Spending $60,000 to secure data valued at less than $100 is not a good idea. It's an inefficient use of scarce resources (time and money). The book encourages implementing an appropriate level of security, no more and no less. Secure installation and install tweaks are also covered in this section. The second section covers implementation of services in detail. DNS, mail, Web, etc. Firewalls are discussed in depth along with the particulars of PF and IPFW. Differences between FreeBSD jails and chrooted environments on OpenBSD systems are clearly explained. Traditional Unix servers such as Sendmail, BIND and Apache are covered in depth, however, alternative (and arguably more secure) servers are covered as well... using software such as djbdns, postfix, qmail and thttpd in place of the more traditional solutions are described. The third section goes over auditing, logging and incident response. From setting-up a secure log server to responding to break-ins. How to triage and decide how many resources should be spent on responses. Again, the book emphasizes an appropriate, cost-effective response. Resources are limited and both time and money should be used wisely. In conclusion, Mastering FreeBSD and OpenBSD Security is a worthwhile book. It covers BSD security topics (in detail) that are not often seen in books. It's a good read and a good reference written in a terse manner that gets the points across without being overly verbose... unlike many technical books on the market today.

Mastering FreeBSD and OpenBSD Security (MFAOS) more or less delivers on its subtitle: "Building, securing, and maintaining BSD systems." The book is chock full of absolutely sound administration advice from three experts with plenty of operational experience. I am also thrilled whenever I find a new BSD title on bookshelves. However, I believe a second edition of this book should be radically altered to better deliver value to the reader. Note: I am in a somewhat awkward position as I write this review, since I know one of the authors as a fellow local security professional. I've spoken at a conference he organizes and I even have all three authors' signatures on my copy of MFAOS! Still, I hope they will consider incorporating my ideas when O'Reilly asks for a second edition. First, I think MFAOS:2E should address FreeBSD, OpenBSD, and NetBSD. It's appropriate to read a book only about ONE of the BSDs, or all three of the BSDs. It's odd to cover FreeBSD and OpenBSD but not NetBSD. I think DragonFly BSD's miniscule userbase puts it on the fringe, and Mac OS X is not BSD. Second, the authors should rigorously concentrate on covering BSD-specific administration and security issues. I do not need to read about generic security issues in Ch 1, or standard DNS/Mail/Web attacks in Chs 5/6/7. I definitely did not need YASD (Yet Another Snort Doc) in Ch 9 -- especially when ACID is explained as the console of choice. (BASE replaced ACID in Sep 04). I do not need the advice on incident response and forensics found in Ch 11. MFAOS should be a more of a BSD book and less of a security book. Removing all of this generic material in a second edition would provide room to focus on BSD-specific material not found elsewhere. For example, Dru Lavigne's briefer, older, all-BSD book BSD Hacks gives more information on FreeBSD's Mandatory Access Controls than MFAOS -- and MFAOS is a BSD security book. I would have liked more details on building FreeBSD jails, especially with respect to creating a local package builder. While reading MFAOS, I frequently felt the authors did not provide enough details on the subjects I felt were different from multi-platform Unix books. For example, why write five pages on Nagios in Ch 4 if that information really isn't enough to do anything useful? It seemed the authors assumed many of their brief discussions of useful behavior was sufficient for the reader. In reality, I probably wouldn't be reading the book if I could get by on the information provided; I'd be implementing on my own. For example, the authors devote 3 1/2 pages in Ch 4 to using CVS to track changes to configuration files. While not BSD-specific, this is the sort of good practice not frequently covered elsewhere. Yet, when I hoped for more advanced discussions I see the phrase "beyond the scope of this book" on p 136. I was disappointed that Qmail was ignored in Ch 6, even though Djbdns was addressed in Ch 5. Furthermore, when the au

Another tight O'Reilly work. The text is tight. The illustrations are simple but effective. And the authors obviously know there stuff and have done a thorough job documenting it. It's an easy read that will help you far more than the crummy Unix documentation. A good introduction as well as a long term resource.

If you are looking at implementing one of the BSD distributions of Linux and want to secure your installation this book is an excellent choice. The authors cover the basic security that applies to all Linux distributions such as filesystem security and creating a sandbox, and then follows up with security options specific to BSD. The chapters cover installation, secure administration, creating a secure DNS server, secure mail servers (including Sendmail, Postfix, and qmail), secure web server, firewalls, intrusion detection, system auditing and incident response, and some forensics. However, the forensics information provides a decent overview without being detailed enough to be very useful. The authors do a really good job of explaining not only how to do various tasks but also the reasoning behind it and how it works to resolve specific problems. I like the fact that the authors don't do this in a piecemeal approach but provide a pathway to get to the system hardened before heading off into the specifics of harding particular services link DNS and Sendmail. They actually have a step by step procedure starting from a fresh install. This alone makes this one of the better books on hardening FreeBSD and OpenBSD. Mastering FreeBSD and OpenBSD Security is highly recommended.

O'Reilly Mastering FreeBSD and OpenBSD Security By Yanek Korff, Paco Hope, Bruce Potter First Edition March 2005 ISBN: 0-596-00626-8 464 pages, $49.95 US http://www.oreilly.com/catalog/mfreeopenbsd/ This book has been long awaited as the *BSD community has been lacking the number of security geared books compared to the Linux and Windows communities. I found that this book is almost the equal of "Linux Server Security", but for OpenBSD and FreeBSD. With OpenBSD being said to be one of the most secure operating systems, you would think there would be more books about the security other than the normal online documentation. I'm glad O'Reilly finally put out this book as it covers a broad area of security within OpenBSD and FreeBSD. This covers *BSD basics, initial install and hardening of the specific OS, security practices, running secure servers (DNS, Mail, Web), firewall, intrusion detection, system audits, incident response, and forensics. This is a broad coverage of security, but I wish on some of the specifics they would have went into detail discussing. Some points I wish were added in detail was coverage on OpenNTPD's security and/or atleast mentioning that it is contained within OpenBSD. Another would be more coverage of Qmail on FreeBSD/OpenBSD as there really wasn't much more than a mention of Qmail and basic information. Compared to the details given to Sendmail and Postfix, Qmail info was really slacking. The last point I would like to mention that I found lacking was possibly a more in-depth guide to CARP and what it's capable of doing. The main thing dealing with CARP that I would have liked to see would be about load balancing firewalls using CARP and PFSYNC. Other than these few minor lacking areas, I found this book to be great addition to other security books based around general Linux and BSD servers. I almost wish this book would have waited a little while longer before releasing or hope they plan an update soon as OpenBSD 3.7 is scheduled for release on May 19th and this book mainly just covers versions 3.5/3.6 for OpenBSD. Along with the new version of OpenBSD releasing, FreeBSD 5.4 was released not long after this book was published. Even lacking the parts that it does, I enjoyed reading the sections about DJBDNS comparison to BIND with details of the specifics. On top of this, there is enough information to get anyone with general *nix knowledge going with a OpenBSD/FreeBSD firewall or secure server. By no means is this book the answer to first time OpenBSD/FreeBSD system administrators to learn the basics from, but seems to be more geared for those atleast somewhat familiar with the *BSD feel of things and aware of what's going on inside their machine. In the beginning of the book it mentions this book was written "by system administrators for system administrators". For someone just getting started with OpenBSD I'd recommend this book, but also would recommend picking up Absolute OpenBSD (http://www.oreilly.com/c