Book: Secure Architectures with OpenBSD
Jose Nazario gave me a copy of Secure Architectures with OpenBSD this summer. I’m way behind with book reviews, and I wanted to start with this one.
I’m a fan of the OpenBSD project. Not only for their efforts around security, but also because they put a great deal of effort into the documentation. I’ve been using OpenBSD for quite some time, and even when I’m on a different unix, I often start with the OpenBSD man pages. However, I do that as a former systems administrator. I got my start with SunOS 3 and 4 (not to mention NeXTStep), all of which were BSD operating systems. So I’m very comfortable in the BSDs. Quoting from the introduction:
OpenBSD feels different than many other UNIX systems. Its filesystem layout is more controlled and is designed primarily for security and functionality, rather than to satisfy the needs of the marketing department.
Furthermore, OpenBSD attempts to adhere to its BSD 4.4 roots and do things “the BSD way” when possible. Many commercial and even some other free operating systems have adopted many System V features and characteristics.
If you’re not familiar with the BSD way, it can be confusing and hard to navigate. This book serves as an admirable introduction, giving the reader a roadmap and orientation. If you’re a Linux user, you should get this book and use it as a guide to OpenBSD. It’s a very nice system, not to mention a way to get off much of the patching treadmill.
“If you’re not familiar with the BSD way, it can be confusing and hard to navigate.”
Yeah, and if you’re not familiar with the SYSVR4 way, it *will* be confusing and hard to navigate.
Don’t get me started on Linux.
Nazario’s book is good. For the craft of system administration, Limoncelli and Hogan is great. I’ll get off my butt and post about it and a few other favorites in a week or so.
I have mixed feelings about OpenBSD. I think their code review policies and such are excellent. What I dislike is their patch management scheme. They get you “off the patch treadmill” in the sense that you *can’t* really patch the system, unless you want to recompile it all; the only way to get most bugfixes is to do an upgrade of the entire system. I found that awkward and annoying on production systems.