Hi,
I'm trying to make a relatively secure computer setup, so I want to try
OpenBSD as the "main" kernel (aka the one that will run on the real
hardware, and that will be the host for the VMs).
I'm coming from Linux (various distros), and I had configured my system
to be immutable: the root system (with apps, settings, users) was built
atomically into a SquashFS (a compressed immutable FS), which would then
be mounted on root via an OverlayFS + tmpfs. Writes would go to memory,
so changes would be erased on reboot.
I think that immutability is a great feature for security, as it
prevents attackers or threats from staying installed on the system. Also, it
ensures predictability and determinism between boots: if you mess
something up, it won't impact future boots.
Does anyone here have some advice/idea/experience on how to do immutable
systems with OpenBSD?
I think I need something more complex than read-only mounts: I need to be
able to verify that the root hasn't been altered (by hashing it for
example). I also need write access to the FS, even if it doesn't
persist between reboots.
https://geodsoft.com/howto/harden/OpenBSD/no_changes.htm
Btw, the read-only option for security was mentioned in this blog, and
it seems kind of unsuitable for my purpose (in the blog, the guy had
issues with software wanting write access, and other joyful errors)
Something I found that may be part of a solution is `union_mount`. This
seems to be like OverlayFS on Linux. The problem is that the feature
seems to have disappeared from OpenBSD in release 3.8, even if I couldn't
find any mention of it in the changelogs (I may have missed it).
- manpage for 3.7 (exists):
https://man.openbsd.org/OpenBSD-3.7/mount_union
- manpage for 3.8 (doesn't):
https://man.openbsd.org/OpenBSD-3.8/mount_union
- 3.8 changelogs:
https://www.openbsd.org/plus38.html
Yet, even if the feature still exists, I would still be unable to hash
or checksum the FS properly (maybe I could hash a digest of all the
files? what a hacky way!). It's also not as portable as a SquashFS
file.
Lastly, please tell me if my message is too long, or anything else. I'm
trying to be concise and explicit, but it's one of my first times
mail-list-ing :D
---
Pattled Buquor
(absolutely my real name)
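
The "hash a digest of all the files" idea from the message above, written out as an added example (not part of the original post and not an OpenBSD tool): it reduces a directory tree to one SHA-256 value that can be compared against a known-good value at boot. The function names and the record layout are assumptions of this example.

```python
import hashlib
import os
import stat


def file_sha256(path, bufsize=1 << 16):
    """SHA-256 of one regular file's contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(bufsize), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root):
    """Yield one record per entry under root, in a stable (sorted) order.

    A record covers path, type, permission bits, owner and content, so a
    changed byte, a flipped setuid bit, or an added, removed or renamed file
    all alter the result. Timestamps are left out on purpose so that two
    builds of the same tree give the same digest.
    """
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        dirnames.sort()  # in-place sort fixes the traversal order
        for name in sorted(dirnames + filenames):
            full = os.path.join(dirpath, name)
            st = os.lstat(full)  # lstat: describe symlinks, never follow them
            rel = os.path.relpath(full, root)
            if stat.S_ISLNK(st.st_mode):
                kind, body = "link", os.readlink(full)
            elif stat.S_ISDIR(st.st_mode):
                kind, body = "dir", ""
            elif stat.S_ISREG(st.st_mode):
                kind, body = "file", file_sha256(full)
            else:  # devices, sockets, FIFOs: record the device number only
                kind, body = "special", str(st.st_rdev)
            yield (rel, kind, oct(stat.S_IMODE(st.st_mode)),
                   str(st.st_uid), str(st.st_gid), body)


def tree_digest(root):
    """Single SHA-256 over the whole manifest, as a hex string."""
    h = hashlib.sha256()
    for record in manifest(root):
        for field in record:
            # Every field is NUL-terminated; paths and link targets cannot
            # contain NUL, so records cannot be confused with one another.
            h.update(field.encode("utf-8", "surrogateescape") + b"\0")
    return h.hexdigest()
```

The reference digest has to be stored somewhere the running system cannot write, otherwise whoever alters the tree can also update the expected value.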