Hey, I will avoid repeating what has already been said, but there has been a point which has not been made which is the security models of OpenBSD and Linux are fundamentally different.
Linux relies entirely on security in layers. This is not a bad thing; in fact this is one of the many tips for good security. Meanwhile OpenBSD puts emphasis on writing secure, maintainable code and proactive security (constantly auditing and improving the code, which is only possible because of the smaller codebases). Linux is a massive kernel, much bigger than OpenBSD, and this makes it much harder to audit. Unlike the BSDs, Linux is just a kernel, so you also need to bear in mind the numerous flavours of userspace which can be used, usually GNU coreutils, glibc and systemd for init. All 3 of these are huge codebases, large and more difficult to audit (and the fact that it's all in different source trees makes things that bit harder; it's all duct-taped together instead of being a single cohesive system).

Linux, however, does have security mechanisms. MAC implementations like SELinux are common, especially in RHEL and its derivatives, something OpenBSD developers have opposed due to the complexity and the constant breakages of MAC security policies, which end up with most people disabling or not properly enforcing it. OpenBSD stands by the idea of security by default, so if people have to set up additional security measures like SELinux, it is not by default, especially if they have to intervene to fix security policies. For this reason the pledge/unveil syscalls exist on OpenBSD, moving the burden of locking down a service onto the developer instead of the user. Linux also has heavy use of containers; LXC/LXD/Incus is popular, but in modern-day Linux docker/podman/kubernetes have become the industry standard. All of these layers have vast codebases with tons of features which you likely will never use, but which provide surface area for attacks.

The best way I can easily explain the comparison between the two is an analogy about a skyscraper. OpenBSD ensures that the foundations (the base system, userspace + kernel) are rock solid, secure and maintainable, and then the rest of the system is built up on that (the ports tree, which is mostly third-party code). Linux, however, has quite a weak foundation: lots of features, lots of code, difficult to secure. To remedy this, Linux puts lots of layers on top, whether it's SELinux or some big containerisation daemon. IMO, and I am sure a lot of people here will agree, having a weak foundation ends up with all your security stack falling down around you. Having a solid foundation to work on, and then building up layers on top of that, such as using chroots, or if your server has the resources, running additional OpenBSD systems to separate services using vmm. For this reason, I would always trust OpenBSD over Linux, as I feel Linux focuses too much on trying to mitigate vulnerabilities instead of trying to prevent them occurring in the first place. Hope this gives you some insight on my reasoning for choosing OpenBSD.

As a side note on other BSDs, I would still argue that even though they are not security focused, they are a better bet for security than Linux, because separating the base from ports (packages) allows for a more solid and easier to maintain base system. It makes it much easier to apply security patches as well: in general a port can be restarted without a reboot, while a patch to base needs a reboot. This separation allows you to balance uptime with ensuring security patches actually get loaded, something which is difficult to do on Linux as kernel patches are pulled in with general software updates. Also, to my knowledge, when you compare their SLOC with Linux + systemd + GNU coreutils, all BSDs are far smaller and far less complex, therefore far less attack surface area.

Take care,
-- 
Polarian
Jabber/XMPP: [email protected]
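As an added illustration of the pledge/unveil point made in the post above (this is example code written for this reply, not Polarian's code or anything from the OpenBSD tree): a small line-counting tool that confines itself in stages, first narrowing its filesystem view to one read-only directory with unveil(2) and limiting its kernel interface with pledge(2), then dropping even the ability to open files once its input has been read. The no-op stand-ins under `#ifndef __OpenBSD__` are a hypothetical portability shim so the file compiles elsewhere; on those systems nothing is actually sandboxed. The sample file and its three lines are constructed for the example.

```c
/* Added example: stage-wise lockdown of a file reader with unveil(2) and
 * pledge(2). Only OpenBSD enforces any of this; elsewhere the stand-ins
 * below succeed without doing anything. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#ifndef __OpenBSD__
/* Hypothetical stand-ins for systems without these syscalls: they report
 * success and do nothing, so the logic can be exercised but is NOT confined. */
static int unveil(const char *path, const char *permissions)
{
    (void)path; (void)permissions;
    return 0;
}
static int pledge(const char *promises, const char *execpromises)
{
    (void)promises; (void)execpromises;
    return 0;
}
#endif

/* Writes a constructed three-line sample file. Call this BEFORE
 * confine_to_dir(): neither the read-only unveil nor "stdio rpath"
 * permits creating files afterwards. */
int write_sample(const char *path)
{
    FILE *fp = fopen(path, "w");
    if (fp == NULL)
        return -1;
    fputs("first line\nsecond line\nthird line\n", fp);
    return fclose(fp);
}

/* Stage 1: make only `dir` visible, read-only, seal the unveil list, and
 * keep just the promises needed to read files ("stdio rpath").
 * Returns 0 on success, -1 with errno set on failure. */
int confine_to_dir(const char *dir)
{
    if (unveil(dir, "r") == -1)
        return -1;
    /* unveil(NULL, NULL) locks the view: no further unveil calls allowed */
    if (unveil(NULL, NULL) == -1)
        return -1;
    return pledge("stdio rpath", NULL);
}

/* Stage 2: once the input is read, "rpath" is no longer needed. Dropping
 * it means a later bug cannot open any file at all. On OpenBSD a call that
 * violates a pledge kills the process rather than returning an error. */
int drop_to_stdio(void)
{
    return pledge("stdio", NULL);
}

/* Counts newline-terminated lines. Returns -1 if the file cannot be opened;
 * on OpenBSD a path outside the unveiled directory fails with ENOENT, so
 * its existence is not even revealed. */
long count_lines(const char *path)
{
    FILE *fp = fopen(path, "r");
    if (fp == NULL)
        return -1;
    long n = 0;
    int c;
    while ((c = fgetc(fp)) != EOF)
        if (c == '\n')
            n++;
    fclose(fp);
    return n;
}

int main(int argc, char *argv[])
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s directory file\n", argv[0]);
        return 1;
    }
    if (confine_to_dir(argv[1]) == -1) {
        perror("confine_to_dir");
        return 1;
    }
    long n = count_lines(argv[2]);
    if (n < 0) {
        perror(argv[2]);   /* outside the unveiled directory: ENOENT */
        return 1;
    }
    if (drop_to_stdio() == -1) {
        perror("pledge");
        return 1;
    }
    printf("%ld lines\n", n);
    return 0;
}
```

The order matters: unveil is called before the first pledge so the "unveil" promise is never needed, and each pledge only ever shrinks the previous set of promises. This is the "burden on the developer" the post describes: the program states up front what it needs, and the kernel enforces it for the user without any policy to write or maintain.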

