Monitoring OpenBSD with Grafana and Prometheus.
With any deployment of OpenBSD, it is always advisable to have some sort of monitoring enabled... Last week, I ended up moving over to a Grafana dashboard with prometheus as the monitoring system...
https://www.findelabs.com/post/grafana-prometheus-monitoring-openbsd/
#grafana #prometheus #monitoring
With any deployment of OpenBSD, it is always advisable to have some sort of monitoring enabled... Last week, I ended up moving over to a Grafana dashboard with prometheus as the monitoring system...
https://www.findelabs.com/post/grafana-prometheus-monitoring-openbsd/
#grafana #prometheus #monitoring
Vulnerabilities(?) in OpenBSD's hypervisor.
Three things are wrong:
1) The RO protections are not enforced, so the guest could have data be written to a GPA it can only access as RO.
2) If 'pvclock_ti' crosses a page, its second half could point to an HPA that doesn't belong to the guest. The guest can therefore, to some limited extent, overwrite host kernel memory.
3) The pmap is not locked, so if the GPA gets unmapped and its corresponding HPA recycled, there is a small window where the (new) content of the HPA can get overwritten.
https://marc.info/?l=openbsd-tech&m=158176939604512&w=2
#security
Three things are wrong:
1) The RO protections are not enforced, so the guest could have data be written to a GPA it can only access as RO.
2) If 'pvclock_ti' crosses a page, its second half could point to an HPA that doesn't belong to the guest. The guest can therefore, to some limited extent, overwrite host kernel memory.
3) The pmap is not locked, so if the GPA gets unmapped and its corresponding HPA recycled, there is a small window where the (new) content of the HPA can get overwritten.
https://marc.info/?l=openbsd-tech&m=158176939604512&w=2
#security
Configure login(1) and sshd(8) for YubiKey on OpenBSD.
https://rgz.ee/openbsd/yubikey.html
#sshd #yubikey
https://rgz.ee/openbsd/yubikey.html
#sshd #yubikey
The results are in. About 5 billion fuzz cases, a few 10 hours streams, and we found 6 unique bugs in OpenBSD ctags. All with an absolutely garbage fuzzer. Some were pretty tricky (uninit stack use, global overflows), but vecemu was able to detect em!
https://twitter.com/gamozolabs/status/1229379329248784385
https://gist.github.com/gamozolabs/ac79a6d755e44d71f5bf0659a0848265
#security #ctags #fuzzing
https://twitter.com/gamozolabs/status/1229379329248784385
https://gist.github.com/gamozolabs/ac79a6d755e44d71f5bf0659a0848265
#security #ctags #fuzzing
LPE and RCE in OpenSMTPD's default install (CVE-2020-8794).
https://www.openwall.com/lists/oss-security/2020/02/24/5
#opensmtpd #security
https://www.openwall.com/lists/oss-security/2020/02/24/5
#opensmtpd #security
Remote root exploits are now publicly available for LPE and RCE in OpenBSD's OpenSMTPD's default install (CVE-2020-8794).
https://www.openwall.com/lists/oss-security/2020/02/26/1
#security #opensmtpd
https://www.openwall.com/lists/oss-security/2020/02/26/1
#security #opensmtpd
OpenBSD Full Disk Encryption with CoreBoot and Tianocore Payload.
https://functionallyparanoid.com/2020/03/07/openbsd-full-disk-encryption-with-coreboot-and-tianocore-payload/
#encryption #security
https://functionallyparanoid.com/2020/03/07/openbsd-full-disk-encryption-with-coreboot-and-tianocore-payload/
#encryption #security
022: RELIABILITY FIX: March 10, 2020 All architectures
Missing input validation in sysctl(2) can be used to crash the kernel.
023: RELIABILITY FIX: March 13, 2020 All architectures
Local outbound UDP broadcast or multicast packets sent by a spliced socket can crash the kernel.
#security
Missing input validation in sysctl(2) can be used to crash the kernel.
023: RELIABILITY FIX: March 13, 2020 All architectures
Local outbound UDP broadcast or multicast packets sent by a spliced socket can crash the kernel.
#security
My machines are hosted in 3 different places. First is at Exoscale, second is Vultr and the third is... my flat. All of them run either OpenBSD on its -current branch, or the latest version of Ubuntu. At this time, that's Ubuntu 19.10. After a couple of years working on OpenBSD ports (i.e. packaging), I believe fresh software is better, security-wise.
https://chown.me/blog/infrastructure-2019.html
#server
https://chown.me/blog/infrastructure-2019.html
#server
Using OpenBSD relayd to Add Security Headers.
I am a huge fan of OpenBSD’s built-in httpd server as it is simple, secure, and quite performant. With the modern push of the large search providers pushing secure websites, it is now important to add security headers to your website or risk having the search results for your website downgraded. Fortunately, it is very easy to do this when you combine httpd with relayd.
https://goblackcat.com/posts/using-openbsd-relayd-to-add-security-headers/
#relayd
I am a huge fan of OpenBSD’s built-in httpd server as it is simple, secure, and quite performant. With the modern push of the large search providers pushing secure websites, it is now important to add security headers to your website or risk having the search results for your website downgraded. Fortunately, it is very easy to do this when you combine httpd with relayd.
https://goblackcat.com/posts/using-openbsd-relayd-to-add-security-headers/
#relayd
Introduction to doas on OpenBSD.
OpenBSD's alternative to sudo is doas, although it does not work the same way as sudo and requires some configuration...
https://www.vultr.com/docs/introduction-to-doas-on-openbsd
#doas
OpenBSD's alternative to sudo is doas, although it does not work the same way as sudo and requires some configuration...
https://www.vultr.com/docs/introduction-to-doas-on-openbsd
#doas
OpenBSD makes life pretty easy when it comes to securing your web-app...
https://blog.snailtext.com/posts/berkeley-smorgasbord.html
https://blog.snailtext.com/posts/berkeley-smorgasbord-part-2.html
https://blog.snailtext.com/posts/berkeley-smorgasbord.html
https://blog.snailtext.com/posts/berkeley-smorgasbord-part-2.html
Fullstack mailserver based on OpenSMTPD for OpenBSD using ansible
https://github.com/AnsiMail/AnsiMail
#ansible #opensmtpd
https://github.com/AnsiMail/AnsiMail
#ansible #opensmtpd
A privilege separated implementation of WireGuard for OpenBSD.
https://github.com/timkuijsten/wiresep
#wireguard
https://github.com/timkuijsten/wiresep
#wireguard
pf-badhost is a simple, easy to use badhost blocker that uses the power of the pf firewall to block many of the internet's biggest irritants.
https://www.geoghegan.ca/pfbadhost.html
#pf #firewall
https://www.geoghegan.ca/pfbadhost.html
#pf #firewall
OpenBSD's 'spinning' CPU time category.
Unix systems have long had a basic breakdown of what your CPU (or CPUs) was spending its time doing. The traditional division is user time, system time, idle time, and 'nice' time (which is user time for tasks that have their scheduling priority lowered through nice(1) or the equivalent), and then often 'interrupt' time, for how much time the system spent in interrupt handling. Some Unixes have added 'iowait', which is traditionally defined as 'the system was idle but one or more processes were waiting for IO to complete'. OpenBSD doesn't have iowait, but current versions have a new time category, 'spinning'...
https://utcc.utoronto.ca/~cks/space/blog/unix/OpenBSDCpuSpinTime
#cpu #spinning
Unix systems have long had a basic breakdown of what your CPU (or CPUs) was spending its time doing. The traditional division is user time, system time, idle time, and 'nice' time (which is user time for tasks that have their scheduling priority lowered through nice(1) or the equivalent), and then often 'interrupt' time, for how much time the system spent in interrupt handling. Some Unixes have added 'iowait', which is traditionally defined as 'the system was idle but one or more processes were waiting for IO to complete'. OpenBSD doesn't have iowait, but current versions have a new time category, 'spinning'...
https://utcc.utoronto.ca/~cks/space/blog/unix/OpenBSDCpuSpinTime
#cpu #spinning