As discussed last week, OpenBSD is an operating system with its focus firmly set on security: unused services are disabled by default, the source code is continuously audited, and any bugs discovered are given full disclosure.

Most of the vulnerabilities that actually get exploited already have fixes available; the problem is that not all systems are kept up to date by their administrators, either because they are unaware that a bug and a fix exist, or because they simply don't know how to apply the fix. Attackers actively search for systems like this. Unpatched networks are an easy target and can often be compromised without detection, because a system which is not kept up to date is also likely to be one which isn't closely monitored. As OpenBSD systems are usually chosen to provide Internet-facing services, keeping them updated is vital.

So how do you know that a new patch is available and whether or not it should be applied? The most obvious way to find out about released patches is to check the errata and patch list on the official OpenBSD website. Each release version has its own section, listing both Security and Reliability fixes. A much better way to stay on top of patch releases is to subscribe to the official security-announce mailing list. You are then notified proactively when a new security issue arises, rather than having to revisit the errata page at regular intervals.

You may notice that there are two types of fix addressed on the errata pages: Security and Reliability. The distinction is simple. Security fixes patch a bug which has a direct impact on security; it is vital that these are applied. Reliability fixes are just that: they address issues that may affect the reliability of services but do not pose a direct threat to security. It isn't necessary to apply every patch; for example, you may not want to bother patching a bug in sendmail if you don't actually use sendmail on the system. Do check that the service really is unused before skipping its patch (a look at the process list and the listening sockets with ps and netstat will tell you), and keep a note of what you skipped so it isn't mistaken for an applied fix later. Needless to say, this also applies at the architecture level: there is no point applying a patch which only touches amd64-specific source when you are actually running i386.

Patches can be downloaded either individually or as a single package. Individual patches are found in the patches/<version> subdirectory of the main OpenBSD FTP root, split into a common directory and one directory per platform. A tar.gz archive of all current patches for a release can be found directly in the patches folder. I personally prefer to download the archive when first installing a system and then add individual patches as they are released. Don't forget that both the common and the platform-specific patches need to be applied (e.g., both those in the common and i386 directories).

Before any patches can be applied, the kernel and system source must be installed on the system (I tend to install this during the initial system setup). If you don't have the source installed, it's a very simple process. Download the files src.tar.gz and sys.tar.gz from your OpenBSD FTP mirror of choice; they are found in the top-level directory of each release. Unpack both into /usr/src: src.tar.gz provides the userland source and sys.tar.gz the kernel source, which ends up in /usr/src/sys. Make sure the source you install matches the release you are running, since the patches are written against that release's tree. If you are using any ports or the X Window System, XF4.tar.gz and ports.tar.gz should be downloaded from the same location and unpacked under /usr (giving /usr/XF4 and /usr/ports).
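As an added example (my own, not code from the original column or from the OpenBSD project), here is a small POSIX shell script covering the two preparation steps from the last two paragraphs, runnable offline: it unpacks src.tar.gz and sys.tar.gz into <root>/usr/src, and it lists which patches from a downloaded patch tree apply to a given architecture by taking the common directory plus the platform directory. The directory layout it expects (common/ and <arch>/ holding *.patch files) follows the mirror structure described above; the patch names and tarball contents in the built-in demo tree are constructed for illustration and are not real OpenBSD patches.

```shell
#!/bin/sh
# Added example, not from the original column or the OpenBSD project.
# Two helpers for the preparation steps described above:
#   unpack_sources     - put src.tar.gz and sys.tar.gz into <root>/usr/src
#   applicable_patches - list the patches from a downloaded patch tree
#                        that apply to one architecture (common/ + <arch>/)
# Assumption: the patch tree is laid out as common/ and <arch>/ directories
# holding *.patch files. The demo tree built below uses constructed names.

# unpack_sources DOWNLOADDIR ROOT
# Extracts DOWNLOADDIR/src.tar.gz and DOWNLOADDIR/sys.tar.gz into
# ROOT/usr/src (ROOT is "/" on a real system, a temp dir when testing).
# Refuses to start if either tarball is missing, so you never end up
# with a half-populated /usr/src.
unpack_sources() {
    dl=$1
    root=$2
    for f in src.tar.gz sys.tar.gz; do
        [ -f "$dl/$f" ] || { echo "missing $dl/$f" >&2; return 1; }
    done
    mkdir -p "$root/usr/src" || return 1
    for f in src.tar.gz sys.tar.gz; do
        tar xzf "$dl/$f" -C "$root/usr/src" || return 1
    done
    # the kernel source must now be present, or a patch touching sys/ cannot apply
    [ -d "$root/usr/src/sys" ]
}

# applicable_patches PATCHDIR ARCH
# Prints, one per line, every patch under PATCHDIR/common and then under
# PATCHDIR/ARCH, each group in name order (patch names start with a number,
# so name order is number order). Fails if there is no common/ directory,
# which means PATCHDIR is not a patch tree at all; a missing ARCH/ directory
# only produces a warning, since it may simply hold no patches yet.
applicable_patches() {
    dir=$1
    arch=$2
    [ -d "$dir/common" ] || { echo "$dir: no common/ directory" >&2; return 1; }
    [ -d "$dir/$arch" ] || echo "warning: no $arch/ directory under $dir" >&2
    for sub in common "$arch"; do
        for p in "$dir/$sub"/*.patch; do
            [ -f "$p" ] || continue   # an unmatched glob stays literal in sh
            printf '%s\n' "$p"
        done
    done
    return 0
}

# count_patches PATCHDIR ARCH: how many patches applicable_patches lists
count_patches() {
    applicable_patches "$1" "$2" | wc -l | tr -d ' '
}

# make_demo_patch_tree: build a constructed patch tree in a temp dir
# (empty files with made-up names, not real OpenBSD patches) and print its path.
make_demo_patch_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/common" "$t/i386" "$t/amd64"
    : > "$t/common/001_demo.patch"
    : > "$t/i386/002_demo.patch"
    : > "$t/amd64/002_demo.patch"
    : > "$t/common/003_demo.patch"
    printf '%s\n' "$t"
}

# Stand-alone run ("sh thisfile.sh demo"): show which of the demo patches an
# i386 host would apply. On a real system pass the mirror download directory
# and "$(machine)" instead.
if [ "${1:-}" = "demo" ]; then
    tree=$(make_demo_patch_tree)
    applicable_patches "$tree" i386
    rm -rf "$tree"
fi
```

The common patches are listed before the platform-specific ones on purpose, so that a host running i386 sees the amd64 directory skipped entirely while still getting every common fix.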

We now have all of the information required to patch our system and keep it as secure as possible. Next week we'll pick up right where we left off and start to get our hands dirty.