FreeBSD: An Open Source Alternative to LinuxDruLavignedru@isecom.org2005Dru Lavigne$FreeBSD$$FreeBSD$
&tm-attrib.freebsd;
&tm-attrib.linux;
&tm-attrib.unix;
&tm-attrib.general;
&legalnotice;
The objective of this whitepaper is to explain some of the
features and benefits provided by &os;, and where
applicable, compare those features to &linux;. This paper
provides a starting point for those interested in exploring
Open Source alternatives to &linux;.Introduction&os; is a &unix; like operating system based on the
Berkeley Software Distribution. While &os; and &linux; are
commonly perceived as being very similar, there are differences:&linux; itself is a kernel. Distributions (e.g. Red Hat,
Debian, Suse and others) provide the installer and the
utilities available to the user. http://www.linux.org/dist
lists well over 300 distinct distributions. While giving
the user maximum flexibility, the existence of so many
distributions also increases the difficulty of transferring
one's skills from one distribution to another. Distributions
don't just differ in ease-of install and available programs;
they also differ in directory layout, available shells and
window managers, and software installation and patching
routines.&os; is a complete operating system (kernel and
userland) with a well-respected heritage grounded in the
roots of Unix development.
See also http://www.oreilly.com/catalog/opensources/book/kirkmck.html
for a brief history.
Since both the kernel and the
provided utilities are under the control of the same release
engineering team, there is less likelihood of library
incompatibilities. Security vulnerabilities can also be
addressed quickly by the security team. When new utilities
or kernel features are added, the user simply needs to read
one file, the Release Notes, which is publicly available on
the main page of the &os; website.&os; has a large and well organized programming base
which ensures changes are implemented quickly and in a
controlled manner. There are several thousand programmers
who contribute code on a regular basis but only about 300 of
these have what is known as a commit bit and can actually
commit changes to the kernel, utilities and official
documentation. A release engineering team provides quality
control and a security officer team is responsible for
responding to security incidents. In addition, there is an
elected core group of 8 senior committers who set the
overall direction of the Project.In contrast, changes to the Linux kernel ultimately have
to wait until they pass through the maintainer of kernel
source, Linus Torvalds. How changes to distributions occur
can vary widely, depending upon the size of each particular
distribution's programming base and organizational method.While both &os; and &linux; use an Open Source
licensing model, the actual licenses used differ. The Linux
kernel is under the GPL license while
&os; uses the BSD license. These,
and other Open Source licenses, are described in more detail
at the website of the Open Source
Initiative.The driving philosophy behind the GPL is to ensure that
code remains Open Source; it does this by placing
restrictions on the distribution of GPLd code. In contrast,
the BSD license places no such restrictions, which gives you
the flexibility of keeping the code Open Source or closing
the code for a proprietary commercial product.
For a fairly unbiased view of the merits of each
license, see http://en.wikipedia.org/wiki/BSD_and_GPL_licensing.
Having
stable and reliable code under the attractive BSD license
means that many operating systems, such as Apple OS X
are based on FreeBSD code. It also means that if you choose
to use BSD licensed code in your own projects, you can do so
without threat of future legal liability.&os; FeaturesSupported Platforms&os; has gained a reputation as a secure, stable,
operating system for the &intel; (&i386;) platform. However,
&os; also supports the following architectures:amd64ia64&i386;pc98&sparc64;In addition, there is ongoing development to port &os;
to the following architectures:&arm;&mips;&powerpc;Up-to-date hardware lists are maintained for each
architecture so you can tell at a glance if your hardware is
supported. For servers, there is excellent hardware RAID and
network interface support.&os; also makes a great workstation and laptop
operating system! It supports the X Window System, the same
one used in &linux; distributions to provide a desktop user
interface. It also supports over 13,000 easy to install
third-party applications,
Using FreeBSD's ports
collection: software installation is as easy as
pkg_add -r application_name.
including KDE, Gnome, and
OpenOffice.Several projects are available to ease the installation of
&os; as a desktop. The most notable are:DesktopBSD which
aims at being a stable and powerful operating system for
desktop users.FreeSBIE which
provides a LiveCD of &os;.PC-BSD which provides an
easy-to-use GUI installer for &os; aimed at the desktop
user.Extensible Frameworks&os; provides many extensible frameworks to easily
allow you to customize the FreeBSD environment to your
particular needs. Some of the major frameworks are:NetgraphNetgraph is a modular networking subsystem that
can be used to supplement the existing kernel networking
infrastructure. Hooks are provided to allow developers to
derive their own modules. As a result, rapid prototyping and
production deployment of enhanced network services can be
performed far more easily and with fewer bugs. Many existing
operational modules ship with FreeBSD and include support for:PPPoEATMISDNBluetoothHDLCEtherChannelFrame RelayL2TP, just to name a few.GEOMGEOM is a modular disk I/O request
transformation framework. Since it is a pluggable storage
layer, it permits new storage services to be quickly developed
and cleanly integrated into the FreeBSD storage
subsystem. Some examples where this can be useful are:Creating RAID solutions.Providing full-blown cryptographic protection of stored data.Newer versions of FreeBSD provide many administrative
utilities to use the existing GEOM modules. For example, one
can create a disk mirror using &man.gmirror.8;, a stripe
using &man.gstripe.8;, and a shared secret device using
&man.gshsec.8;.GBDEGBDE, or GEOM Based Disk Encryption, provides
strong cryptographic protection and can protect file systems,
swap devices, and other uses of storage media. In addition,
GBDE transparently encrypts entire file systems, not just
individual files. No cleartext ever touches the hard drive's
platter.MACMAC,
or Mandatory Access Control, provides fine-tuned access to
files and is meant to augment traditional operating system
authorization provided by file permissions. Since MAC is
implemented as a modular framework, a FreeBSD system can be
configured for any required policy varying from HIPAA
compliance to the needs of a military-grade system.&os; ships with modules to implement the following
policies; however the framework allows you to develop any
required policy:Biba integrity modelPort ACLsMLS or Multi-Level Security confidentiality policyLOMAC or Low-watermark Mandatory Access Control data integrity policyProcess partition policyPAMLike &linux;, &os; provides support for PAM,
Pluggable Authentication Modules. This allows an administrator
to augment the traditional &unix; username/password
authentication model. &os; provides modules to integrate
into many authentication mechanisms, including:Kerberos 5OPIERADIUSTACACS+It also allows the administrator to define policies to
control authentication issues such as the quality of
user-chosen passwords.SecuritySecurity is very important to the FreeBSD
Release
Engineering Team. This
manifests itself in several concrete areas:All security incidents and fixes pass through the
Security Team and are issued as publicly available
Advisories. The Security Team has a reputation for quickly
resolving known security issues. Full information regarding
FreeBSD's security handling procedures and where to find
security information is available at
http://www.FreeBSD.org/security/.One of the problems associated with Open Source
software is the sheer volume of available applications. There
are literally tens of thousands of Open Source application projects
each with varying levels of responsiveness to security
incidents. &os; has met this challenge head-on with VuXML. All software
shipped with the FreeBSD operating system as well any software
available in the Ports Collection
is compared to a database of known, unresolved
vulnerabilities. An administrator can use the &man.portaudit.1;
utility to quickly determine if any software on a &os;
system is vulnerable, and if so, receive a description of the
problem and an URL containing a more detailed vulnerability
description.&os; also provides many mechanisms which allow an
administrator to tune the operating system to meet his security
needs:The &man.jail.8; utility allows an administrator
to imprison a process; this is ideal for applications which
don't provide their own chroot environment.The &man.chflags.1; utility augments the
security provided by traditional Unix permissions. It can, for
example, prevent specified files from being modified or
deleted by even the superuser.&os; provides 3 built-in stateful, NAT-aware
firewalls, allowing the flexibility of choosing the ruleset
most appropriate to one's security needs.The &os; kernel is easily modified, allowing an
administrator to strip out unneeded functionality. &os;
also supports kernel loadable modules and provides utilities
to view, load and unload kernel modules.The sysctl mechanism allows an administrator to view
and change kernel state on-the-fly without requiring a
reboot.SupportLike &linux;, &os; offers many venues for support, both
freely available and commercial.Free Offerings&os; is one of the best documented
operating systems, and the documentation is available both
as part of the operating system and on the Internet. Manual
pages are clear, concise and provide working
examples.
The FreeBSD Handbook
provides background information and configuration examples
for nearly every task one would wish to complete using
&os;.&os; provides many support mailing
lists.
where answers are archived and fully searchable. If you have
a question that wasn't addressed by the Handbook, it most
likely has already been answered on a mailing list. The
Handbook and mailing lists are also available in several
languages, all of which are easily accessible from
http://www.FreeBSD.org.There are many FreeBSD IRC channels, forums
and user groups. See http://www.FreeBSD.org/support.html for a
selection.If you're looking for a &os; administrator, developer
or support personnel, send a job description which includes
geographic location to freebsd-jobs@FreeBSD.org.Commercial OfferingsThere are many vendors who provide commercial &os;
support. Resources for finding a vendor near you
include:The Commercial Vendors page at the &os;
site: http://www.FreeBSD.org/commercial/FreeBSDMall, who have been selling support contracts
for nearly 10 years.
http://www.freebsdmall.comThe BSDTracker Database at: http://www.nycbug.org/index.php?NAV=BSDTrackerThere is also an initiative to provide certification of BSD
system administrators. http://www.bsdcertification.org.If your project requires Common Criteria certification,
&os; includes the TrustedBSD MAC
framework to ease the certification process.Advantages to Choosing &os;There are many advantages to including &os; solutions in
your IT infrastructure:&os; is well documented and follows many
standards. This allows your existing intermediate and advanced
system administrators to quickly transfer their existing Linux
and Unix skillsets to FreeBSD administration.In-house developers have full access to all
FreeBSD code
In addition, all code is browsable through a
web-interface: http://www.FreeBSD.org/cgi/cvsweb.cgi/.
for all releases going back to the original
&os; release. Included with the code are all of the log
messages which provide context to changes and
bug fixes. Additionally, a developer can easily replicate any
release by simply checking out the code with the desired
label. In contrast, &linux; traditionally didn't follow this
model, but has recently adopted a more mature development
model.
An interesting overview of the evolving Linux
development model can be found at http://linuxdevices.com/articles/AT4155251624.html.In-house developers also have full access to
FreeBSD's GNATS
bug-tracking database. They are able to query and track
existing bugs as well as submit their own patches for approval
and possible committal into the FreeBSD base code.
http://www.FreeBSD.org/support.html#gnatsThe BSD license allows you to freely modify the
code to suit your business purposes. Unlike the GPL, there are
no restrictions on how you choose to distribute the resulting
software.Conclusion&os; is a mature &unix;-like operating system which
includes many of the features one would expect in a modern &unix;
system. For those wishing to incorporate an Open Source solution
in their existing infrastructure, &os; is an excellent choice
indeed.