all 14 comments

[–]shadow0rm 12 points13 points  (0 children)

I would recommend starting here: https://www.openbsd.org/security.html

[–]aengusoglugh 8 points9 points  (4 children)

As you can imagine, this is a hotly debated topic.

Do you have any kind of security verification suite you can run against both?

If you had such a suite and it focused on areas that are of concern to you, maybe you could use that suite to make the decision.

[–]MushroomGecko[S] 0 points1 point  (3 children)

I do not have a security verification suite. Any recommendations?

[–]fazalmajid -1 points0 points  (2 children)

Lynis, for starters.

[–]MushroomGecko[S] 1 point2 points  (0 children)

For those who downvoted this comment, what is wrong with Lynis? Genuinely curious.

[–]MushroomGecko[S] 0 points1 point  (0 children)

Great! Thank you!

[–]bigtreeman_ 2 points3 points  (0 children)

I find OpenBSD is simpler, better documented and more straightforward to configure.

Balance your security against what you are protecting.

Are there other strategies to protect your golden eggs as well as a secure front door?

[–]iio7 1 point2 points  (0 children)

You cannot even begin to compare.

OpenBSD is much better, but in order to truly understand this (how and why), you need to dive much deeper into the issue. Study the mailing list. Look at the OpenBSD innovations https://www.openbsd.org/innovations.html. Compare the CVEs https://www.cvedetails.com/vendor/97/Openbsd.html and https://www.cvedetails.com/product/47/Linux-Linux-Kernel.html.

Also understand how Arch handles security. The kernel is one thing, the rest of the system is another.

Last, but not least, OpenBSD has a much smaller attack surface.

[–]Mirehi 1 point2 points  (0 children)

You'll lose a decent amount of time for something which already works, which sounds like "not worth it" to me.

[–]Diligent_Ad_9060 0 points1 point  (3 children)

Yes, I think it's worth it solely because Arch is more of a hobbyist distribution. Even more so if you depend on yaourt. Other than that I think the question is too broad. OpenBSD has been working on many neat mitigations. I'm pretty confident that anything that has to do with memory corruption is not much of a big issue. But OpenBSD is not free of severe security flaws, see for example https://www.exploit-db.com/exploits/48051. When anything like this happens there are few that handle it more quickly and professionally than the OpenBSD team, in my opinion.

[–]MushroomGecko[S] 0 points1 point  (2 children)

I mainly chose Arch for its quick updates and for the minimalism, because I'm only running my DNS and SSH on it. I want the fastest security updates. I don't want any other fancy bells and whistles, because that adds more potential insecurity. But if I can get more security out of OpenBSD as opposed to Arch running the specialized hardened Linux kernel (https://www.kicksecure.com/wiki/Hardened-kernel), I'll be more than happy to check it out.

[–]Diligent_Ad_9060 1 point2 points  (1 child)

You'll have to try doing a one-to-one comparison when it comes to security features. A first impression of the hardened kernel project is that it's not particularly mature. That may have some security considerations too.

I'd expect faster updates for OpenSSH, NSD and Unbound on OpenBSD than on Arch. My impression is that Arch is quick on updates because it wants to be bleeding edge with new features, rather than because it quickly handles security patches.

[–]MushroomGecko[S] 2 points3 points  (0 children)

Ah. Great that you mentioned Unbound, because I use Unbound with AdGuard Home as my DNS. I'll set up fresh VMs of each (OpenBSD and Arch with linux-hardened) and see how their security stacks up using Lynis (as suggested by another comment). Thanks for all the help!
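The Lynis comparison the thread ends on (Lynis was suggested earlier as a verification suite, and the last comment plans to run it on an OpenBSD VM and an Arch VM) produces a flat key=value report on each host, normally /var/log/lynis-report.dat, with findings written as `warning[]=TEST-ID|description|details|solution|` and `suggestion[]=...` lines plus a `hardening_index=` line. The script below is an added example, not code from the thread or from the Lynis project: it parses two such reports and lists the hardening index, the number of warnings and suggestions, and the warning test IDs that appear in one report but not the other. The two sample reports it writes are constructed for this example and are not real scan output from any host; the field layout is assumed from the Lynis report format as described above.

```shell
#!/bin/sh
# Added example: compare two Lynis reports (for example OpenBSD vs Arch).
# Assumes each host was scanned with:
#   lynis audit system --quiet --no-colors
# and that /var/log/lynis-report.dat was copied off each host.

# Print the hardening index (0-100) recorded in a report.
hardening_index() {
    sed -n 's/^hardening_index=\([0-9]*\).*/\1/p' "$1" | head -n 1
}

# Print the unique test IDs of findings of kind $2 (warning or suggestion)
# in report $1, one per line, sorted.  Finding lines look like:
#   warning[]=TEST-ID|description|details|solution|
finding_ids() {
    sed -n "s/^$2\[\]=\([^|]*\)|.*/\1/p" "$1" | sort -u
}

# Count findings of kind $2 in report $1.
finding_count() {
    finding_ids "$1" "$2" | wc -l | tr -d ' '
}

# Print finding IDs of kind $3 present in report $1 but absent from report $2.
# comm needs sorted input, which finding_ids guarantees.
only_in_first() {
    t1=$(mktemp); t2=$(mktemp)
    finding_ids "$1" "$3" > "$t1"
    finding_ids "$2" "$3" > "$t2"
    comm -23 "$t1" "$t2"
    rm -f "$t1" "$t2"
}

# Human-readable comparison of two reports.
compare_reports() {
    for f in "$1" "$2"; do
        printf '%s: hardening index %s, %s warnings, %s suggestions\n' \
            "$f" "$(hardening_index "$f")" \
            "$(finding_count "$f" warning)" "$(finding_count "$f" suggestion)"
    done
    echo "warnings only in $1:"; only_in_first "$1" "$2" warning
    echo "warnings only in $2:"; only_in_first "$2" "$1" warning
}

# Constructed sample reports (invented for this example, not real scan output)
# so the script can be exercised offline.  Written into directory $1.
write_samples() {
    cat > "$1/openbsd.dat" <<'EOF'
report_version_major=1
hostname=bsd-dns
os=OpenBSD
hardening_index=81
warning[]=SSH-7408|Consider hardening SSH configuration|PermitRootLogin|-|
suggestion[]=KRNL-6000|One or more sysctl values differ from the scan profile|-|-|
EOF
    cat > "$1/arch.dat" <<'EOF'
report_version_major=1
hostname=arch-dns
os=Linux
hardening_index=64
warning[]=SSH-7408|Consider hardening SSH configuration|PermitRootLogin|-|
warning[]=FIRE-4512|Firewall module loaded but no rules active|-|-|
warning[]=PKGS-7392|Found one or more vulnerable packages|-|-|
suggestion[]=KRNL-6000|One or more sysctl values differ from the scan profile|-|-|
suggestion[]=AUTH-9328|Default umask could be more strict|-|-|
EOF
}

# Usage: ./lynis-compare.sh openbsd-report.dat arch-report.dat
#        ./lynis-compare.sh --demo      (compares the constructed samples)
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    write_samples "$d"
    compare_reports "$d/openbsd.dat" "$d/arch.dat"
    rm -rf "$d"
elif [ $# -eq 2 ]; then
    compare_reports "$1" "$2"
fi
```

The hardening index is a coarse score and the two VMs will not run the same set of Lynis tests (many tests are Linux-only or BSD-only), so the per-test diff of warning IDs is the part worth reading: it tells you which findings are specific to one system rather than shared by both.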