1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
|
<?xml version="1.0" encoding="iso-8859-1" standalone="no"?>
<!DOCTYPE article PUBLIC "-//FreeBSD//DTD DocBook XML V4.2-Based Extension//EN"
"../../../share/xml/freebsd42.dtd" [
<!ENTITY % entities PUBLIC "-//FreeBSD//ENTITIES DocBook FreeBSD Entity Set//EN" "../../share/xml/entities.ent">
%entities;
]>
<!--
Copyright (c) 2005 Dru Lavigne
Redistribution and use in source (SGML DocBook) and 'compiled' forms
(SGML, HTML, PDF, PostScript, RTF and so forth) with or without
modification, are permitted provided that the following conditions
are met:
1. Redistributions of source code (SGML DocBook) must retain the above
copyright notice, this list of conditions and the following
disclaimer as the first lines of this file unmodified.
2. Redistributions in compiled form (transformed to other DTDs,
converted to PDF, PostScript, RTF and other formats) must reproduce
the above copyright notice, this list of conditions and the
following disclaimer in the documentation and/or other materials
provided with the distribution.
THIS DOCUMENTATION IS PROVIDED BY THE FREEBSD DOCUMENTATION PROJECT "AS
IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL NIK CLAYTON BE LIABLE FOR ANY
DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
ANY WAY OUT OF THE USE OF THIS DOCUMENTATION, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
$FreeBSD$
-->
<article lang='en'>
<articleinfo>
<title>FreeBSD: An Open Source Alternative to Linux</title>
<author>
<firstname>Dru</firstname>
<surname>Lavigne</surname>
<affiliation>
<address><email>dru@isecom.org</email></address>
</affiliation>
</author>
<copyright>
<year>2005</year>
<holder role="mailto:dru@isecom.org">Dru Lavigne</holder>
</copyright>
<pubdate>$FreeBSD$</pubdate>
<releaseinfo>$FreeBSD$</releaseinfo>
<legalnotice id="trademarks" role="trademarks">
&tm-attrib.freebsd;
&tm-attrib.linux;
&tm-attrib.unix;
&tm-attrib.general;
</legalnotice>
&legalnotice;
<abstract>
<para>The objective of this whitepaper is to explain some of the
features and benefits provided by &os;, and where
applicable, compare those features to &linux;. This paper
provides a starting point for those interested in exploring
Open Source alternatives to &linux;.</para>
</abstract>
</articleinfo>
<sect1 id="introduction">
<title>Introduction</title>
<para>&os; is a &unix; like operating system based on the
Berkeley Software Distribution. While &os; and &linux; are
commonly perceived as being very similar, there are differences:</para>
<orderedlist>
<listitem>
<para>&linux; itself is a kernel. Distributions (e.g. Red Hat,
Debian, Suse and others) provide the installer and the
utilities available to the user. http://www.linux.org/dist
lists well over 300 distinct distributions. While giving
the user maximum flexibility, the existence of so many
distributions also increases the difficulty of transferring
one's skills from one distribution to another. Distributions
don't just differ in ease-of install and available programs;
they also differ in directory layout, available shells and
window managers, and software installation and patching
routines.</para>
<para>&os; is a complete operating system (kernel and
userland) with a well-respected heritage grounded in the
roots of Unix development.
<footnote>
<para>See also <ulink
url="http://www.oreilly.com/catalog/opensources/book/kirkmck.html"></ulink>
for a brief history.</para>
</footnote>
Since both the kernel and the
provided utilities are under the control of the same release
engineering team, there is less likelihood of library
incompatibilities. Security vulnerabilities can also be
addressed quickly by the security team. When new utilities
or kernel features are added, the user simply needs to read
one file, the Release Notes, which is publicly available on
the main page of the <ulink
url="http://www.FreeBSD.org">&os; website</ulink>.</para>
</listitem>
<listitem>
<para>&os; has a large and well organized programming base
which ensures changes are implemented quickly and in a
controlled manner. There are several thousand programmers
who contribute code on a regular basis but only about 300 of
these have what is known as a commit bit and can actually
commit changes to the kernel, utilities and official
documentation. A release engineering team provides quality
control and a security officer team is responsible for
responding to security incidents. In addition, there is an
elected core group of 8 senior committers who set the
overall direction of the Project.</para>
<para>In contrast, changes to the Linux kernel ultimately have
to wait until they pass through the maintainer of kernel
source, Linus Torvalds. How changes to distributions occur
can vary widely, depending upon the size of each particular
distribution's programming base and organizational method.</para>
</listitem>
<listitem>
<para>While both &os; and &linux; use an Open Source
licensing model, the actual licenses used differ. The Linux
kernel is under the <ulink url="http://www.opensource.org/licenses/gpl-license.php">GPL license</ulink> while
&os; uses the <ulink url="http://www.opensource.org/licenses/bsd-license.php">BSD license</ulink>. These,
and other Open Source licenses, are described in more detail
at the website of the <ulink url="http://www.opensource.org/licenses/">Open Source
Initiative</ulink>.</para>
<para>The driving philosophy behind the GPL is to ensure that
code remains Open Source; it does this by placing
restrictions on the distribution of GPLd code. In contrast,
the BSD license places no such restrictions, which gives you
the flexibility of keeping the code Open Source or closing
the code for a proprietary commercial product.
<footnote>
<para>For a fairly unbiased view of the merits of each
license, see <ulink
url="http://en.wikipedia.org/wiki/BSD_and_GPL_licensing"></ulink>.</para>
</footnote>
Having
stable and reliable code under the attractive BSD license
means that many operating systems, such as <ulink url="http://developer.apple.com/darwin/projects/darwin/faq.html">Apple OS X</ulink>
are based on FreeBSD code. It also means that if you choose
to use BSD licensed code in your own projects, you can do so
without threat of future legal liability.</para>
</listitem>
</orderedlist>
</sect1>
<sect1 id="freebsd-features">
<title>&os; Features</title>
<sect2 id="freebsd-features-platforms">
<title>Supported Platforms</title>
<para>&os; has gained a reputation as a secure, stable,
operating system for the &intel; (&i386;) platform. However,
&os; also supports the following architectures:</para>
<itemizedlist>
<listitem><simpara>alpha</simpara></listitem>
<listitem><simpara>amd64</simpara></listitem>
<listitem><simpara>ia64</simpara></listitem>
<listitem><simpara>&i386;</simpara></listitem>
<listitem><simpara>pc98</simpara></listitem>
<listitem><simpara>&sparc64;</simpara></listitem>
</itemizedlist>
<para>In addition, there is ongoing development to port &os;
to the following architectures:</para>
<itemizedlist>
<listitem><simpara>&arm;</simpara></listitem>
<listitem><simpara>&mips;</simpara></listitem>
<listitem><simpara>&powerpc;</simpara></listitem>
</itemizedlist>
<para>Up-to-date hardware lists are maintained for each
architecture so you can tell at a glance if your hardware is
supported. For servers, there is excellent hardware RAID and
network interface support.</para>
<para>&os; also makes a great workstation and laptop
operating system! It supports the X Window System, the same
one used in &linux; distributions to provide a desktop user
interface. It also supports over 13,000 easy to install
third-party applications,
<footnote>
<para>Using <ulink url="&url.base;/ports">FreeBSD's ports
collection</ulink>: software installation is as easy as
<command>pkg_add -r application_name</command>.</para>
</footnote>
including KDE, Gnome, and
OpenOffice.</para>
<para>Several projects are available to ease the installation of
&os; as a desktop. The most notable are:</para>
<itemizedlist>
<listitem><para><ulink
url="http://www.desktopbsd.net">DesktopBSD</ulink> which
aims at being a stable and powerful operating system for
desktop users.</para></listitem>
<listitem><para><ulink
url="http://www.freesbie.org">FreeSBIE</ulink> which
provides a LiveCD of &os;.</para></listitem>
<listitem><para><ulink
url="http://www.pcbsd.com">PC-BSD</ulink> which provides an
easy-to-use GUI installer for &os; aimed at the desktop
user.</para></listitem>
</itemizedlist>
</sect2>
<sect2 id="freebsd-features-frameworks">
<title>Extensible Frameworks</title>
<para>&os; provides many extensible frameworks to easily
allow you to customize the FreeBSD environment to your
particular needs. Some of the major frameworks are:</para>
<variablelist>
<varlistentry>
<term>Netgraph</term>
<listitem><para>Netgraph is a modular networking subsystem that
can be used to supplement the existing kernel networking
infrastructure. Hooks are provided to allow developers to
derive their own modules. As a result, rapid prototyping and
production deployment of enhanced network services can be
performed far more easily and with fewer bugs. Many existing
operational modules ship with FreeBSD and include support for:</para>
<itemizedlist>
<listitem><para>PPPoE</para></listitem>
<listitem><para>ATM</para></listitem>
<listitem><para>ISDN</para></listitem>
<listitem><para>Bluetooth</para></listitem>
<listitem><para>HDLC</para></listitem>
<listitem><para>EtherChannel</para></listitem>
<listitem><para>Frame Relay</para></listitem>
<listitem><para>L2TP, just to name a few.</para></listitem>
</itemizedlist>
</listitem>
</varlistentry>
<varlistentry>
<term>GEOM</term>
<listitem><para>GEOM is a modular disk I/O request
transformation framework. Since it is a pluggable storage
layer, it permits new storage services to be quickly developed
and cleanly integrated into the FreeBSD storage
subsystem. Some examples where this can be useful are:</para>
<itemizedlist>
<listitem><para>Creating RAID solutions.</para></listitem>
<listitem><para>Providing full-blown cryptographic protection of stored data.</para></listitem>
</itemizedlist>
<para>Newer versions of FreeBSD provide many administrative
utilities to use the existing GEOM modules. For example, one
can create a disk mirror using &man.gmirror.8;, a stripe
using &man.gstripe.8;, and a shared secret device using
&man.gshsec.8;.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>GBDE</term>
<listitem><para>GBDE, or GEOM Based Disk Encryption, provides
strong cryptographic protection and can protect file systems,
swap devices, and other uses of storage media. In addition,
GBDE transparently encrypts entire file systems, not just
individual files. No cleartext ever touches the hard drive's
platter.</para></listitem>
</varlistentry>
<varlistentry>
<term>MAC</term>
<listitem><para><ulink url="&url.base;/doc/en_US.ISO8859-1/books/handbook/mac.html">MAC</ulink>,
or Mandatory Access Control, provides fine-tuned access to
files and is meant to augment traditional operating system
authorization provided by file permissions. Since MAC is
implemented as a modular framework, a FreeBSD system can be
configured for any required policy varying from HIPAA
compliance to the needs of a military-grade system.</para>
<para>&os; ships with modules to implement the following
policies; however the framework allows you to develop any
required policy:</para>
<itemizedlist>
<listitem><para>Biba integrity model</para></listitem>
<listitem><para>Port ACLs</para></listitem>
<listitem><para>MLS or Multi-Level Security confidentiality policy</para></listitem>
<listitem><para>LOMAC or Low-watermark Mandatory Access Control data integrity policy</para></listitem>
<listitem><para>Process partition policy</para></listitem>
</itemizedlist>
</listitem>
</varlistentry>
<varlistentry>
<term>PAM</term>
<listitem><para>Like &linux;, &os; provides support for <ulink url="&url.base;/doc/en_US.ISO8859-1/articles/pam/">PAM</ulink>,
Pluggable Authentication Modules. This allows an administrator
to augment the traditional &unix; username/password
authentication model. &os; provides modules to integrate
into many authentication mechanisms, including:</para>
<itemizedlist>
<listitem><para>Kerberos 5</para></listitem>
<listitem><para>OPIE</para></listitem>
<listitem><para>RADIUS</para></listitem>
<listitem><para>TACACS+</para></listitem>
</itemizedlist>
<para>It also allows the administrator to define policies to
control authentication issues such as the quality of
user-chosen passwords.</para>
</listitem>
</varlistentry>
</variablelist>
</sect2>
</sect1>
<sect1 id="freebsd-security">
<title>Security</title>
<para>Security is very important to the <ulink
url="&url.base;/doc/en_US.ISO8859-1/articles/releng/">FreeBSD
Release
Engineering Team</ulink>. This
manifests itself in several concrete areas:</para>
<itemizedlist>
<listitem><para>All security incidents and fixes pass through the
Security Team and are issued as publicly available
Advisories. The Security Team has a reputation for quickly
resolving known security issues. Full information regarding
FreeBSD's security handling procedures and where to find
security information is available at
<ulink url="http://www.FreeBSD.org/security/"></ulink>.</para></listitem>
<listitem><para>One of the problems associated with Open Source
software is the sheer volume of available applications. There
are literally tens of thousands of Open Source application projects
each with varying levels of responsiveness to security
incidents. &os; has met this challenge head-on with <ulink
url="http://www.vuxml.org/freebsd/">VuXML</ulink>. All software
shipped with the FreeBSD operating system as well any software
available in the <ulink
url="&url.base;/ports/">Ports Collection</ulink>
is compared to a database of known, unresolved
vulnerabilities. An administrator can use the &man.portaudit.1;
utility to quickly determine if any software on a &os;
system is vulnerable, and if so, receive a description of the
problem and an URL containing a more detailed vulnerability
description.</para></listitem>
</itemizedlist>
<para>&os; also provides many mechanisms which allow an
administrator to tune the operating system to meet his security
needs:</para>
<itemizedlist>
<listitem><para>The &man.jail.8; utility allows an administrator
to imprison a process; this is ideal for applications which
don't provide their own chroot environment.</para></listitem>
<listitem><para>The &man.chflags.1; utility augments the
security provided by traditional Unix permissions. It can, for
example, prevent specified files from being modified or
deleted by even the superuser.</para></listitem>
<listitem><para>&os; provides 3 built-in stateful, NAT-aware
firewalls, allowing the flexibility of choosing the ruleset
most appropriate to one's security needs.</para></listitem>
<listitem><para>The &os; kernel is easily modified, allowing an
administrator to strip out unneeded functionality. &os;
also supports kernel loadable modules and provides utilities
to view, load and unload kernel modules.</para></listitem>
<listitem><para>The sysctl mechanism allows an administrator to view
and change kernel state on-the-fly without requiring a
reboot.</para></listitem>
</itemizedlist>
</sect1>
<sect1 id="freebsd-support">
<title>Support</title>
<para>Like &linux;, &os; offers many venues for support, both
freely available and commercial.</para>
<sect2 id="freebsd-support-free">
<title>Free Offerings</title>
<itemizedlist>
<listitem><para>&os; is one of the best documented
operating systems, and the documentation is available both
as part of the operating system and on the Internet. Manual
pages are clear, concise and provide working
examples. <ulink
url="&url.base;/doc/en_US.ISO8859-1/books/handbook/">
The FreeBSD Handbook</ulink>
provides background information and configuration examples
for nearly every task one would wish to complete using
&os;.</para></listitem>
<listitem><para>&os; provides many support <ulink
url="&url.base;/doc/en_US.ISO8859-1/books/handbook/eresources.html#ERESOURCES-MAIL">mailing
lists</ulink>.
where answers are archived and fully searchable. If you have
a question that wasn't addressed by the Handbook, it most
likely has already been answered on a mailing list. The
Handbook and mailing lists are also available in several
languages, all of which are easily accessible from
<ulink url="http://www.FreeBSD.org"></ulink>.</para></listitem>
<listitem><para>There are many FreeBSD IRC channels, forums
and user groups. See <ulink
url="http://www.FreeBSD.org/support.html"></ulink> for a
selection.</para></listitem>
</itemizedlist>
<para>If you're looking for a &os; administrator, developer
or support personnel, send a job description which includes
geographic location to <email>freebsd-jobs@FreeBSD.org</email>.</para>
</sect2>
<sect2 id="freebsd-support-commercial">
<title>Commercial Offerings</title>
<para>There are many vendors who provide commercial &os;
support. Resources for finding a vendor near you
include:</para>
<itemizedlist>
<listitem><para>The Commercial Vendors page at the &os;
site: <ulink
url="http://www.FreeBSD.org/commercial/"></ulink></para></listitem>
<listitem><para>FreeBSDMall, who have been selling support contracts
for nearly 10 years.
<ulink url="http://www.freebsdmall.com"></ulink></para></listitem>
<listitem><para>The BSDTracker Database at: <ulink
url="http://www.nycbug.org/index.php?NAV=BSDTracker"></ulink></para></listitem>
</itemizedlist>
<para>There is also an initiative to provide certification of BSD
system administrators. <ulink
url="http://www.bsdcertification.org"></ulink>.</para>
<para>If your project requires Common Criteria certification,
&os; includes the <ulink
url="http://www.trustedbsd.org">TrustedBSD</ulink> MAC
framework to ease the certification process.</para>
</sect2>
</sect1>
<sect1 id="freebsd-advantages">
<title>Advantages to Choosing &os;</title>
<para>There are many advantages to including &os; solutions in
your IT infrastructure:</para>
<itemizedlist>
<listitem><para>&os; is well documented and follows many
standards. This allows your existing intermediate and advanced
system administrators to quickly transfer their existing Linux
and Unix skillsets to FreeBSD administration.</para></listitem>
<listitem><para>In-house developers have full access to all
FreeBSD code
<footnote>
<para>In addition, all code is browsable through a
web-interface: <ulink
url="http://www.FreeBSD.org/cgi/cvsweb.cgi/"></ulink>.</para>
</footnote>
for all releases going back to the original
&os; release. Included with the code are all of the log
messages which provide context to changes and
bug fixes. Additionally, a developer can easily replicate any
release by simply checking out the code with the desired
label. In contrast, &linux; traditionally didn't follow this
model, but has recently adopted a more mature development
model.
<footnote>
<para>An interesting overview of the evolving Linux
development model can be found at <ulink
url="http://linuxdevices.com/articles/AT4155251624.html"></ulink>.</para>
</footnote>
</para></listitem>
<listitem><para>In-house developers also have full access to
FreeBSD's <ulink
url="http://www.gnu.org/software/gnats/">GNATS</ulink>
bug-tracking database. They are able to query and track
existing bugs as well as submit their own patches for approval
and possible committal into the FreeBSD base code.
<ulink url="http://www.FreeBSD.org/support.html#gnats"></ulink></para></listitem>
<listitem><para>The BSD license allows you to freely modify the
code to suit your business purposes. Unlike the GPL, there are
no restrictions on how you choose to distribute the resulting
software.</para></listitem>
</itemizedlist>
</sect1>
<sect1 id="freebsd-conclusion">
<title>Conclusion</title>
<para>&os; is a mature &unix;-like operating system which
includes many of the features one would expect in a modern &unix;
system. For those wishing to incorporate an Open Source solution
in their existing infrastructure, &os; is an excellent choice
indeed.</para>
</sect1>
</article>
|