OpenBSD uses default basic-level security-checks via it's default crontab. For example: Filesystem permission monitoring and fixing.
isabella$ du -h /etc/daily /etc/weekly /etc/monthly
6.0K /etc/daily
2.0K /etc/weekly
2.0K /etc/monthly
isabella$ du -h /usr/libexec/security
26.0K /usr/libexec/security
Crontab local mailer
OpenBSD utilises a local/per-user mail for your Crontabs, it even works with your custom Crontab scripts.
isabella$ mail
Mail version 8.1.2 01/15/2001. Type ? for help.
"/var/mail/isabella": 2 messages 2 unread
>U 1 [email protected] Sat Aug 18 01:31 4096/8192 server.lan daily insecurity output
U 2 [email protected] Sun Aug 19 01:00 1024/2048 Cron /home/isabella/script.sh
fw_update command
OpenBSD utilises the fw_update command to allow you to update the firmware of your devices. This is ran by default at system-startup.
isabella$ doas fw_update
fw_update: add none; update none; keep intel
sysmerge command
OpenBSD utilises the sysmerge command to provide original system configuration-file merging for the base OS.
isabella$ doas sysmerge
syspatch command
OpenBSD utilises the syspatch command to provide security patches to the base OS.
isabella$ doas syspatch
Get/Verify syspatch76-001_unbound... 100% |*****************************************************| 2836 KB 00:00
Installing patch 001_unbound
Errata can be reviewed under /var/syspatch
sysupgrade command
OpenBSD utilises the sysupgrade command to provide easy and stable system release upgrades to the base OS. For example: 7.5 to 7.6.
isabella$ sysupgrade
Fetching from https://mirror.laylo.nl/pub/OpenBSD//7.7/amd64/
sysupgrade: Error retrieving https://mirror.laylo.nl/pub/OpenBSD//7.7/amd64/SHA256.sig: 404 Not Found
Fetching from https://mirror.laylo.nl/pub/OpenBSD//7.6/amd64/
SHA256.sig 100% |*****************************************************************************| 2324 00:00
Signature Verified
Already on latest release.
pkg command suite
OpenBSD has a suite of commands related to it's pkg (user packages) system. For example: pkg_add, pkg_delete, etc.
pkg_add -vUu will perform an update of the user-packages in verbose.
pkg_delete -a will remove any unneeded depencies. Useful after uninstalling a package (pkg_delete <package-name>).
Xenocara instead of Xorg
OpenBSD uses it's own release of Xorg based on X11R7.7 packaged as xbase<rel>.tgz, xfont<rel>.tgz, xserv<rel>.tgz and xshare<rel>.tgz with custom patches and utilises a dedicated _x11 user by default to drop privileges and perform privilege separation in accordance to OpenBSD's "least privilege" policy.
Xenocara also includes it's own Display Manager xenodm with easily customisable configurations found in /etc/X11/xenodm/.
OpenBSD's own releases of cwm, fvwm and twm are found in the base pacakge-sets but you can also install other Window Managers or a Desktop Environment.
Here is a screenshot of my laptop running KDE Plasma 6 on OpenBSD 7.6.
