Podo,

Around here I have had to write up "exception" documents for our OpenBSD servers when we get stuff like this on security audit/scans. Imagine the pain in the ass it is to have to convince a non-technical supervisor that the "HIGH LEVEL" vulnerability (that in one case only affected Debian Linux) was already fixed on OpenBSD years before it was ever discovered, and then figure out how to put it all on paper in an intelligent way.

I have found that by looking on sites like SecurityFocus for the list of which systems are affected by a given vulnerability and crossing that with the OpenBSD patch download pages for current and previous versions, I can usually find where there was a patch that fixed a given vulnerability. It is a bit of work and isn't easy, but it is do-able.

This is all made easier in my case because I keep my servers running as close to the base install as possible, only adding additional software when I have to because the base install doesn't provide a service or the service it provides doesn't have all the options I need. Then I really look hard to see if I really need that particular option before I look at other software. Happily, my boss gives me some leeway on choosing how to set things up.

I have one firewall that is on an external audit/scan list that the people who actually do our audits don't believe really even exists because they can't even find it. Basically it has EVERYTHING locked down tight as a drum and allows only a few things through to and from very specific places. I love to show the blank audit page to the boss, esp. just before bonus time.

Thanks so much to the OpenBSD project for making me look so good.

stuart