Mastering FreeBSD and OpenBSD Security (MFAOS) more or less delivers on its subtitle: "Building, securing, and maintaining BSD systems." The book is chock full of absolutely sound administration advice from three experts with plenty of operational experience. I am also thrilled whenever I find a new BSD title on bookshelves. However, I believe a second edition of this book should be radically altered to better deliver value to the reader.
Note: I am in a somewhat awkward position as I write this review, since I know one of the authors as a fellow local security professional. I've spoken at a conference he organizes and I even have all three authors' signatures on my copy of MFAOS! Still, I hope they will consider incorporating my ideas when O'Reilly asks for a second edition.
First, I think MFAOS:2E should address FreeBSD, OpenBSD, and NetBSD. It's appropriate to read a book only about ONE of the BSDs, or all three of the BSDs. It's odd to cover FreeBSD and OpenBSD but not NetBSD. I think DragonFly BSD's miniscule userbase puts it on the fringe, and Mac OS X is not BSD.
Second, the authors should rigorously concentrate on covering BSD-specific administration and security issues. I do not need to read about generic security issues in Ch 1, or standard DNS/Mail/Web attacks in Chs 5/6/7. I definitely did not need YASD (Yet Another Snort Doc) in Ch 9 -- especially when ACID is explained as the console of choice. (BASE replaced ACID in Sep 04). I do not need the advice on incident response and forensics found in Ch 11. MFAOS should be a more of a BSD book and less of a security book.
Removing all of this generic material in a second edition would provide room to focus on BSD-specific material not found elsewhere. For example, Dru Lavigne's briefer, older, all-BSD book BSD Hacks gives more information on FreeBSD's Mandatory Access Controls than MFAOS -- and MFAOS is a BSD security book. I would have liked more details on building FreeBSD jails, especially with respect to creating a local package builder.
While reading MFAOS, I frequently felt the authors did not provide enough details on the subjects I felt were different from multi-platform Unix books. For example, why write five pages on Nagios in Ch 4 if that information really isn't enough to do anything useful?
It seemed the authors assumed many of their brief discussions of useful behavior was sufficient for the reader. In reality, I probably wouldn't be reading the book if I could get by on the information provided; I'd be implementing on my own. For example, the authors devote 3 1/2 pages in Ch 4 to using CVS to track changes to configuration files. While not BSD-specific, this is the sort of good practice not frequently covered elsewhere. Yet, when I hoped for more advanced discussions I see the phrase "beyond the scope of this book" on p 136.
I was disappointed that Qmail was ignored in Ch 6, even though Djbdns was addressed in Ch 5. Furthermore, when the authors repeatedly admit that Dan Berstein's software isn't well documented, they should recognize that as an opportunity! Say less on Apache, BIND, etc., and cover the lesser-known but potentially more secure alternatives.
I rate this book highly (four stars) because it's full of good advice. For example, I liked recommendations on using flags, secure levels, and similar topics in Ch 2. I liked the two-tiered Web server architecture in Ch 7, as well as comparisons of IPFW and Pf in Ch 8. You won't find me disagreeing with the authors of this book -- except when they configure Snort to log directly to a database. (Ouch -- that has been bad advice since Barnyard was released in Dec 02.)
A second edition should also keep in mind the binary upgrade and patching tools available since FreeBSD 5.x -- updating via source isn't necessary for many admins these days. Also, if they insist on demonstrating how to set up well-documented servers (DNS/Web/Mail), try picking one app and one BSD. Then thoroughly document setting up the entire system, from install to deployment. Consider providing templates, especially for automated and repeatable installations. Tie them to standards like CISecurity if possible. That would be exceptional.
I wish the authors had directed their talents toward BSD-specific quirks and less on topics covered elsewhere. This is still a solid BSD book, but I would be very glad to see MFAOS:2E take this advice to heart.