STEPHANIE(7)               OpenBSD Reference Manual               STEPHANIE(7)

NAME
     stephanie - Overview of Stephanie for OpenBSD 3.6

DESCRIPTION
     Stephanie for OpenBSD 3.6 adds some features, mostly security related, to
     the OpenBSD kernel. These features and their basic usage are described
     below.

     Features in Stephanie for OpenBSD 3.6 are:
     -   System trust list
     -   Trusted path execution
     -   Vexec: Binary integrity
     -   Process privacy
     -   Userland privacy

System trust list
     Stephanie maintains a trust list for users between "wheel" and "normal".
     It lets you maintain groups of users who can perform operations that
     normal users cannot, without giving them the privileges that come with
     membership in the wheel group. The trust list is consulted by various
     Stephanie components.

     The trust list is a group on the system. This allows more flexibility in
     managing multiple trust lists. Care has been taken to avoid race condi-
     tions and privilege escalation (forks, setuid, etc.) when the list is
     consulted.

     To set the trust list set the "trust_gid" parameter to the group-ID of
     the wanted group:

             # sysctl -w kern.security.trust_gid=1337

     To disable the trust list, set it to -1:

             # sysctl -w kern.security.trust_gid=-1

     By default, the trust list is disabled.

Trusted path execution (TPE)
     TPE makes sure users are only allowed to execute programs located in
     trusted locations -- directories owned by root and writable by neither
     group nor other.

     The superuser and trusted users are allowed to bypass this restriction.

     TPE is enabled by default. To disable it:

             # sysctl -w kern.security.tpe=0
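
     The following script is an added example and is not part of Stephanie;
     it mirrors the TPE rule stated above in userland so that an administra-
     tor can audit which paths would be executable for an untrusted user be-
     fore relying on the kernel check. It assumes only POSIX sh and ls(1);
     the function names (tpe_check_fields, tpe_trusted_path, tpe_audit) are
     the example's own. The kernel remains the authority on what is trusted.

```sh
#!/bin/sh
# Added example (not Stephanie code): userland approximation of the TPE
# rule "directory owned by root, writable by neither group nor other".

# Pure check on an ls(1)-style mode string and a numeric owner uid.
# Returns 0 (trusted) or 1 (untrusted).
tpe_check_fields() {
    mode=$1
    uid=$2
    # the directory must be owned by root (uid 0)
    [ "$uid" = 0 ] || return 1
    # the entry must be a directory
    case "$mode" in
        d*) ;;
        *) return 1 ;;
    esac
    # in "drwxr-xr-x", character 6 is the group write bit and
    # character 9 is the other write bit
    gw=$(printf '%s' "$mode" | cut -c6)
    ow=$(printf '%s' "$mode" | cut -c9)
    [ "$gw" != w ] && [ "$ow" != w ]
}

# Check the directory containing an executable (or a directory itself),
# using portable "ls -ldn" output: mode links uid gid size ... name
tpe_trusted_path() {
    target=$1
    if [ -d "$target" ]; then
        dir=$target
    else
        dir=$(dirname "$target")
    fi
    set -- $(ls -ldn "$dir") || return 1
    tpe_check_fields "$1" "$3"
}

# Print one line per path: "trusted" or "UNTRUSTED" followed by the path.
# Usage: tpe_audit /usr/bin/ls /tmp/prog ...
tpe_audit() {
    for p in "$@"; do
        if tpe_trusted_path "$p"; then
            printf 'trusted   %s\n' "$p"
        else
            printf 'UNTRUSTED %s\n' "$p"
        fi
    done
}

if [ $# -gt 0 ]; then
    tpe_audit "$@"
fi
```

     Run it as "sh tpe_audit.sh /usr/bin/ls /tmp/x/prog" to list each path
     with its TPE status. Paths under a world- or group-writable directory,
     or under a directory not owned by root, are reported as UNTRUSTED; a
     trusted user or the superuser would still be able to execute them, as
     described above.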

Vexec
     Vexec, rewritten in this Stephanie version, loads a list of digital fin-
     gerprints of files into the kernel and verifies them upon access. List
     lookups are sped up by hash tables and by caching the fingerprint status
     on the vnode.

     Loading fingerprints can be done only in single-user mode using the
     vexecctl(8) utility.

     A shell script, fpgen.sh, is provided to make the job of generating a
     system-wide fingerprint file a lot easier.

     Part of Vexec is also used by the TPE code, namely to load a list of
     executables that are interpreters or shells. For interpreters, TPE is
     enforced on indirect execution as well; for both interpreters and
     shells, arguments that resolve to pathnames are checked against the
     trusted-path rule.

     To use Vexec you may want to add the following to /etc/rc.securelevel:

             if [ -e /etc/vexec.conf ]; then
                     /usr/local/sbin/vexecctl /etc/vexec.conf
             fi

Process privacy
     When enabled, process privacy will add some sort of privacy to the system
     by preventing the retrieval of information about processes by users who
     don't own them.

     Procfs hooks also exist, and when turned on, newly mounted procfs file-
     systems have their permission bits slightly modified, preventing reads
     by group and other users.

     The superuser is allowed to bypass the privacy restrictions. Trusted
     users can be allowed to bypass these restrictions as well by setting the
     trust override flag:

             # sysctl -w kern.security.trust_override=1

     By default, process privacy is enabled. To disable it:

             # sysctl -w kern.security.privacy.op=0

     To enable the (disabled by default) procfs hooks:

             # sysctl -w kern.security.privacy.procfs=1

Userland privacy
     New in Stephanie for OpenBSD 3.6 are userland privacy hooks. These fil-
     ter the information reported by userland programs depending on the user
     executing them. Every hook has its own on/off switch, and all hooks take
     the trust_override status into account.

     Userland programs often read information from world-readable files, so
     the permissions (and in some cases the group ownership) of such files
     had to be changed, and the relevant programs had to be given matching
     group ownership and a set-group-id flag, to make sure the filtering can-
     not be bypassed by reading the files directly. Other files, such as the
     mtree and rc scripts, also had to be changed to comply with the new
     permissions and ownerships. Note that these have to be maintained in
     order to keep full userland privacy intact.

     The installation script/guide contains detailed information.

     Userland privacy is turned off by default. To enable:

             # sysctl -w kern.security.privacy.op=1
             # sysctl -w kern.security.privacy.netstat=1
             # sysctl -w kern.security.privacy.w=1
             # sysctl -w kern.security.privacy.who=1
             # sysctl -w kern.security.privacy.last=1
             # sysctl -w kern.security.privacy.finger=1

FILES
     /etc/vexec.conf Vexec main fingerprint database

     /usr/local/share/stephanie/fpgen.sh Vexec fingerprint database generation
     script

     /usr/local/share/stephanie/README The Stephanie README file

     /usr/local/share/stephanie/INSTALL Installation instructions for
     Stephanie

     /usr/local/share/stephanie/NEW_HASH Information about adding new hashing
     types to Stephanie

SEE ALSO
     vexecctl(8), vexec.conf(5), vexec(4)

AUTHOR
     br1an <brian@ethernet.org> wrote and maintains Stephanie for OpenBSD 3.6.

OpenBSD 3.6                    October 15, 2004                              3