Stephanie for OpenBSD 3.6 - manual installation instructions
------------------------------------------------------------

Note: if your system is a fairly normal/default install, it is suggested
that you use the provided install.sh script instead; it is friendlier and
reports more about what is being done.

Assumptions:
- Source tree in /usr/src/
- Stephanie for OpenBSD 3.6 extracted in ~/Stephanie-3.6/
- You are root.

Start by putting the documentation and general man pages in place for
future reference:

    cd ~/Stephanie-3.6/doc/
    make && make install && make clean

Then patch the source tree:

    patch -d /usr/ -p0 < ~/Stephanie-3.6/Stephanie-3.6.patch

Add the Vexec pseudo-device to your kernel's config, for example GENERIC:

    echo "pseudo-device vexec 1" >> /usr/src/sys/conf/GENERIC

Copy the Stephanie files into the tree:

    cd ~/Stephanie-3.6/
    cp -f sys/{security.h,vexec.h} /usr/src/sys/sys/
    cp -f kern/{kern_security.c,kern_vexec.c} /usr/src/sys/kern/
    cp -f dev/vexec.c /usr/src/sys/dev/

Sync the headers between kernel and userland:

    cp /usr/src/sys/sys/{conf.h,exec.h,proc.h,sysctl.h,vnode.h} /usr/include/sys/
    cp ~/Stephanie-3.6/sys/{security.h,vexec.h} /usr/include/sys/

Now you need to recompile your kernel and install it. Instructions on how
to do that are available in the OpenBSD FAQ:
http://www.openbsd.org/faq/faq5.html#Building

After you have booted your new kernel and verified that you get the
Stephanie message at the bottom of the dmesg, we can go on. If you didn't,
mail me with as much relevant information as you can.

Moving on...
Stephanie changes the process credentials struct ('pcred'), so libkvm and
the programs that depend on it need to be recompiled:

    cd /usr/src/lib/libkvm
    make clean && make depend && make && make install && make clean
    cd /usr/src/bin/ps
    make clean && make && make install && make clean
    cd /usr/src/usr.bin/systat
    make clean && make && make install && make clean
    cd /usr/src/usr.bin/vmstat
    make clean && make && make install && make clean

Recompile sysctl:

    cd /usr/src/sbin/sysctl
    make clean && make && make install && make clean

Compile vexecctl:

    cd ~/Stephanie-3.6/vexecctl
    make && make install && make clean

Create the Vexec pseudo-device. The major number depends on your arch:

    Arch      Major (N)
    ----      ---------
    alpha     58
    amd64     83
    arm       99
    hp300     53
    hppa      40
    i386      84
    luna88k   53
    mac68k    53
    macppc    79
    mvme68k   53
    mvme88k   53
    mvmeppc   56
    sparc     52
    sparc64   53
    vax       75

Issue the following:

    mknod -m 0600 /dev/vexec c N 0

where 'N' is the device major suiting your architecture.

The last step is to set up userland privacy. Recompile all modified
programs:

    cd /usr/src/usr.bin/finger
    make clean && make && make install && make clean
    cd /usr/src/usr.bin/last
    make clean && make && make install && make clean
    cd /usr/src/usr.bin/netstat
    make clean && make && make install && make clean
    cd /usr/src/usr.bin/w
    make clean && make && make install && make clean
    cd /usr/src/usr.bin/who
    make clean && make && make install && make clean

Change the permissions on utmp, wtmp, and lastlog:

    chmod 0660 /var/run/utmp
    chmod 0640 /var/log/wtmp
    chmod 0640 /var/log/lastlog

Change the group of the recompiled programs to 'utmp':

    chgrp utmp /usr/bin/finger
    chgrp utmp /usr/bin/last
    chgrp utmp /usr/bin/w
    chgrp utmp /usr/bin/who

And set the SGID bit on them:

    chmod 2555 /usr/bin/finger
    chmod 2555 /usr/bin/last
    chmod 2555 /usr/bin/w
    chmod 2555 /usr/bin/who

Patch /etc/newsyslog.conf, /etc/rc, and /etc/mtree/special so they don't
mess up these permissions:

    patch -d /etc/ -p0 < ~/Stephanie-3.6/patches/newsyslog.conf.patch
    patch -d /etc/ -p0 < ~/Stephanie-3.6/patches/etc.rc.patch
    patch -d /etc/mtree/ -p0 < ~/Stephanie-3.6/patches/etc.mtree.special.patch

To use Vexec you must add the following (or similar) snippet to
/etc/rc.securelevel - Vexec fingerprints MUST be loaded in single-user
mode:

    # Load Vexec fingerprints
    if [ -e /etc/vexec.conf ]; then
        echo 'loading Vexec fingerprints...'
        /usr/local/sbin/vexecctl /etc/vexec.conf
    fi

And customize Stephanie (the default sysctl values) in /etc/sysctl.conf.

Read stephanie(7) for more information on Stephanie, vexec.conf(5) and
vexecctl(8) for more information on Vexec, and take a look at the attached
fpgen.sh script (~/Stephanie-3.6/misc/fpgen.sh) for generating
vexec.conf-style files.

Once done, reboot.

Contact me if there are any problems, and make sure you're as informative
as possible.

br1an
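As an added example (written for this page, not part of the Stephanie distribution or the instructions above), the following POSIX sh script audits what the device-node and userland-privacy steps leave behind: that /dev/vexec is a character device with the major from the table for your arch, that utmp/wtmp/lastlog carry the modes set above, and that finger, last, w and who are mode 2555 with group 'utmp'. It assumes the usual ls(1) column layout (mode, links, owner, group, then size or "major, minor"), an arch name as printed by `arch -s`, and a hypothetical AUDIT_GROUP environment override so the group check can be exercised against a staging tree that has no 'utmp' group.

```shell
#!/bin/sh
# Post-install audit for the Stephanie /dev/vexec node and the userland
# privacy permissions. Example script for this document; it assumes the
# ls(1) layout "-rw-r----- 1 owner group ..." (OpenBSD and Linux agree).

# Expected device major for an OpenBSD 3.6 arch, from the table in the
# instructions. Prints nothing and returns 1 for an unknown arch.
vexec_major() {
    case "$1" in
        alpha)   echo 58 ;;
        amd64)   echo 83 ;;
        arm)     echo 99 ;;
        hppa)    echo 40 ;;
        i386)    echo 84 ;;
        macppc)  echo 79 ;;
        mvmeppc) echo 56 ;;
        sparc)   echo 52 ;;
        vax)     echo 75 ;;
        hp300|luna88k|mac68k|mvme68k|mvme88k|sparc64) echo 53 ;;
        *)       return 1 ;;
    esac
}

# Print the 10-character mode string of a path (e.g. "-rw-rw----").
perm_string() {
    [ -e "$1" ] || return 1
    ls -ld "$1" | cut -c1-10
}

# Print the group name of a path as shown by ls.
group_of() {
    [ -e "$1" ] || return 1
    ls -ld "$1" | awk '{print $4}'
}

# Print the major of a character device node ("84" for "crw------- 1 root
# wheel 84, 0 ..."); fails if the path is not a char device.
char_major() {
    perm="$(perm_string "$1")" || return 1
    case "$perm" in c*) ;; *) return 1 ;; esac
    ls -ld "$1" | awk '{sub(",", "", $5); print $5}'
}

# Audit the files under root $1 ("" for the live system, or a staging
# directory). Prints one line per mismatch; returns 1 if anything deviates.
# AUDIT_GROUP (hypothetical, for testing) overrides the expected group.
audit_privacy() {
    root="$1"
    rc=0
    want_grp="${AUDIT_GROUP:-utmp}"
    # path:expected-mode pairs for the accounting files (0660 / 0640 / 0640)
    for spec in \
        /var/run/utmp:-rw-rw---- \
        /var/log/wtmp:-rw-r----- \
        /var/log/lastlog:-rw-r-----
    do
        path="${root}${spec%%:*}"
        want="${spec#*:}"
        got="$(perm_string "$path" || true)"
        if [ "$got" != "$want" ]; then
            echo "MISMATCH $path: mode '$got', expected '$want'"
            rc=1
        fi
    done
    # the four SGID readers: mode 2555 shows as -r-xr-sr-x, group utmp
    for prog in finger last w who; do
        path="${root}/usr/bin/$prog"
        got="$(perm_string "$path" || true)"
        if [ "$got" != "-r-xr-sr-x" ]; then
            echo "MISMATCH $path: mode '$got', expected '-r-xr-sr-x'"
            rc=1
        fi
        grp="$(group_of "$path" || true)"
        if [ "$grp" != "$want_grp" ]; then
            echo "MISMATCH $path: group '$grp', expected '$want_grp'"
            rc=1
        fi
    done
    return $rc
}

# Check that $1/dev/vexec is a char device with the major for arch $2.
audit_vexec_node() {
    want="$(vexec_major "$2")" || { echo "unknown arch '$2'"; return 1; }
    got="$(char_major "$1/dev/vexec")" || { echo "MISSING or not a char device: $1/dev/vexec"; return 1; }
    [ "$got" = "$want" ] || { echo "MISMATCH $1/dev/vexec: major $got, expected $want"; return 1; }
}

# Usage on the live system (as root), after the reboot:
#   audit_privacy "" && audit_vexec_node "" "$(arch -s)" && echo "audit OK"
```

Run it after the final reboot; a clean run prints nothing and exits 0, and a non-zero exit means something (typically newsyslog or an mtree run) has reset a mode or group and the patches to /etc/newsyslog.conf and /etc/mtree/special should be checked.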