OpenBSD Journal

Stephanie for OpenBSD 3.1 released

Contributed by Dengue on from the privacy-patch dept.

brian writes :
"Stephanie, an OpenBSD 'hardening' package is now available in a new and improved (!) version for OpenBSD 3.1. The features include:
  • TPE
  • MD5 "binary integrity verification"
  • In-kernel ACL mechanism
  • Restricted symbolic links
  • Minor privacy modifications
  • Real-time logging of execve() calls
  • ld.so protection (env. stripping)
The new version is modular, which means you can choose what components to install. The license is the original two-clause BSD license. Make sure you read documentation and follow the correct installation instructions. Please don't mess with stuff you don't understand. :)

Stephanie is available from http://innu.org/~brian/Stephanie and also from mirrors in the UK, US, Italy, and Australia.
-- Information is at the main site."



Comments
  1. By Crypt () on

    OpenBSD needed hardening... ;-)

    (cheap joke, sorry, just had to be said)

    Comments
    1. By dSan () d}at{ugc.org.uk on ugc.org.uk

      Actually Stephanie has saved my bum so many times (you try and have a box for security freaks and see how many times they try and r00t the thing)

      keep up the good work :)

      d

  2. By P () on

    Great! I love you man!

  3. By me () on here

    I have heard that OpenBSD folks won't even bother to troubleshoot something if you have Stephanie on your box.

    Comments
    1. By Kint () on

      It's fully understandable. If you came out with a piece of software as complex as OpenBSD, would you waste your *free* time troubleshooting really weird problems for people who went and tinkered with your work?

      I wouldn't.

      Comments
      1. By Anonymous Coward () on

        Yeah, it's not like it's open source or anything. Who would want people to contribute changes back to the original project anyway? I love the OpenBSD attitude of "I'm taking my ball and going home," it shows real maturity and professionalism on the part of the developers.

        Comments
        1. By Nobody You'd Know () on

          There are a limited number of developers, most of whom also have "real jobs," as we in the know call them. I'm guessing they don't want this particular functionality, and seeing as it IS their project, that seems reasonable to me. It is perfectly reasonable for someone to maintain it as an add-on, but it is not reasonable to expect the OpenBSD folks to fix things for you if you use it. This notion people have that they are entitled to support is really pathetic; OpenBSD is for people who need and understand a real operating system; if you're some chump, why not just go use Windows; you won't know you got hacked anyway, until your web site gets defaced, and you'd screw up an OpenBSD system's security with all kinds of lame poorly written crap programs anyway.

        2. By Anonymous Coward () on

          If I come to your house and crap on your carpet, will you wipe my ass for me?

        3. By Hyb () on

          Would you provide support for code you a) didn't write, b) haven't used, and c) have many other things to do?
          Grow up.

        4. By niekze () on

          *ROFLMAO* Sure, this guy is a troll, but there is a hint of truth there. It only took 4 e-mails and a year for them to correct some 4th-grade grammar in the FAQ. He should have said that this is a case of "I want my cake and I wanna eat it to!" OpenBSD is supposed to be super great and fantabulous, but whenever faced with adversity, everyone throws out the "the developers don't get paid and have real jobs and you don't have to use it" trump card. When security patches come out, someone always gives a nice troll and everyone screams, shouts, and throws a tantrum when a simple "yea, we messed up. it happens" would suffice. Don't get me wrong, OpenBSD is a wonderful OS that fills a large gap that few others can even compete with, which is why I use it. On the other hand, too many people in the "scene" (which includes users, developers, irc people, etc.) act like irrational and quick-tempered children, which is why I stopped buying cd's twice a year. The guy I'm replying to is most likely commenting on the ipf/pf "fiasco." I agree with the way it was handled. Reed pretty much was going after OpenBSD. So OpenBSD decided to roll their own. End of story. But I credit that to Daniel Hartmeier, who's a nice guy and instead of joining the giant flame war, decided to start coding pf. Theo's never been rude or hateful to me, but I've seen some threads where he really shows his ass. I know 4 other people who stopped buying cd's for the same reason. That's $500 a year now. I'm sure there are others. So, when you decide to post responses to trolls like this or n00b questions in #openbsd, etc., remember what I've said. I'm not saying that you have to, by any means; everyone can continue acting like children. You all have that right. Just don't be surprised when you're treated like one. That's it, I'm done ranting.

          Comments
          1. By ER33t H4x0r () on http://f4gbl4st3r.cjb.net/%7ee3r33t/New%20Folder/i

            NI3KZ3 SHU7UP.

            Y0u: " 0MG 0MG!! IF Y0U (er33t 0p3nb5d h4x0rz) AR3N'T N1C3 TH3n I W0NT BuY CD5 !!!! "

            Us: g0 f0r i7 y0u h0m0hump3r. w3 b3t y0u c4n buY a l0t m0re an4kin skYw4lk3r c0stum3s w1th y0ur $500.

            0MG!!! N1EKz3 !! I W4S G0NNA S3ND Y0u $500 IN TH3 M4IL BUT S1NC3 Y0U K33p WHINING 4BOUT G3TT1NG Y0UR h0m0hump3r f33l1ngs hur7...IM K33PING MY $500 TH4T I W0ULD H4V3 S3NT T0 YoU!!!!!!

            sincerelye,
            E3EET H4X0R.

            p.s. ST0P WH1NING. I7 ISn'7 B3C0mING 0F A L4DY.

            Comments
            1. By Anonymous Coward () on

              You know, using childish 'l337-speak' only makes you look like a fool ;-)

              Comments
              1. By fagblaster () on

                I'm pretty sure responding to people who type in leetspeak is what makes a person look foolish (but here I am responding to you!)... and btw, watch out for ereet haxor (who learned from niekze), ereet might take *your* $500 away too =o. never forget the power of market forces over hackers... (L O L)

                *blast**zap**blast*,
                   fagblaster

          2. By Anonymous Coward () on

            "I want my cake and I wanna eat it to!"

            For someone complaining about fourth grade grammar, you might want to learn the difference between 'to' and 'too'. I think they teach that in third or fourth grade...

            Comments
            1. By Anonymous Coward () on

              +1, Funny

            2. By niekze () on

              Oh no! I made a mistake! You should put your punctuation inside single quotation marks. I further wonder who you were quoting, since ellipses are *only* used when leaving things out of quotations. But I find it amusing that you find the correction of grammar to be the most interesting reply idea. The point of the FAQ correction is that it took many e-mails for them to correct their mistake. I am not claiming to be a superior operating system. If I could edit my previous comment, it would be corrected in well under a year.

              Comments
              1. By RC () on

                niekzeon said: "I am not claiming to be a superior operating system."

                I would hope not.

          3. By Anonymous Coward () on

            why I stopped buying cd's twice a year

            I see some of the rudeness, but I have a different slant. Once I posted an answer on misc@ and Theo wrote me privately, saying I didn't understand the question. No flames, no embarrassment, no rudeness. Another time I emailed him a correction to the web site and it got fixed. Another time I posted that something wasn't working and it got fixed.

            Now if you judge the product by personality, maybe out of principle you should say "I quit using the OS for my stuff". But to say it is useful to you, while saying you won't support Theo, which includes some rudeness, means you hope eventually he tires of it, and someone else takes over. Do you think this is FreeBSD, with the core wars and the battles?

            Let's get our logic straight. Please.

        5. By ThomasJ () on

          Obviously this is a troll, but it is quite symptomatic of the "Bazaar Crowd" of Open Source.

          For those who have been living under a rock, "The Cathedral and the Bazaar" is a book by Eric S Raymond, in which he describes software projects in two metaphors:

          • The Cathedral is a project where a leader, a core team or a management team decides which way a software project is heading. It is like building a cathedral following a minute blueprint.
          • The Bazaar is a project where all contributors make some useful piece of development and what gets done sums up the heading of the project. It is like an oriental bazaar where each vendor turns up with his goods and thereby adds to the plenty of the whole.

          OpenBSD is an Open Source project but it is not a bazaar! OpenBSD is a Cathedral with all the good and bad there is with that. You can contribute, but in the end it is Theo who decides.

          But then you must realise that each vendor in a Bazaar is building a Cathedral in his micro-market and each Cathedral -- however monstrous and complete it might seem -- is still situated in a Bazaar.

          So, OpenBSD is a Cathedral next to the Stephanie Cathedral in a Bazaar where you, the consumer, take your pick. It really is like buying a Ford and adding a cupholder.

          (BTW it really is like this too in the Linux Kernel World, in the Apache World, in the Perl World and even in the GNU World)

          Comments
          1. By Anonymous Coward () on

            Great commentary. I would mod this up on /.

        6. By Kint () on

          "Who would want people to contribute changes back to the original project anyway?"

          Stephanie is *not* the original project.

          Comments
          1. By Anonymous Coward () on

            OpenBSD is the original project. Good job, fucktard.

            Comments
            1. By Kint () on

              Nice job of making yourself look like an idiot.

              How is whining about your OpenBSD 3.1 box being broken because you went and applied *outside* patches to it going to contribute to the OpenBSD project? Might get retards like you kicked off the lists, for once. That'd be an improvement.

        7. By Anonymous Coward () on

          Part of being open source is choice. Choice in license, choice in what projects you work on, choice in what and how you code. This also includes choice in what someone will or will not support. No one forces anyone to do something, including the insistence that something be supported. If you feel it should be supported, join the team and lend assistance. Otherwise, cut the criticism, as you've done the obvious and shown how silly your mind is.

  4. By Anonymous Coward () on

    Does anyone know what the OpenBSD team's stance on integrating Stephanie in the official release is? Do they have requirements of it that haven't been met? Are they completely against it for some reason? Or are they just too busy working on more important things?

  5. By Peter Hessler () spambox@theapt.org on http://www.sfobug.org

    I would like to see these patches integrated into the main tree. Even if it was off by default, but a configurable option (something in rc.security, before securelevel rises). Eventually I would like to see OpenBSD reach B or higher on the DOD computer security test.

    Comments
    1. By Nobody You'd Know () on

      First off, these patches can cause system panics, because, well, the people who wrote them didn't work out all the possible conditions that could arise.

      Second, even the DOD doesn't use the criteria you're referring to anymore. Those are ancient history.

      Third, DOD security criteria have nothing to do with what real computer people refer to as "computer security." They typically include access controls totally unsuitable for any kind of hobbyist or commercial use, or even for most government uses. In fact, most military systems don't include these features, because they are such a hindrance to work getting done that you'd be better off having no computer at all.

      Comments
      1. By Roo () on

        B grades require formal verification, and some of the requirements require hardened hardware too. :P

        So it's more of a system thing, not an OS thing.

        -Roo

      2. By JaNET () on

        Thanks for that, Theo.

  6. By Earx () on

    Does Stephanie make an OpenBSD box really slower?

    Comments
    1. By Miod Vallat () miod@openbsd.org on mailto:miod@openbsd.org

      When your system panics because of "issues" with some parts of Stephanie that were not thought upon long enough, sure it's slower.

      Comments
      1. By Flynn () on

        :) heh heh

  7. By Anonymous Coward () on

    What's all the fuss about? The patches are there for you guys to use if you want, and that's a good thing. The OpenBSD team will not give support to them on the project's lists, and that makes sense to anyone within some `normal' parameters.

    The question is who is doing this, and why should I trust him. Don't get me wrong, I just don't know who is behind this all.

  8. By bsddiy () on

    ACL is interesting, when will OpenBSD officially merge it into the source tree?

    Comments
    1. By Matthew Weigel () weigel@libcom.com on mailto:weigel@libcom.com

      Extended attributes, how ACLs are generally implemented on Unix, were incorporated post-3.0, and are included in 3.1. The most basic things, then, are already in place, all that's necessary now is the drudgery :-)

  9. By Anonymous Coward () on

    Is there any way one can harden an OpenBSD system without using Steph.?

    I'm thinking, making sure that users can only see their own processes, etc.

  10. By ernie () on

    Maybe I'm doing something wrong, but has anyone gotten this to work? When I apply the main Stephanie patch to a clean 3.1 tree (stable, direct from cvs, no mods) I get all kinds of hunk errors ... anyone gotten this to work?

    Comments
    1. By Anonymous Coward () on

      The problem is here - "stable". Stephanie is supposed to be used with base OpenBSD 3.1 sources, without the post-release patches that are committed to the stable branch.

      Comments
      1. By Anonymous Coward () on

        so when will it work with "-stable"? Wouldn't that be more useful?

  11. By J () none@none on mailto:none@none

    Anyone else getting hunk/fuzz failures applying this patch to an out-of-the-box OpenBSD 3.1 install from the CD??

  12. By why o why () _@_.com on mailto:_@_.com

    Why is it when I grab a kernel from cvs and I apply the Stephanie patches the compile fails?

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]