BSDnewsletter.com

Looking at MicroBSD

Stephanie: ACL: Trusted users list initialized.
Stephanie: k5: Binary integrity verification initialized.

The rest of the boot looked normal too. It created new DSA, RSA, and RSA1 host keys for ssh. And sendmail, inetd, sshd, cron and portmap were started.

When I logged in the MOTD said:

Welcome to MicroBSD: The proactively secure Unix-like operating system

The installation had taken 160MB. So I looked around.

The virtual consoles were enabled by default. I could switch to other consoles with CTRL-ALT-F1 through F6 (but virtual console ttyC4 was off as /etc/ttys defined). Also, I was able to login to it as root via ssh. It is running SSH-1.99-OpenSSH_3.4.

I noticed that many binaries and plain text files had MicroBSD RCS keywords, but appeared to have OpenBSD revision numbers and OpenBSD developer usernames.

The Apache webserver worked fine, but the default image displayed "OpenBSD" (although it text alt was "MicroBSD"). It also linked to http://www.microbsd.org/art which didn't exist. And a nice "strong crypto" blowfish.jpg was available.

Testing special features

k5ctl (8) - Stephanie: k5: Binary integrity verification control utility
sneekctl (8) - Stephanie:  Sneek:  execve()  logging control utility

I had a quick look at these manual pages and decided to give them a try.

# sneekctl show
Bad system call (core dumped)

Program terminated with signal 12, Bad system call.
#0  0x1e79 in ?? ()
#1  0x109c in ?? ()

Then I tried k5ctl for doing binary integrity verification.

# k5ctl list
Total entries in database: 0

Then I added a program to the kernel's k5 database:

# k5ctl add /bin/k5ctl     
# k5ctl info /bin/k5ctl  
Path: /bin/k5ctl (21523)
MD5 Checksum: 31df480e4a3ff9c01bcefccfad77e81e
Matches: 1
Mismatches: 1

sh: /usr/bin/more: Permission denied

So I deleted the k5ctl rule with: "k5ctl del /usr/bin/more". And I could use it (really cat) again. (Easy to fix: I just grabbed the ./usr/bin/{less,more,page} files from the base05.tgz file on the CD.)

Then I tried to learn about ldctl which is the Stephanie command for ld.so environment protection, but the manual was actually the sneekctl(1) manual. So I tried to get it to show the current status:

# ldctl s 
ldctl: sysctl: Operation not supported

 22642 ldctl    CALL  __sysctl(0xcfbfd974,0x2,0xcfbfd968,0xcfbfd96c,0,0)
 22642 ldctl    RET   __sysctl -1 errno 45 Operation not supported

Next, I tried getfacl(1) to output ACL information:

# getfacl /
#file:/
#owner:0
#group:0
Bad system call (core dumped)

GDB said:

Program terminated with signal 12, Bad system call.
#0  0x2363 in ?? ()
#1  0x1b33 in ?? ()
#2  0x1d41 in ?? ()
#3  0x109c in ?? ()

Then I had a look at the acl(3) manual page. Its description begins with:

FreeBSD permits file systems to export Access Control Lists via the
VFS, and provides a library for userland access to and manipulation of
these ACLs.

POSIX.1e support was introduced in FreeBSD 4.0; FreeBSD 5.0 was the
first version to include a complete ACL implementation based on extended
attributes.

The setfacl(1) and getfacl(1) manual says that this extended attribute and access control list support was developed as part of the TrustedBSD Project and introduced in FreeBSD 5.0.

I tried the setfacl(1) tool following the examples found in the manual page. All three returned same "Bad system call (core dumped)".

Oh well. Maybe I have some hardware problems. I am glad the binary integrity checker (k5) worked. And I am interested in learning more about and using some of these features.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met ...

The developers of the OpenBSD project have worked hard at making sure that the code is clearly licensed and appropriate with conflicting licenses specifically located. They want their code to be able to be reused.

According to a MicroBSD developer posting at an OpenBSD Journal forum, they are still cleaning up, and hope to provide a simple way to provide easy-to-manage (with a web/console GUI) and secure servers out of the box.

Overall, it looks like MicroBSD is an interesting project. I see its best use is in getting more people and systems to use and test some of these new or special features. And maybe other operating systems can learn from any mistakes and/or successes and may integrate some of the code into their operating systems. (On that note, it appears that the 0.5 kernel sources are available for download.)

In the short time, I had to review the MicroBSD, I now have many questions:

• Where is the FAQ? (Note that I asked their mailing list about the FAQ a couple weeks ago.)
• Where is the documentation for the MicroBSD "intrusion detection"?
• Where is the documentation for restricted symlinks?
• Where is the documentation for ld.so environment stripping?
• Where is the documentation for application stack hardening and protection?
• Where is the documentation for network port ACLs?
• Any userland (or kernel) code available via CVS?
• What's up with these "Bad system calls"?
• What is the official language for the MicroBSD project?
• What is the official website for MicroBSD?

Discussion

system calls 179 and 281 - Jeremy C. Reed
MicroBSD Answers - OutBack Dingo
Stephanie & MicroBSD - Brian

system calls 179 and 281
Jeremy C. Reed - September 05, 2002 13:34:23
Just some more debugging on the bad system calls:

6472 sneekctl CALL #179 (unimplemented)

19824 getfacl CALL #281 (unimplemented sys_acl_get_file)

23088 setfacl CALL #281 (unimplemented sys_acl_get_file)

MicroBSD Answers
OutBack Dingo - September 05, 2002 23:14:36
Yes, we do have some cleaning to do, CVS is being worked on daily to make sure the 0.6 release due shortly is very clean, and all problems, anomolies found in 0.5 have been fixed in 0.6 thanks to some careful eyes in testing the releases. Granted it wasnt quite a search and replace, but alot of what needed to be modified ended up going backwards from 0.4 due to a stupid cvs mistake. :L all in all the 0.6 release is much different and alot more stable. sneek is not implemented in the kernel as of yet though the binary is in cvs. therefor it errors. The docs and all your other questens will be answered in 0.6 and all will be settled in by then. If you wish to forward me your email address ill give you a much greater break down. but right now we do lack coders so most of the work to get releases out is done by me.

Stephanie & MicroBSD
Brian - December 07, 2002 16:41:05
Little late, but anyway:

I'd just like to mention that the Stephanie "package" imported to the MicroBSD tree was the old, obsolete one. The import was NOT done by me, and any conflicts that could've been caused by conflicts with other kernel features MicroBSD imported (and there are plenty) are not flaws in Stephanie.

I've been talking with Dingo about this and to make sure that "Stephanie" in its current, rewritten version is implemented correctly in MicroBSD, I'm doing it myself -- or should I say, looking closely at how it's done.

Also, as for K5 -- I believe it's a good concept, but is still very premature. I'd rather see the NetBSD implementation of such a concept by Brett Lymn (who also *actively* maintaining it) imported to MicroBSD.

BSD Links