This document details the architectural logic of OpenSec and provides a formal guide on how to interpret and act upon the results using native OpenBSD forensic tools.
OpenSec is built on the "Verify, then Trust" principle. OpenSec identifies the "gap" between kernel capability and application adoption.
A process running without pledge(2) or unveil(2) is considered a "Naked Binary": it retains unrestricted access to system calls and the full, global filesystem scope.
- Mechanism: Direct inspection of `struct kinfo_proc` via `libkvm(3)`.
- Data Integrity: Bypasses text-based process lists to avoid TOCTOU vulnerabilities.
OpenSec uses standard ANSI sequences to categorize process states.

Note on Environment Variability: During development and validation, tests were conducted on Kitty and xfce4-terminal. It was observed that:
- Userland (NATIVE): May appear as Purple (Kitty/Modern) or Blue (Xfce4/Classic).
- System (KERNEL): May appear as Pink (Kitty) or Magenta (Xfce4).
- Mitigations: Green (Active) and Red (None) remain consistent across most themes.
- Live Trace: `doas ktrace -p [PID]` (Capture syscalls for 30-60s).
- Binary Integrity: `sha256 /path/to/binary` (Check for tampering).
- Static Analysis: `strings /path/to/binary | less` (Search for hardcoded IPs/URLs).
- Hex Inspection: `hexdump -C /path/to/binary` (Investigate data offsets).
- Action: `doas fstat -p [PID]` and `kdump | grep "NAMI"`.
- Objective: Identify unauthorized filesystem probing.
When prompted during an audit, selecting Option 3 (Ignore) is the recommended action. This prevents the auditor from waiting on a non-responsive PID, avoiding potential system instability.
- Code Patching: Implement `pledge()` and `unveil()` based on gathered data.
- Verification: Rerun OpenSec to confirm ACTIVE status.