A lightweight process mitigation auditing tool for OpenBSD.
Project: opensec (Open Security Auditor)
Author: Jefferson Cesar Antunes
License: MIT
Version: 1.0.0
Description: Security auditing and transparency utility inspired by the OpenBSD philosophy.
The name opensec is simply a fusion of Open and Sec (Security), directly inspired by the OpenBSD philosophy.
In this context, Open means more than "free software." It stands for absolute transparency and standardization: the belief that security tools should be open to global audit, free from restrictive barriers, and built on code so clear that it leaves no room for hidden vulnerabilities. OpenSec is security without secrets.
OpenSec is a minimal auditing utility designed specifically for OpenBSD systems.
It inspects kernel-exposed process metadata via kvm(3) and struct kinfo_proc
to determine whether core mitigation mechanisms are active, including:
- pledge(2) restrictions
- unveil(2) restrictions
- W^X enforcement indicators
The objective is deterministic classification of process security posture based strictly on kernel state.
OpenSec does not perform tracing, instrumentation, or behavioral inference.
OpenBSD provides strong built-in mitigation primitives. However, visibility into which processes actively enforce them is not centralized.
OpenSec provides a deterministic mitigation visibility layer for:
- System auditing
- Hardening validation
- Forensic triage
- Security posture verification
It focuses purely on observable kernel state.
OpenSec interfaces with libkvm to access the kernel process table in read-only mode.
For each process entry, it evaluates fields within struct kinfo_proc
and related metadata to determine:
- Whether pledge(2) restrictions are enforced
- Whether unveil(2) restrictions are present
- Whether memory protection flags align with W^X principles
Classification is derived exclusively from kernel-reported state.
The tool does not:
- Attach via ptrace
- Instrument binaries
- Modify process memory
- Inject runtime code
All inspection is passive and non-intrusive.
```
PID   USER   PLEDGE  UNVEIL  W^X   CLASSIFICATION
123   root   YES     YES     OK    Hardened
456   www    YES     NO      OK    Partial
789   user   NO      NO      WEAK  Unrestricted
```
Output reflects kernel-reported mitigation state only.
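As an added illustration (not OpenSec's own code), the following C program shows the deterministic classification model the sample output above implies and how a read-only libkvm walk of the process table could feed it. Everything beyond what the README states is my assumption: the rule in classify() (all three mitigations present gives Hardened, none gives Unrestricted, anything else gives Partial), the kinfo_proc field mapping (p_pledge, p_psflags & PS_WXNEEDED, p_flag & P_SYSTEM), the reporting of unveil(2) as NO because I know of no unveil field in struct kinfo_proc, and the function names. The libkvm path compiles only under OpenBSD; on other systems main() runs the classifier over constructed rows that mirror the sample table.

```c
/* Added example, not OpenSec's code. The classification rule and the
 * kinfo_proc field mapping are assumptions chosen to match the README's
 * sample table; only kernel-reported state is consumed, nothing is traced. */
#include <limits.h>
#include <pwd.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#ifdef __OpenBSD__
#include <sys/param.h>
#include <sys/sysctl.h>
#include <sys/proc.h>
#include <kvm.h>
#endif

/* Observed kernel state for one process: three booleans, nothing inferred. */
struct mitigation_state {
    int pid;
    char user[16];
    bool pledged;   /* pledge(2) promises in force */
    bool unveiled;  /* unveil(2) path restrictions present */
    bool wx_ok;     /* no W^X exception granted to the process */
};

enum posture { HARDENED = 0, PARTIAL = 1, UNRESTRICTED = 2 };

/* Assumed rule: all three -> Hardened, none -> Unrestricted, else Partial.
 * A pure function of kernel state, so the same input always yields the same label. */
enum posture classify(const struct mitigation_state *s)
{
    if (s->pledged && s->unveiled && s->wx_ok)
        return HARDENED;
    if (!s->pledged && !s->unveiled && !s->wx_ok)
        return UNRESTRICTED;
    return PARTIAL;
}

const char *posture_name(enum posture p)
{
    return p == HARDENED ? "Hardened" : p == PARTIAL ? "Partial" : "Unrestricted";
}

/* One output row in the README's column order; returns buf for convenience. */
char *format_row(const struct mitigation_state *s, char *buf, size_t len)
{
    snprintf(buf, len, "%-6d %-8s %-6s %-6s %-5s %s", s->pid, s->user,
             s->pledged ? "YES" : "NO", s->unveiled ? "YES" : "NO",
             s->wx_ok ? "OK" : "WEAK", posture_name(classify(s)));
    return buf;
}

/* Global statistics for a forensic summary: counts[posture] per class. */
void summarize(const struct mitigation_state *rows, size_t n, size_t counts[3])
{
    counts[0] = counts[1] = counts[2] = 0;
    for (size_t i = 0; i < n; i++)
        counts[classify(&rows[i])]++;
}

#ifdef __OpenBSD__
/* Read-only walk of the live process table; KVM_NO_FILES uses sysctl, not /dev/mem.
 * Field mapping is an assumption: p_pledge != 0 means pledged, PS_WXNEEDED in
 * p_psflags means a W^X exception, P_SYSTEM in p_flag marks a kernel thread.
 * struct kinfo_proc carries no unveil(2) field that I know of, so NO is reported. */
int audit_live(FILE *out)
{
    char errbuf[_POSIX2_LINE_MAX];
    int cnt = 0;
    kvm_t *kd = kvm_openfiles(NULL, NULL, NULL, KVM_NO_FILES, errbuf);
    if (kd == NULL) { fprintf(stderr, "kvm_openfiles: %s\n", errbuf); return -1; }
    struct kinfo_proc *kp = kvm_getprocs(kd, KERN_PROC_ALL, 0, sizeof(*kp), &cnt);
    if (kp == NULL) { fprintf(stderr, "kvm_getprocs: %s\n", kvm_geterr(kd)); kvm_close(kd); return -1; }
    fprintf(out, "%-6s %-8s %-6s %-6s %-5s %s\n", "PID", "USER", "PLEDGE", "UNVEIL", "W^X", "CLASSIFICATION");
    for (int i = 0; i < cnt; i++) {
        if (kp[i].p_flag & P_SYSTEM)
            continue;                       /* kernel thread, not a userland process */
        struct passwd *pw = getpwuid(kp[i].p_uid);
        struct mitigation_state s = { .pid = kp[i].p_pid };
        snprintf(s.user, sizeof s.user, "%s", pw ? pw->pw_name : "?");
        s.pledged = kp[i].p_pledge != 0;
        s.unveiled = false;
        s.wx_ok = (kp[i].p_psflags & PS_WXNEEDED) == 0;
        char line[96];
        fprintf(out, "%s\n", format_row(&s, line, sizeof line));
    }
    kvm_close(kd);
    return cnt;
}
#endif

int main(void)
{
#ifdef __OpenBSD__
    return audit_live(stdout) < 0 ? 1 : 0;
#else
    /* Constructed rows (not real processes) mirroring the README's sample table. */
    struct mitigation_state rows[] = {
        { 123, "root", true,  true,  true  },
        { 456, "www",  true,  false, true  },
        { 789, "user", false, false, false },
    };
    size_t counts[3];
    char line[96];
    for (size_t i = 0; i < 3; i++)
        puts(format_row(&rows[i], line, sizeof line));
    summarize(rows, 3, counts);
    printf("hardened=%zu partial=%zu unrestricted=%zu\n", counts[0], counts[1], counts[2]);
    return 0;
#endif
}
```

The point to take from the structure: collection (audit_live) and judgement (classify) are separated, and the judgement is a pure function of the booleans the kernel reported, which is what makes the classification deterministic and auditable. Any change to the rule, for instance treating a missing unveil(2) as Unrestricted, is a one-line edit to classify() that every row then follows.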
Figure 1: Automated baseline evaluation of the global security posture.
Figure 2: Real-time monitoring of active security primitives and privilege levels.
Figure 3: Forensic audit reporting with global mitigation statistics and risk assessment.
OpenSec follows OpenBSD principles:
- Simplicity
- Correctness
- Determinism
- Non-Intrusiveness
The tool is intentionally conservative in scope.
Additional technical documentation is available:
- Security Model & Forensic Workflow: detailed architectural description, trust model, telemetry logic, and post-audit investigation procedures.
- Performance Benchmarks & Operational Impact: empirical measurements of CPU usage, memory footprint, latency, and scalability behavior under load.
These documents formalize OpenSec's architectural assumptions, operational safety guarantees, and performance characteristics.
- Relies strictly on kernel-exposed metadata
- Does not analyze binary logic or runtime intent
- Cannot detect logical flaws inside pledged processes
- Does not perform memory dumping or syscall tracing
- Requires appropriate privileges for kernel memory access
Mitigation absence does not automatically imply malicious behavior.
- Initial Scan: automated baseline evaluation of the global security posture.
- Mitigation Analysis: real-time monitoring of active security primitives and privilege levels.
- Forensic Summary: forensic audit reporting with global mitigation statistics and risk assessment.
- Kernel process table inspection via libkvm
- pledge(2) enforcement detection
- unveil(2) state reporting
- W^X-related enforcement indicators
- Userland vs kernel process differentiation
- Deterministic classification model
- Clean terminal output
- Minimal runtime footprint
OpenSec is designed for stability in live OpenBSD environments:
- Read-only kernel state access
- Graceful handling of restricted entries
- No process interruption
- No execution state modification
Suitable for live auditing and hardening validation.
If a process is classified without active mitigations, further analysis may include:
- Syscall auditing: ktrace -p [PID] && kdump
- File descriptor inspection: fstat -p [PID]
- Binary verification: sha256 /path/to/binary
OpenSec serves as an initial mitigation visibility layer within a broader forensic workflow.
- OpenBSD (stable or current)
- libkvm
- BSD make
- doas or root privileges

```sh
git clone https://github.com/jeffersoncesarantunes/OpenSec.git
cd OpenSec
make clean && make
doas ./bin/opensec
```

- Language: C (C99/C11 with OpenBSD extensions)
- Kernel Interface: libkvm
- Data Source: struct kinfo_proc
- Build Tool: BSD make
- Target Platform: OpenBSD
- Kernel-level mitigation detection engine
- Process-type differentiation
- Structured export format (CSV/JSON)
- Interactive TUI interface
- Historical mitigation state tracking
- Extended W^X validation research
Distributed under the MIT License.
See the LICENSE file for details.
Developed as a practical exploration of OpenBSD process mitigation visibility and kernel state auditing.