On Saturday 22 March 2003 09:30, Nate Underwood wrote:

> Effectiveness:
>
> Some of the possibilities with systrace are:
>
> Application sandboxing/Virtual chroot'ing
> Lightweight HIDS...policy violations are logged
> Defined policies are enforced without user interaction...any system
> calls not covered by a policy are denied and logged.
> Privilege Elevation...enables nifty things like getting rid of suid/guid
> binary reliance
>
> Systrace is still fairly new...but the ease of use and effectiveness of
> the program (IMHO) are worth pursuing. The problems of system-wide
> deployment are a developer-specific issue (on Gentoo)...and advances we
> make here can likely be offered up to the systrace authors for possible
> inclusion and enhancement.

Yes, I really like seeing other people being impressed by systrace too.

By now I have a virtual chrooted login shell (bash) which lets my users
execute various programs (which I can define), access their home directory
almost unrestricted (well, they can't execute anything in it) and virtual
chrooted sftp.

I've also systrace-wrapped all cgi scripts (using a patched modiwrap, which is
a suexec replacement):

Policy: /usr/bin/stcgiwrap, Emulation: linux
[some general stuff with reading /lib/ libraries + most basic system calls]
linux-fsread: filename eq "/usr/lib/perl5/site_perl/5.6.1" then permit
linux-fsread: filename match "$HOME/cgi-bin/*" then permit
linux-execve: filename match "$HOME/cgi-bin/*" then permit[inherit]
linux-fsread: filename eq "/proc/self/exe" then permit
linux-fsread: filename eq "/etc/localtime" then permit
linux-execve: filename eq "/usr/sbin/sendmail" then permit

Its config files are really easy to understand _and_ generate, as you can
simply start any program with systrace -A /usr/bin/programm_i_want_to_test
and you end up with a "minimum" policy file in
~/.systrace/usr_bin_programm_i_want_to_test
which you can copy to /etc/systrace (and chmod it 644).

It is also very easy to give different rights to different users (which is
almost impossible with the current grsecurity acls, but is said to change in
grsec 2.0, which will be role based).

But I agree: I don't think it is meant as a system default and according to
the docs it isn't that speedy (also I'd love to see some real-world
benchmarks, maybe systraced apache vs. normal). As the policies aren't
compiled in any way but are parsed each time you run the program, I at
least expect a startup penalty, which might be avoided with some sort of
systrace daemon.

IMHO the best way would be a combination of grsecurity acls for daemons and
systrace (wrappers) for userland.

Blurb: The one time I tried SELinux (which isn't meant to be the last time) I
found it extremely difficult, complex and by no means comfortable. But I'm
sure some of you got better results than I did.

--
Mit internetten Grüßen / Best Regards
---------------------------------------------------------------------------
Justin Heesemann                                        ionium Technologies
jh@××××××.org                                                www.ionium.org

--
gentoo-hardened@g.o mailing list
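Added example, not code from this mail, from Gentoo or from systrace itself: a small Python parser, evaluator and linter for the policy syntax Justin pastes above (`<emulation>-<syscall>: filename eq|match "..." then permit|deny[flag]`). It is useful for reviewing a policy generated with `systrace -A` before copying it to /etc/systrace. Assumptions, all labelled in the code: rules are tried top to bottom and the first match wins; a call no rule covers is denied, as Nate's quoted text describes; `match` is fnmatch-style globbing; `$HOME` is expanded from a caller-supplied value; only the `filename` field is handled; and `[inherit]` is read as keeping the executed program under the parent's policy, which is my understanding of the systrace manual. The sample policy is the mail's stcgiwrap rules plus three constructed lines.

```python
"""Parser, evaluator and linter for systrace policy lines (added example).

Assumptions: first matching rule wins; no match -> deny; "match" is
fnmatch globbing; $HOME is substituted; only the filename field is used.
"""
import fnmatch
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# <emulation>-<syscall>: <field> <op> "<value>" then <action>[<flag>]
RULE_RE = re.compile(
    r'^(?P<emul>[a-z0-9]+)-(?P<syscall>\w+):\s*'
    r'(?P<field>\w+)\s+(?P<op>eq|match)\s+"(?P<value>[^"]*)"\s+'
    r'then\s+(?P<action>permit|deny|ask)(?:\[(?P<flag>[^\]]*)\])?$'
)


@dataclass
class Rule:
    emul: str
    syscall: str
    field: str
    op: str
    value: str
    action: str
    flag: Optional[str]


def parse_policy(text: str) -> Tuple[Dict[str, str], List[Rule]]:
    """Return the 'Policy:' header fields and the rules in file order."""
    header: Dict[str, str] = {}
    rules: List[Rule] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if line.startswith('Policy:'):
            for part in line.split(','):
                key, _, val = part.partition(':')
                header[key.strip()] = val.strip()
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError(f'line {lineno}: unrecognised rule: {line!r}')
        rules.append(Rule(**m.groupdict()))
    return header, rules


def evaluate(rules: List[Rule], syscall: str, filename: str,
             home: str = '/home/alice') -> str:
    """Action for one call: first matching rule wins; no match -> 'deny'
    (assumed default for non-interactive use)."""
    for r in rules:
        if r.syscall != syscall or r.field != 'filename':
            continue
        pattern = r.value.replace('$HOME', home)   # assumed $HOME expansion
        if r.op == 'eq' and filename == pattern:
            return r.action
        if r.op == 'match' and fnmatch.fnmatchcase(filename, pattern):
            return r.action
    return 'deny'


def lint(rules: List[Rule]) -> List[Tuple[int, str, str]]:
    """Flag permit rules with globs a reviewer should look at twice.
    Returns (rule number, severity, message)."""
    findings = []
    for i, r in enumerate(rules, 1):
        if r.action != 'permit' or r.op != 'match':
            continue
        if r.value.strip('*') in ('', '/'):
            findings.append((i, 'high', f'{r.syscall}: {r.value!r} permits every path'))
        elif r.syscall == 'execve':
            # [inherit]: executed program stays under this policy (assumed reading)
            note = ('; [inherit] keeps the started program under this same policy'
                    if r.flag == 'inherit' else '')
            findings.append((i, 'medium', f'execve: anything matching {r.value!r} may run{note}'))
        elif r.syscall == 'fswrite':
            findings.append((i, 'low', f'fswrite: glob write access to {r.value!r}'))
    return findings


# Constructed sample: the mail's stcgiwrap rules plus three added lines
# (after the comment) to exercise rule ordering and the linter.
SAMPLE_POLICY = """\
Policy: /usr/bin/stcgiwrap, Emulation: linux
linux-fsread: filename eq "/usr/lib/perl5/site_perl/5.6.1" then permit
linux-fsread: filename match "$HOME/cgi-bin/*" then permit
linux-execve: filename match "$HOME/cgi-bin/*" then permit[inherit]
linux-fsread: filename eq "/proc/self/exe" then permit
linux-fsread: filename eq "/etc/localtime" then permit
linux-execve: filename eq "/usr/sbin/sendmail" then permit
# constructed additions, not from the mail:
linux-fsread: filename eq "/etc/shadow" then deny[eperm]
linux-fsread: filename match "/etc/*" then permit
linux-fswrite: filename match "$HOME/cgi-bin/data/*" then permit
"""

if __name__ == '__main__':
    header, rules = parse_policy(SAMPLE_POLICY)
    print(f"{header['Policy']} ({header['Emulation']}): {len(rules)} rules")
    for call in (('execve', '/home/alice/cgi-bin/form.pl'),
                 ('execve', '/home/alice/bin/other'),
                 ('fsread', '/etc/shadow'),
                 ('fsread', '/etc/hosts')):
        print(f'{call[0]:8} {call[1]:32} -> {evaluate(rules, *call)}')
    for num, sev, msg in lint(rules):
        print(f'rule {num} [{sev}] {msg}')
```

The explicit `deny[eperm]` for /etc/shadow placed before the broader `/etc/*` permit shows why rule order matters when hand-editing a generated policy: swapping those two lines would silently turn the deny into a permit.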