| 1 |
On Saturday 22 March 2003 09:30, Nate Underwood wrote: |
| 2 |
|
| 3 |
> Effectiveness: |
| 4 |
> |
| 5 |
> Some of the possibilities with systrace are: |
| 6 |
> |
| 7 |
> Application sandboxing/Virtual chroot'ing |
| 8 |
> Lightweight HIDS...policy violations are logged |
| 9 |
> Defined policies are enforced without user interaction...any system |
| 10 |
> calls not covered by a policy are denied and logged. |
| 11 |
> Privilege Elevation...enables nifty things like getting rid of suid/guid |
| 12 |
> binary reliance |
| 13 |
> |
| 14 |
> Systrace is still fairly new...but the ease of use and effectiveness of |
| 15 |
> the the program (IMHO) are worth pursuing. The problems of system wide |
| 16 |
> deployment is a developer specific issue (on Gentoo)...and advances we |
| 17 |
> make here can likely be offerend up to the systrace authors for possible |
| 18 |
> inclusion and enhancement. |
| 19 |
|
| 20 |
Yes, I really like seeing other people being impressed by systrace too. |
| 21 |
|
| 22 |
By now i have a virtual chrooted login shell (bash) which lets my users |
| 23 |
execute various programms (which I can define), access their home directory |
| 24 |
almost unrestricted (well they can't execute anything in it) and virtual |
| 25 |
chrooted sftp. |
| 26 |
|
| 27 |
I've also systrace wrapped all cgi scripts (using a patched modiwrap, which is |
| 28 |
a suexec replacement) |
| 29 |
|
| 30 |
Policy: /usr/bin/stcgiwrap, Emulation: linux |
| 31 |
[some general stuff with reading /lib/ libraries + most basic system calls] |
| 32 |
linux-fsread: filename eq "/usr/lib/perl5/site_perl/5.6.1" then permit |
| 33 |
linux-fsread: filename match "$HOME/cgi-bin/*" then permit |
| 34 |
linux-execve: filename match "$HOME/cgi-bin/*" then permit[inherit] |
| 35 |
linux-fsread: filename eq "/proc/self/exe" then permit |
| 36 |
linux-fsread: filename eq "/etc/localtime" then permit |
| 37 |
linux-execve: filename eq "/usr/sbin/sendmail" then permit |
| 38 |
|
| 39 |
|
| 40 |
Its config files are really easy to understand _and_ generate, as you can |
| 41 |
simply start any programm with systrace -A /usr/bin/programm_i_want_to_test |
| 42 |
and you end with a "minimum" policy file in |
| 43 |
~/.systrace/usr_bin_programm_i_want_to_test |
| 44 |
which you can copy to /etc/systrace (and chmod it 644). |
| 45 |
|
| 46 |
It is also very easy to give different rights to different users (which is |
| 47 |
almost impossible with the current grsecurity acls, but is said to change in |
| 48 |
grsec 2.0, which will be role based) |
| 49 |
|
| 50 |
But I agree: I don't think it is meant as a system default and according to |
| 51 |
the docs it isn't that speedy (also i'd love to see some realworld |
| 52 |
benchmarks, maybe systraced apache vs. normal). As the policies aren't |
| 53 |
compiled in any way but being parsed each time you run the programm, I at |
| 54 |
least expect a startup penalty, which might be avoided with some sort of |
| 55 |
systrace daemon. |
| 56 |
|
| 57 |
IMHO the best way would be a combination of grsecurity acls for daemons and |
| 58 |
systrace (wrappers) for userland. |
| 59 |
|
| 60 |
Blurb: The one time I tried SELinux (which isn't ment to be the last time) I |
| 61 |
found it extremly difficult, complex and by no means comfortable. But I'm |
| 62 |
sure some of you got better results than I did. |
| 63 |
|
| 64 |
|
| 65 |
-- |
| 66 |
Mit internetten Grüßen / Best Regards |
| 67 |
--------------------------------------------------------------------------- |
| 68 |
Justin Heesemann ionium Technologies |
| 69 |
jh@××××××.org www.ionium.org |
| 70 |
|
| 71 |
|
| 72 |
-- |
| 73 |
gentoo-hardened@g.o mailing list |
Archives