Contributed by grey on from the more folks should make cool use of systrace like this dept.
as part of the OpenBSD book i wrote with brandon palmer, secure architectures with OpenBSD, i developed stsh, the systrace shell. this was inspired by the monkey.org shell account systrace shell, but this one is implemented differently.
since the book's publication, i have updated stsh to be more flexible. it also changes how the tool is used, so the directions in the book are now obsolete (use the ones on the website). it works pretty well, and ensures that every application you start is wrapped in systrace.
you can compile it to learn behaviors, use your machine for a while, and then evaluate the resulting systrace policies. then you can rebuild it to be in enforce mode, giving you the benefits of systrace for all binaries. since your parent shell is systraced, and everything inherits from that, all apps are systraced. obviously this is not for the faint of heart, but can be useful, especially when combined with mount options, kernel options, permissions modifications, group management, and the like (i.e. remove the ktrace capability for normal users, restrict setuid binary usage, and so forth).
hope this helps.
(Comments are closed)
By Jim (162.40.115.62) on
By Anonymous Coward (130.233.220.23) on
Comments
By jose (204.181.64.2) on http://monkey.org/~jose/
when you login, login(1) looks in login.conf(5). if your user class has a "shell" entry in it, login(1) executes that shell. in this case, you're in the stsh class and you have "shell=/bin/stsh" in there.
what stsh(8) does is this: it opens up your passwd(5) file and looks for your UID and its associated shell. it then executes that under systrace. if your shell is "/usr/local/bin/emacs", for example, you'll get a systraced emacs shell. stsh replaces itself with this entry from your passwd(5) line for your account.
simple as that. there's no globbing for the shell name. shells(5) are enforced by passwd(1), so they'll have to match that, but that's for a local admin to decide.
hope that makes sense.
By Anonymous Coward (200.221.124.40) on
By Anonymous Coward (80.65.225.73) on
By jose (65.23.81.140) on
the layer of abstraction provided by login.conf(5) is actually quite useful. you don't have to manage more than one file to control a set of users.
By nazsco (200.221.124.40) on
By Anonymous Coward (68.125.86.22) on
By Anonymous Coward (80.65.225.73) on
May I suggest an improvement?
Maybe the provided systrace policies could be refined manually, for simplification, and to improve security.
E.g. in bin_cat