Contributed by grey on from the more folks should make cool use of systrace like this dept.
as part of the OpenBSD book i wrote with brandon palmer, secure architectures with OpenBSD, i developed stsh, the systrace shell. this was inspired by the monkey.org shell account systrace shell, but this one is implemented differently.
since the book's publication, i have updated stsh to be more flexible. it also changes how the tool is used, so the directions in the book are now obsolete (use the ones on the website). it works pretty well, and ensures that every application you start is wrapped in systrace.
you can compile it to learn behaviors, use your machine for a while, and then evaluate the resulting systrace policies. then you can rebuild it to be in enforce mode, giving you the benefits of systrace for all binaries. since your parent shell is systraced, and everything inherits from that, all apps are systraced. obviously this is not for the faint at heart, but can be useful, especially when combined with mount options, kernel options, permissions modifications, group management, and the like (i.e. remove the ktrace capability for normal users, restrict setuid binary usage, and so forth).
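the "evaluate the resulting systrace policies" step is where learned policies tend to be too generous, so here is a small review script, added as an example (it is not part of stsh or the book), that flags write, exec and connect permits with wildcard or no predicate. the policy file is a constructed sample in systrace's policy-file format; the helper names are assumptions.

```shell
#!/bin/sh
# Added example: audit a systrace policy produced in learn mode before
# rebuilding stsh in enforce mode. The policy below is a constructed sample.
POLICY=$(mktemp)
trap 'rm -f "$POLICY"' EXIT
cat > "$POLICY" <<'EOF'
Policy: /bin/sh, Emulation: native
	native-fsread: filename eq "/etc/pwd.db" then permit
	native-fsread: filename match "/usr/lib/*" then permit
	native-fswrite: filename match "/home/grey/*" then permit
	native-fswrite: filename eq "/tmp/sh-out" then permit
	native-fswrite: filename match "/*" then permit
	native-connect: sockaddr match "inet-*:80" then permit
	native-execve: filename eq "/usr/bin/ls" then permit
	native-execve: permit
	native-munmap: permit
EOF

# broad_permits FILE: print fswrite/execve/connect rules that either use a
# wildcard ("match") predicate or permit unconditionally. These are the
# rules worth tightening before the shell is rebuilt in enforce mode.
broad_permits() {
    awk '
        /^[ \t]*native-(fswrite|execve|connect):/ {
            if ($0 ~ /filename match|sockaddr match/ || $0 ~ /: *permit/) {
                sub(/^[ \t]+/, "")
                print
            }
        }' "$1"
}

# count_broad_permits FILE: number of such rules, usable as a gate
# (rebuild in enforce mode only when the review brings this to zero).
count_broad_permits() {
    broad_permits "$1" | wc -l | tr -d ' '
}

echo "broad permits in $POLICY:"
broad_permits "$POLICY"
echo "total: $(count_broad_permits "$POLICY")"
```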
hope this helps.