Contributed by jose on from the assisting-you dept.
http://hades.uint8t.org/systrace.html
He's been at this for quite a while, and his policies and such are pretty well tested.
(Comments are closed)
OpenBSD Journal
Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]
By Luiz Gustavo () on
Basically support is needed to provide policies addressing daemons and programs which I missed or don't use at all.
Comments
By Anonymous Coward () on
By raiten () julien.touche@lycos.com on mailto:julien.touche@lycos.com
I don't know if template is only used on creation or always (like an #include) but it could be interesting
but there is NO doc, except code ...
By Anonymous Coward () on
I tried to add:
native-execve: filename eq "/sbin/ifconfig" and argv eq "/sbin/ifconfig" then deny, if user != root
but I don't think that's right, since the user can still see the output. Any help?
Comments
By bumby () on
systrace -A /sbin/systrace
I never used systrace before, tried it now for some minutes, so it may be possible to get systrace invoked without actually running processes directly through systrace. Like, having systrace as a daemon, and get the shell/kernel? to tell the systraced to start the app when you execute for instance /sbin/ifconfig. That would have been neat.
Is it possible? 'Cause that could be useful to restrict shell-users.
By tedu () on
Comments
By tedu () on
By Anonymous Coward () on
By Luiz Gustavo () on
should be more than enough.
By David Moreno Garza () damog@damog.net on http://damog.net
Comments
By Damog () on
By Pedro Martelletto () on
By Luiz Gustavo () on