Automated Systrace Policy Creation
Let Systrace’s automated mode do your work for you.
In a true paranoid’s ideal world, system administrators would read the source code for every application on their system and be able to build system-call access policies by hand, relying only on their intimate understanding of every feature of the application. Most system administrators don’t have that sort of time, and would have better things to do with that time if they did.
Luckily, systrace includes a policy-generation
tool that will generate a policy listing for every system call that
an application makes. You can use this policy as a starting point to
narrow down the access you will allow the application.
We’ll use this method to generate a policy for inetd.
Use the -A flag to systrace,
and include the full path to the program you want to run:
# systrace -A /usr/sbin/inetd
To pass flags to inetd, add them at the end of the command line.
Then use the program for which you’re developing a
policy. This system has ident, daytime, and time services open, so
run programs that require those services. Fire up an IRC client to
trigger ident requests, and telnet to ports 13 and 37 to get time
services. Once you have put inetd through its
paces, shut it down. inetd has no control program,
so you need to kill it by process ID.
Checking the process list will show two processes:
# ps -ax | grep inet
24421 ?? Ixs 0:00.00 /usr/sbin/inetd
12929 ?? Is 0:00.01 systrace -A /usr/sbin/inetd
Do not kill the systrace ...
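The steps above (start the program under systrace -A, exercise it, then kill the traced program by PID without touching the systrace wrapper) can be scripted. The following is an added example, not code from the original article or from systrace itself. It assumes that systrace -A writes its generated policy under ~/.systrace/ with the slashes of the program path replaced by underscores (so /usr/sbin/inetd becomes usr_sbin_inetd), and that ps -ax prints the five columns shown above (PID, TT, STAT, TIME, COMMAND). The function names policy_file, traced_pid and stop_traced are this example's own, and SAMPLE_PS is constructed sample output that mirrors the listing in the text.

```shell
#!/bin/sh
# Added example around "systrace -A"; not part of the original article.
# Assumption: systrace -A stores its policy as ~/.systrace/<path with / -> _>.

# Path of the policy file systrace -A generates for a given program path.
# Example: policy_file /usr/sbin/inetd -> $HOME/.systrace/usr_sbin_inetd
policy_file() {
    printf '%s/.systrace/%s\n' "$HOME" "$(printf '%s' "${1#/}" | tr '/' '_')"
}

# Read "ps -ax" output on stdin and print the PID(s) whose COMMAND column is
# exactly the traced program. The "systrace -A <prog>" wrapper line has
# "systrace" in that column, so it is never selected: killing the wrapper
# instead of the program is the mistake the text warns about.
traced_pid() {
    awk -v prog="$1" '$5 == prog { print $1 }'
}

# Send SIGTERM to the traced program only, leaving systrace to write the policy.
# Usage: stop_traced /usr/sbin/inetd
stop_traced() {
    pids=$(ps -ax | traced_pid "$1")
    if [ -z "$pids" ]; then
        echo "no process running $1" >&2
        return 1
    fi
    for p in $pids; do
        kill "$p"
    done
    echo "policy should now be in $(policy_file "$1")"
}

# Constructed sample of "ps -ax | grep inet" output, matching the article's listing.
SAMPLE_PS='24421 ?? Ixs 0:00.00 /usr/sbin/inetd
12929 ?? Is  0:00.01 systrace -A /usr/sbin/inetd'

# Optional command-line dispatch so the script is usable directly:
#   sh systrace-helper.sh policy /usr/sbin/inetd
#   sh systrace-helper.sh stop /usr/sbin/inetd
case "${1:-}" in
    policy) policy_file "$2" ;;
    stop)   stop_traced "$2" ;;
esac
```

Running `printf '%s\n' "$SAMPLE_PS" | traced_pid /usr/sbin/inetd` on the constructed listing yields 24421, the inetd process, and never 12929, the systrace process. The exact-match test on the COMMAND column is deliberate: a substring match on "inetd" would select both lines.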