Add an extra layer of security with systrace
Niels Provos' Systrace is a utility that monitors and controls what an application can access on a system by creating and enforcing access policies for system calls. For the Linux crowd, it's something like the US National Security Agency's SE Linux, but it's more flexible and, if used properly, it can improve a system's overall security by "sandboxing" untrusted applications and users.
Systrace is included by default in NetBSD and OpenBSD, and the project lists ports for Mac OS X, FreeBSD, and Linux on its home page -- though the Mac OS X port is not being maintained at the moment.
Systrace acts as a wrapper to the actual application. It intercepts the system calls made by the application, processes them through the kernel using the /dev/systrace device, and then handles the system calls according to your policies.
You can use Systrace to restrict a daemon's access to the system by defining which files it can access and how (such as read-only), and which port it can bind to. Also, if a daemon doesn't support privilege separation, you can avoid running it as root the whole time and keeping setuid and setgid binaries on the system. It's obvious how this can enhance the security of an untrusted daemon, or at least minimize the damage on a system if someone manages to exploit it.
- Login or register to post comments
- Printer-friendly version
- 1535 reads
- PDF version
More in Tux Machines
- Highlights
- Front Page
- Latest Headlines
- Archive
- Recent comments
- All-Time Popular Stories
- Hot Topics
- New Members
digiKam 7.7.0 is releasedAfter three months of active maintenance and another bug triage, the digiKam team is proud to present version 7.7.0 of its open source digital photo manager. See below the list of most important features coming with this release. |
Dilution and Misuse of the "Linux" Brand
|
Samsung, Red Hat to Work on Linux Drivers for Future TechThe metaverse is expected to uproot system design as we know it, and Samsung is one of many hardware vendors re-imagining data center infrastructure in preparation for a parallel 3D world. Samsung is working on new memory technologies that provide faster bandwidth inside hardware for data to travel between CPUs, storage and other computing resources. The company also announced it was partnering with Red Hat to ensure these technologies have Linux compatibility. |
today's howtos
|
Recent comments
1 year 11 weeks ago
1 year 11 weeks ago
1 year 11 weeks ago
1 year 11 weeks ago
1 year 11 weeks ago
1 year 11 weeks ago
1 year 11 weeks ago
1 year 11 weeks ago
1 year 11 weeks ago
1 year 11 weeks ago