
Add an extra layer of security with systrace

Filed under
HowTos

Niels Provos' Systrace is a utility that monitors and controls what an application can access on a system by creating and enforcing access policies for system calls. For the Linux crowd, it's something like the US National Security Agency's SELinux, but it's more flexible and, if used properly, it can improve a system's overall security by "sandboxing" untrusted applications and users.

Systrace is included by default in NetBSD and OpenBSD, and the project lists ports for Mac OS X, FreeBSD, and Linux on its home page -- though the Mac OS X port is not being maintained at the moment.

Systrace acts as a wrapper to the actual application. It intercepts the system calls made by the application, processes them through the kernel using the /dev/systrace device, and then handles the system calls according to your policies.

You can use Systrace to restrict a daemon's access to the system by defining which files it can access and how (such as read-only), and which port it can bind to. Also, if a daemon doesn't support privilege separation, you can avoid running it as root the whole time and avoid keeping setuid and setgid binaries on the system. It's obvious how this can enhance the security of an untrusted daemon, or at least minimize the damage to a system if someone manages to exploit it.
