29.4 Where to Use systrace
One ideal place to run systrace with complete and restrictive policies is on network servers. Protecting the execution environment of exposed services with systrace can considerably minimize the ability of an attacker to cause a daemon program to begin executing arbitrary actions. This can include remote SSH servers, name servers, and Apache Web servers. Generating these policies can be a bit time-consuming. Nevertheless, with systrace -A, a thorough exercise of the program, and a review of the policies, security can be enhanced.
For publicly accessible shell servers—for example, on common lab systems—one target for systrace policies is the control of setuid root executables. Wrapping the execution of these programs in a controlled policy minimizes the potential damage that can be generated by a malicious user. The setuid root bit can be removed, and operations that require privileges can be replaced by permit as statements in the systrace policy. Wrapping the executable in a small program that ensures it is run under systrace can complete this security enhancement.
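As an added example (not from the book), a small POSIX shell script that builds both pieces of that arrangement for a formerly setuid-root ping: a policy in which the one privileged operation, opening the raw socket, is granted with permit as root, and the wrapper that forces the real binary to run under systrace with automatic enforcement. The binary path /bin/ping.real, the policy directory and the rule list are assumptions for illustration; a real rule list comes from systrace -A plus review, and because privilege elevation needs systrace itself to run as root, the wrapper is assumed to be invoked with root privileges.

```shell
#!/bin/sh
# Added example, not from the book. Assumed layout: the original /bin/ping
# has been moved to /bin/ping.real and stripped of its setuid bit
# (chmod u-s /bin/ping.real); the wrapper below takes its place.

# Write the systrace policy for $target into $policydir. systrace names
# policy files after the binary path with '/' replaced by '_' (bin_ping.real).
write_policy() {
    policydir=$1 target=$2
    name=$(printf '%s' "$target" | sed 's|^/||; s|/|_|g')
    cat > "$policydir/$name" <<EOF
Policy: $target, Emulation: native
    native-__sysctl: permit
    native-mmap: permit
    native-munmap: permit
    native-fsread: filename eq "/etc/resolv.conf" then permit
    native-fsread: filename match "/usr/lib/*" then permit
    native-socket: sockdom eq "AF_INET" and socktype eq "SOCK_RAW" then permit as root
    native-socket: sockdom eq "AF_INET" and socktype eq "SOCK_DGRAM" then permit
    native-sendto: permit
    native-recvfrom: permit
    native-exit: permit
EOF
    echo "$policydir/$name"
}

# Write the small wrapper that guarantees the real binary only ever runs
# under systrace. -a enforces the policy without prompting (anything not
# listed is denied); -d points systrace at the directory holding the policy.
write_wrapper() {
    wrapper=$1 policydir=$2 target=$3
    cat > "$wrapper" <<EOF
#!/bin/sh
exec /bin/systrace -a -d "$policydir" "$target" "\$@"
EOF
    chmod 755 "$wrapper"
    echo "$wrapper"
}
```

Only the raw-socket rule carries the elevation; every other permitted call runs with the invoking user's privileges, which is the whole point of removing the setuid bit.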
On network clients, Internet-exposed client applications can be wrapped in systrace policies. The earlier example, which showed the generation of a policy for the gaim client, can be extended to a variety of network clients, including irc clients and ssh usage. The systrace system can protect the local system from malicious servers or P2P clients that might attempt to execute arbitrary actions on the client system.