This chapter is from the book

29.5 System Coverage with systrace

Achieving total system coverage with systrace, where no avenue remains in which to execute arbitrary commands or handle user-supplied data, is the ultimate goal for a system protected by systrace. It is best accomplished by performing three actions. The first action is to ensure that complete, up-to-date policies have been generated for the applications. It is perhaps best to run the system using systrace -A for a short while to fully exercise the applications. The second action is to start any network daemons that are launched from processes such as /etc/rc under systrace, which requires minor script editing. The third action is to give users shells wrapped in systrace. Any executable that the users run will require a policy, as systrace also wraps child processes.

This difficult-to-achieve process requires an in-depth understanding of the system as well as the implications of system calls. For most users, running systrace on their network daemons will suffice.
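Once policies have been generated with systrace -A, a practitioner wants to know whether they still leave the avenue the text is concerned with open: a rule that permits execve without a filename condition lets the wrapped process run arbitrary commands. The script below is an added example, not code from the book or from systrace itself; it audits a constructed policy file (the daemon name and paths are hypothetical) for unconditional permits and shows the same policy with execve restricted.

```shell
#!/bin/sh
# Added example: audit systrace policies for unconditional "permit" rules.
# Assumed policy syntax (as written by systrace -A):
#   <syscall>: [<condition> then] <action>
# A rule with no condition, e.g. "native-execve: permit", permits every
# invocation of that call, so the policy does not close the exec avenue.

WORK=${TMPDIR:-/tmp}/systrace-audit.$$
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Constructed policy for a hypothetical daemon, as -A might record it after
# a short run: file reads are pinned to paths, but execve is wide open.
cat > "$WORK/usr_sbin_exampled" <<'EOF'
Policy: /usr/sbin/exampled, Emulation: native
	native-fsread: filename eq "/etc/exampled.conf" then permit
	native-fsread: filename match "/usr/lib/*.so*" then permit
	native-fswrite: permit
	native-connect: sockaddr match "inet-*:53" then permit
	native-execve: permit
	native-fork: permit
EOF

# Same policy with execve pinned to the one helper the daemon needs
# (helper path is also hypothetical) and writes confined to its log.
cat > "$WORK/usr_sbin_exampled.hardened" <<'EOF'
Policy: /usr/sbin/exampled, Emulation: native
	native-fsread: filename eq "/etc/exampled.conf" then permit
	native-fsread: filename match "/usr/lib/*.so*" then permit
	native-fswrite: filename eq "/var/log/exampled.log" then permit
	native-connect: sockaddr match "inet-*:53" then permit
	native-execve: filename eq "/usr/libexec/exampled-helper" then permit
	native-fork: permit
EOF

# unconditional_permits FILE: print each syscall permitted with no condition.
# Only two fields on the line ("native-x:" and "permit") means no "then".
unconditional_permits() {
    awk '$1 ~ /^native-[a-z]+:$/ && NF == 2 && $2 == "permit" {
             sub(/:$/, "", $1); print $1
         }' "$1"
}

# leaves_exec_avenue FILE: exit 0 when execve is permitted unconditionally.
leaves_exec_avenue() {
    unconditional_permits "$1" | grep -qx 'native-execve'
}

for p in "$WORK"/usr_sbin_exampled*; do
    if leaves_exec_avenue "$p"; then echo "$p: arbitrary execve permitted"; fi
done
```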
