September 03, 2002
systrace in openbsd-current

since there's almost no documentation for it outside of "man systrace", here are some examples of what i've kludged together to get systrace happy on my openbsd box. remember, you've got to be up and running with openbsd-current. we do love niels provos. i know i'm running devel code and it does hurt to be ahead of the curve, but there's really no documentation for this thing and it's pissing me off.

update: really this is annoying... i can't get systrace to do anything meaningful outside of breaking my processes. it mostly tells me "no ld.so" even after i've allowed it. if anyone has better documentation on using systrace please let me know.

of course you need to be running -current, with a new kernel and everything. make sure this line is somewhere in your kernel config (/usr/src/sys/arch/i386/conf/GENERIC):
pseudo-device systrace

after building your new kernel and rebooting (the config step has to run from the conf directory, so start there):
(cd /usr/src/sys/arch/i386/conf && config GENERIC && cd ../compile/GENERIC && make clean && make depend && make && cp /bsd /bsd.old && cp bsd /bsd && chown root.wheel /bsd && reboot)

you'll need to copy MAKEDEV from /home/newroot/dev/ to /dev and then run /dev/MAKEDEV systrace

now you can run systrace against a daemon or whatever you want. i'm running it in learning mode right now like this (with -p the command argument only names the policy; systrace attaches to the pid and does not start a new httpd):
systrace -A -i -d /etc/systrace -p 27715 /usr/sbin/httpd
oh and here's a quick script to find the pid of processes that don't stick nice little files in /var/run (-p takes exactly one pid, so only the first root-owned httpd is kept):
PID_HTTP=$(ps aux | grep httpd | grep root | egrep -vi '(man|grep|systrace)' | awk '{ print $2 }' | head -n 1)

after you're sure systrace has seen everything "normal" the daemon should be able to do, change the "-A" to "-a" and it'll begin to enforce the policy: any system call that no policy line covers is denied.

Posted by skp at September 03, 2002 11:08 PM