Real-Time Systrace Monitoring


You could edit your policies by hand, of course, but that's the hard way. Systrace includes a tool to let you edit policies in real time, as each system call is made. This is excellent for use in a network operations center environment, where the person responsible for watching the network monitor can also be assigned to watch for system calls and bring them to the attention of the appropriate sysadmin.

You can specify which program you wish to monitor by using systrace's "-p" flag. This is called "attaching" to the program. For example, earlier we saw two processes containing "inetd". One was the actual inetd process, the other was the systrace process managing inetd. Attach to the systrace process, not the actual program — in this case, process 12929. Also give the full path to the managed program as an argument.

    # systrace -p 12929 /usr/sbin/inetd

At first, nothing will happen. When the program attempts to make an unauthorized system call, however, a GUI will pop up. You will have the options to allow the system call, deny the system call, always permit the call, or always deny it. The program will hang until you make a decision, however, so decide quickly!

Note that these changes will only take effect so long as the current process is running! If you restart the program, you must also restart the attached systrace monitor, and any changes you set in the monitor are gone. You must add those rules to the policy if you want them to be permanent, so be sure to take notes.
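Because decisions made in the monitor die with the process, the notes you take during a session have to be turned into policy lines by hand. The following is an added example (not code from the book or from the systrace project) of a small merge tool that does this bookkeeping: it takes the decisions noted during an attached session, keeps only the "always permit" / "always deny" answers, skips rules the policy already has, and emits the updated policy. It assumes the policy-file syntax of the systrace(1) man page (a `Policy: <path>, Emulation: native` header followed by `native-<syscall>: [<condition>] then permit|deny[errno]` lines); the sample policy and the session notes are constructed for the example.

```python
"""Merge decisions noted during an interactive systrace session into a policy.

Added example, not part of the book or of systrace itself. Assumes the
systrace(1) policy syntax: a "Policy: <path>, Emulation: native" header and
rules of the form "native-<syscall>: [<condition>] then permit|deny[errno]".
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample policy, as it might be found in /etc/systrace or ~/.systrace.
EXISTING_POLICY = """\
Policy: /usr/sbin/inetd, Emulation: native
\tnative-fsread: filename eq "/etc/services" then permit
\tnative-socket: sockdom eq "AF_INET" and socktype eq "SOCK_STREAM" then permit
\tnative-bind: permit
\tnative-exit: permit
"""


@dataclass(frozen=True)
class Decision:
    """One answer given in the monitor GUI, as written down by the operator."""
    syscall: str                 # e.g. "fsread"
    condition: Optional[str]     # e.g. 'filename eq "/etc/hosts"'; None = unconditional
    action: str                  # "permit" or "deny[eperm]"
    persistent: bool             # True for "always permit/deny", False for one-off answers


# Constructed session notes: what the operator clicked while attached to the monitor.
SESSION_NOTES: List[Decision] = [
    Decision("fsread", 'filename eq "/etc/hosts"', "permit", True),      # always permit
    Decision("fsread", 'filename eq "/etc/services"', "permit", True),   # already in policy
    Decision("connect", None, "permit", False),                          # one-off "allow"
    Decision("fswrite", 'filename eq "/etc/passwd"', "deny[eperm]", True),  # always deny
]

# A rule line: "<emulation>-<syscall>: <rest>", optionally tab-indented.
RULE_RE = re.compile(r"^\s*(\w+)-(\w+):\s*(.*)$")


def to_rule(d: Decision, emulation: str = "native") -> str:
    """Render a decision as one policy line (tab-indented like systrace's own output)."""
    body = f"{d.condition} then {d.action}" if d.condition else d.action
    return f"\t{emulation}-{d.syscall}: {body}"


def parse_policy(text: str) -> Tuple[str, List[str]]:
    """Split a policy file into its header line and the list of rule lines."""
    header, rules = "", []
    for line in text.splitlines():
        if line.startswith("Policy:"):
            header = line.strip()
        elif RULE_RE.match(line):
            rules.append(line.strip())
    return header, rules


def merge(policy_text: str, decisions: List[Decision]) -> Tuple[str, List[str], List[Decision]]:
    """Return (updated policy text, rules added, decisions dropped).

    Only persistent decisions become rules; one-off answers are reported as
    dropped so the operator can see what will not survive a restart.
    """
    header, rules = parse_policy(policy_text)
    existing = set(rules)
    added, dropped = [], []
    for d in decisions:
        if not d.persistent:
            dropped.append(d)        # vanishes with the process; nothing to persist
            continue
        rule = to_rule(d).strip()
        if rule in existing:
            continue                 # policy already covers this call
        existing.add(rule)
        rules.append(rule)
        added.append(rule)
    out = header + "\n" + "\n".join("\t" + r for r in rules) + "\n"
    return out, added, dropped


if __name__ == "__main__":
    new_policy, added, dropped = merge(EXISTING_POLICY, SESSION_NOTES)
    print(new_policy)
    print("added:", *added, sep="\n  ")
    print("not persisted:", *(to_rule(d).strip() for d in dropped), sep="\n  ")
```

Run it against a real policy by reading the file into `EXISTING_POLICY` and writing `new_policy` back out; the list of dropped decisions is the set of answers you gave in the GUI that will silently disappear the next time the program is restarted.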

This requires that the people monitoring the system are willing to respond in real time. A program running under systrace without monitoring will just refuse unrecognized system calls and get on with life. If you use the GUI, however, the program will hang until you respond! Running interactive systrace monitoring on your high-throughput Web server may not be a good idea until you think you have all the bugs worked out.

While systrace has a vast number of functions and abilities, this should be enough to get you started. Experiment with the tool, look at some existing policies, and be sure to read section 2 of the man pages when you're in doubt!




Absolute OpenBSD: Unix for the Practical Paranoid
ISBN: 1886411999
Year: 2005
Pages: 298
