Systrace policy files

Policy: /usr/sbin/httpd, Emulation: native
	native-accept: permit
	native-bind: sockaddr eq "inet-[0.0.0.0]:443" then permit
	native-bind: sockaddr eq "inet-[0.0.0.0]:80" then permit
	native-chdir: filename eq "/" then permit
	native-chown: filename match "/var/www/logs/*" then permit
	native-connect: sockaddr sub ":53" then permit
	native-fsread: filename eq "/dev/arandom" then permit
	native-fsread: filename eq "/dev/null" then permit
	native-fsread: filename eq "/dev/tty" then permit
	native-fsread: filename eq "/etc" then permit
	native-fsread: filename eq "/etc/group" then permit
	native-fsread: filename eq "<non-existent filename>" then deny[enoent]
	native-fsread: filename match "/etc/ssl/*" then permit
	native-fsread: filename match "/htdocs/*" then permit
	native-fsread: filename match "/usr/lib/*" then permit
	native-fsread: filename match "/usr/share/*" then permit
	native-fsread: filename match "/var/www/*" then permit
	native-fstat: permit
	native-fstatfs: permit
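To make the semantics of a policy like the one above concrete, the following evaluator is an added example (not from the slides and not systrace's own code). It parses the httpd policy, embedded verbatim as sample input, and decides a system call the way systrace(1) describes: rules for a call are tried in file order, the first match wins, a rule with no condition matches unconditionally, and deny[errno] fails the call with that errno. Two points are assumptions rather than documented fact: "match" is modelled with fnmatch glob semantics where "*" may span "/", and a call that no rule covers is reported as "ask" (systrace prompts the operator, or denies when run with -a). The evaluator takes argument strings already translated and path-normalised by systrace, as the real filter does.

```python
"""Evaluate a systrace policy against one system call (added example).

Models the rule semantics described in systrace(1); assumptions are marked.
"""
import fnmatch
import re

# Sample input: the httpd policy from the slide, embedded verbatim.
HTTPD_POLICY = """\
Policy: /usr/sbin/httpd, Emulation: native
	native-accept: permit
	native-bind: sockaddr eq "inet-[0.0.0.0]:443" then permit
	native-bind: sockaddr eq "inet-[0.0.0.0]:80" then permit
	native-chdir: filename eq "/" then permit
	native-chown: filename match "/var/www/logs/*" then permit
	native-connect: sockaddr sub ":53" then permit
	native-fsread: filename eq "/dev/arandom" then permit
	native-fsread: filename eq "/dev/null" then permit
	native-fsread: filename eq "/dev/tty" then permit
	native-fsread: filename eq "/etc" then permit
	native-fsread: filename eq "/etc/group" then permit
	native-fsread: filename eq "<non-existent filename>" then deny[enoent]
	native-fsread: filename match "/etc/ssl/*" then permit
	native-fsread: filename match "/htdocs/*" then permit
	native-fsread: filename match "/usr/lib/*" then permit
	native-fsread: filename match "/usr/share/*" then permit
	native-fsread: filename match "/var/www/*" then permit
	native-fstat: permit
	native-fstatfs: permit
"""

# One rule: <emulation>-<call>: [<arg> <op> "<value>" then] <action>[<errno>]
RULE_RE = re.compile(
    r'^(?P<call>[\w-]+):\s*'
    r'(?:(?P<arg>\w+)\s+(?P<op>eq|match|sub)\s+"(?P<val>[^"]*)"\s+then\s+)?'
    r'(?P<action>permit|deny|ask)(?:\[(?P<errno>[a-z]+)\])?\s*$'
)


def parse_policy(text):
    """Return (header line, list of rule dicts) for one policy file."""
    header, rules = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("Policy:"):
            header = line
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError("unparseable rule: %r" % line)
        rules.append(m.groupdict())   # absent optional groups come back as None
    return header, rules


def arg_matches(op, pattern, value):
    """The three comparison operators used in the slide's policy."""
    if op == "eq":      # exact string compare
        return value == pattern
    if op == "sub":     # substring: ":53" also hits ":5353", ":530", ...
        return pattern in value
    if op == "match":   # glob; assumption: '*' may span '/' (fnmatch, no flags)
        return fnmatch.fnmatchcase(value, pattern)
    raise ValueError("unknown operator %r" % op)


def evaluate(rules, call, args):
    """Decide one call. `args` maps translated argument names (filename,
    sockaddr, ...) to the strings systrace would display. Returns
    (action, errno); a call no rule covers yields ("ask", None)."""
    for rule in rules:
        if rule["call"] != call:
            continue
        if rule["op"] is None:          # unconditional rule matches everything
            return rule["action"], rule["errno"]
        value = args.get(rule["arg"])
        if value is not None and arg_matches(rule["op"], rule["val"], value):
            return rule["action"], rule["errno"]
    return "ask", None


HEADER, RULES = parse_policy(HTTPD_POLICY)

if __name__ == "__main__":
    probes = [
        ("native-bind", {"sockaddr": "inet-[0.0.0.0]:80"}),
        ("native-bind", {"sockaddr": "inet-[0.0.0.0]:8080"}),
        ("native-fsread", {"filename": "/etc/master.passwd"}),
        ("native-fsread", {"filename": "<non-existent filename>"}),
        ("native-connect", {"sockaddr": "inet-[10.0.0.1]:5353"}),  # sub over-matches
    ]
    print(HEADER)
    for call, args in probes:
        print("%-15s %-28s -> %s" % (call, list(args.values())[0], evaluate(RULES, call, args)))
```

Running the probes shows the two things worth checking in any policy of this shape: "sub" is a substring test, so the connect rule meant for DNS also permits connections to port 5353 or 530, and would be tighter written with "eq" against the resolver's full address; and deny[enoent] makes the application see a missing file rather than an EPERM, which keeps software that probes for optional files from failing loudly.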
Copyright 2003, Bri Hatch of Onsight, Inc.
Presented at ISSA Puget Sound, 2003.
Presentation created using vim and MagicPoint.