Page 58: Systrace policy files

  Systrace policy files
  Policy: /usr/sbin/httpd, Emulation: native
       native-accept: permit
       native-bind: sockaddr eq "inet-[0.0.0.0]:443" then permit
       native-bind: sockaddr eq "inet-[0.0.0.0]:80" then permit
       native-chdir: filename eq "/" then permit
       native-chown: filename match "/var/www/logs/*" then permit
       native-connect: sockaddr sub ":53" then permit
       native-fsread: filename eq "/dev/arandom" then permit
       native-fsread: filename eq "/dev/null" then permit
       native-fsread: filename eq "/dev/tty" then permit
       native-fsread: filename eq "/etc" then permit
       native-fsread: filename eq "/etc/group" then permit
       native-fsread: filename eq "<non-existent filename>" then deny[enoent]
       native-fsread: filename match "/etc/ssl/*" then permit
       native-fsread: filename match "/htdocs/*" then permit
       native-fsread: filename match "/usr/lib/*" then permit
       native-fsread: filename match "/usr/share/*" then permit
       native-fsread: filename match "/var/www/*" then permit
       native-fstat: permit
       native-fstatfs: permit
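To show how the rules above are applied, here is an added evaluator (not part of the presentation or of systrace itself) that parses a constructed subset of the httpd policy in the slide's syntax and answers "would this call be permitted?" for sample calls. It assumes systrace semantics as documented: rules are tried in order and the first match wins, `eq` is an exact compare, `match` is an fnmatch-style glob whose `*` also spans `/`, `sub` is a substring test, and an unmatched call is reported as denied (the behaviour of automatic enforcement, `systrace -a`).

```python
import fnmatch
import re

# Constructed subset of the slide's /usr/sbin/httpd policy, same rule syntax.
POLICY = """\
native-accept: permit
native-bind: sockaddr eq "inet-[0.0.0.0]:443" then permit
native-bind: sockaddr eq "inet-[0.0.0.0]:80" then permit
native-chdir: filename eq "/" then permit
native-chown: filename match "/var/www/logs/*" then permit
native-connect: sockaddr sub ":53" then permit
native-fsread: filename eq "/etc/group" then permit
native-fsread: filename eq "<non-existent filename>" then deny[enoent]
native-fsread: filename match "/var/www/*" then permit
native-fstat: permit
"""

# <syscall>: [<arg> <eq|match|sub> "<value>" then] <permit|deny>[errno]
RULE_RE = re.compile(
    r'^(?P<call>[\w-]+):\s*(?:(?P<arg>\w+)\s+(?P<op>eq|match|sub)\s+"(?P<val>[^"]*)"'
    r'\s+then\s+)?(?P<action>permit|deny)(?:\[(?P<errno>\w+)\])?$'
)

def parse_policy(text):
    """Return the policy as an ordered list of rule dicts (groups unused -> None)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparsable rule: {line}")
        rules.append(m.groupdict())
    return rules

def _matches(op, pattern, value):
    if op == "eq":      # exact string compare
        return value == pattern
    if op == "match":   # glob; '*' is assumed to span '/' like fnmatch(3) without FNM_PATHNAME
        return fnmatch.fnmatchcase(value, pattern)
    if op == "sub":     # substring anywhere in the argument
        return pattern in value
    raise ValueError(f"unknown operator {op}")

def evaluate(rules, call, **args):
    """First matching rule wins: ('permit', None) or ('deny', errno-or-None).
    systrace substitutes "<non-existent filename>" for paths that do not exist,
    so the caller passes that literal to exercise the deny[enoent] rule."""
    for r in rules:
        if r["call"] != call:
            continue
        if r["op"] is None or _matches(r["op"], r["val"], args.get(r["arg"], "")):
            return r["action"], r["errno"]
    return "deny", None   # no rule matched: treated as deny (systrace -a, assumption)
```

Running `evaluate(parse_policy(POLICY), "native-bind", sockaddr="inet-[0.0.0.0]:8080")` returns a deny, which is the check a reviewer wants before relaxing a rule from `eq` to `match` or `sub`.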

Copyright 2003, Bri Hatch of Onsight, Inc.

Presented at ISSA Puget Sound, 2003.

Presentation created using vim and MagicPoint.