#1 - 26th January 2009 - DraconianTimes

OpenSolaris equivalent of systrace?

I've recently installed OpenSolaris 2008.11 and was wondering what the nearest equivalent functionality to systrace is?
I've seen the FGAP sub-project (which looks almost spot on), but this is still under development. Is there a combination of OSol tools which will give me some/all of systrace's functionality?

Ta.
#2 - 26th January 2009 - vermaden

dtrace? ;p
#3 - 26th January 2009 - Oko

Quote (Originally Posted by vermaden):
dtrace? ;p
I think that it is really not possible to compare dtrace and systrace.
Dtrace is, in very simplified terms, a tool which enables you to monitor your system in real time for, let's say, bottlenecks and add hardware or relocate resources if needed.

Systrace was originally conceived as a very radical security tool which will enable you to do things like preventing applications from making certain system calls without explicit authorization from the system admin in real time.

Ideally one would want to have both tools available on the system. The problem is that large parts of DTrace are patented and released under the CDDL license or even more restrictive licenses, so one would have to write loadable kernel modules. Obviously FreeBSD doesn't care much for licenses so they imported DTrace into the kernel.

Systrace on the other hand is in some sense obsolete as there is a major security problem with the tool pointed out by Dr. Robert Watson, member of the FreeBSD core team, in one of his research papers. As the main developer of Systrace has parted ways with the OpenBSD project due to the disagreement with Theo de Raadt, there has been no work on systrace in the past 3-4 years. It is still part of the kernel of OpenBSD but has very specific uses which are not in line with the original design goals of the Systrace project. Systrace is probably fixable and there is some chance that OpenBSD will get DTrace in the form of loadable kernel modules. That would be really FANTASTIC!!!
#4 - 26th January 2009 - jggimi

Quote (Originally Posted by Oko):
...there has been no work on systrace in the past 3-4 years.
2.5 years. Integration of systrace 1.6d occurred July '06. (1.6f was announced this month).

The developer, Niels Provos, stated in response to security questions:
Quote:
Just keep in mind that ptrace has not been designed as a security primitive and while the ptrace backend can restrict the behavior of programs in non-adversarial settings, there are many ways to circumvent it.
Systrace was indeed an interesting application security management tool; but with the demise of the Hairy Eyeball project, general-purpose interest waned.

It's still used within OpenBSD, particularly for port development. I wouldn't develop a port, or submit one for the tree unless the port build was protected and tested with USE_SYSTRACE=Yes.

#5 - 26th January 2009 - DraconianTimes

OK, thanks for the replies. Looks like I'm going to have to wait patiently for FGAP...
#6 - 27th January 2009 - Oko

Quote (Originally Posted by DraconianTimes):
OK, thanks for the replies. Looks like I'm going to have to wait patiently for FGAP...
I read the link you posted.
Quote:
* only allow binding to port 80/tcp
* only allow read access to file foo
* only allow write access under $HOME/.mozilla
That is lame. Can't you do the last two things just with permissions? Even with root access the last two goals can be easily accomplished in the BSD world with flags and kernel security levels. The first one looks to me like it could be easily done with PF.

Systrace is a far more serious tool as originally designed.

#7 - 27th January 2009 - DraconianTimes

Quote (Originally Posted by Oko):
That is lame. Can't you do the last two things just with permissions? Even with root access the last two goals can be easily accomplished in the BSD world with flags and kernel security levels. The first one looks to me like it could be easily done with PF.
Regarding your first point, PF can control access to 80/tcp, but that is system-wide; it won't let me tie it down to a specific application.
As for security levels, IIRC the OpenBSD team had actually dismissed them. I haven't got the link to hand, but there were a couple of interviews with senior devs who said the concept was flawed.

I'll try to dig out the links when I get home tonight.

Cheers.

UPDATE 2009-01-27 2205Z

Here's the link regarding secure levels: http://www.theregister.co.uk/2006/01...evel_bsd_unix/

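An added example, not from any post in this thread, to make concrete the distinction Oko draws in #3 (DTrace observes, systrace enforces) and the port-80 goal debated in #6 and #7: this D script, assumed to run on OpenSolaris 2008.11 with the syscall provider, reports every process that binds an AF_INET socket to port 80 and whether the kernel allowed it. It tells you who did it, but nothing in it can deny the call; that per-application denial is what a systrace policy gives and what a system-wide PF rule cannot.

```d
#!/usr/sbin/dtrace -s
/*
 * Report every bind() of an AF_INET socket to port 80, naming the process
 * that made it and the kernel's verdict. DTrace only observes here: nothing
 * in this script can refuse the call. Assumed: the OpenSolaris syscall
 * provider, where bind(3SOCKET) arrives as bind(s, name, namelen, ...).
 */
#pragma D option quiet

dtrace:::BEGIN
{
    printf("Watching bind() to port 80 ... Ctrl-C to stop\n");
}

/* Copy the caller's sockaddr while its address space is still current. */
syscall::bind:entry
/arg2 >= sizeof (struct sockaddr_in)/
{
    this->sa = (struct sockaddr_in *)copyin(arg1, sizeof (struct sockaddr_in));
    self->family = this->sa->sin_family;
    /* sin_port is in network byte order; swap it by hand (as the
       DTraceToolkit scripts do) rather than depend on ntohs() existing. */
    self->port = ((this->sa->sin_port & 0xff) << 8) | (this->sa->sin_port >> 8);
}

/* Report on return so the kernel's verdict is known (arg0 == 0 is success).
   2 is AF_INET, spelled out because the header macro needs dtrace -C. */
syscall::bind:return
/self->family == 2 && self->port == 80/
{
    printf("%Y %s[%d] uid=%d bind() to port 80: %s\n", walltimestamp,
        execname, pid, uid, arg0 == 0 ? "allowed" : "refused by kernel");
}

/* Clear the thread-local state on every return, matched or not. */
syscall::bind:return
{
    self->family = 0;
    self->port = 0;
}
```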
#8 - 30th January 2009 - Randux

Interesting that the Register is calling de Raadt a "vendor". Last time I looked, OpenBSD was being given away (as in free) and distributed under the freest of terms (BSD license: don't say you wrote this).

Amazing how all the whiners expect something for nothing. Entitlement is a very sick idea.
#9 - 30th January 2009 - DraconianTimes

Quote (Originally Posted by Randux):
Interesting that the Register is calling de Raadt a "vendor". Last time I looked, OpenBSD was being given away (as in free) and distributed under the freest of terms (BSD license: don't say you wrote this).

Amazing how all the whiners expect something for nothing. Entitlement is a very sick idea.
Indeed, it's like the idiots who come onto misc@ being abusive about the lack of x, y or z. I suppose that the Register struggles with terminology to describe roles in FOSS, especially when comparing against the more traditional commercial offerings...
31st January 2009 - Oko

I read the article. It is very superficial. To me it looks like it was written by a guy with a lack of technical knowledge about the matter he is trying to talk about but a great sense of humor.
Quote:
One of the best things about OpenBSD is that it's a great operating system for new users to Unix.
I am going to use this every time I am annoyed by an Ubuntu user.

Joking aside, if you carefully read my post above I said that it looks to me that I could use a combination of flags and security levels to accomplish 2 and 3.
I have never said that the kernel security level alone can do any good.
Without detailed knowledge about the objectives of the cited OpenSolaris projects it is just my guess what problem they are trying to fix.
