Systrace - Interactive Policy Generation for System Calls
Niels Provos has released systrace for
OpenBSD and NetBSD. "Some work has started on a GNU/Linux port.". Also see, this post regarding systrace and the recent apache vulnerabilities.
Systrace provides
- confinement of complex or untrusted binary applications.
- interactive policy generation with graphical user interface.
- support for different emulations: GNU/Linux, BSDI, etc..
- non-interactive policy enforcement.
- remote monitoring and intrusion detection.
- automatic policy generation.
With a correctly configured policy the impact of programming errors in system daemons can be constrained significantly.