From karim.adel at gmail.com Mon Jan 31 10:15:47 2005
From: karim.adel at gmail.com (Kim Onnel)
Date: Wed Feb 9 08:28:38 2005
Subject: [Systrace] Basic usage of systrace
Message-ID:

hi,

I'm a network engineer at an ISP; my daily work involves routers and their protocols. Definitely, there is a gap between what we do and the systems world, especially when it comes to security. We've been using telnet and of course there is no excuse for that, but it's a must until we have the luxury to upgrade our weak network OS (IOS). To get around that, I planned to set up 2 OpenBSD boxes as bastion hosts, where people would jump off to the rest of the network devices; from there I will enforce a login policy.

Some googling led me here. I have grasped what systrace does, but it's not easy for me to create policies; my unix background has helped me so far to just install the BSD and get it running. I intend to restrict users to only be able to telnet (it would be great if I can restrict them to my network subnet range as well), no need for anything else, ls or basic bash commands.

From what I've seen, I must be quite aware of the logging and the 'under-the-hood' operation of programs to write a policy for it (e.g.: use the connect, open socket, use gethostbyname, use....). Am I right about that, or can I just easily allow users to telnet and that's it? I am confused with this part. I know this mailing list is all about complex systrace policies and probably development, but can anyone reply privately on what's needed to do my simple task?

Regards
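An added example, not part of the post above and not from the systrace project: the shape of a hand-written policy for /usr/bin/telnet in the format systrace(1) reads, with the one property the poster asks for, outgoing TCP connections only to port 23 on one management subnet. The subnet 10.0.0.0/24, the policy path and the handful of files listed are assumptions; the full list of calls telnet makes (mmap, read, write, ioctl, select and so on) is best captured by running the client once under `systrace -A`, which writes a permit-everything policy from what it observes, and then pasting the socket/connect rules below over the generated ones. The escaped brackets in the match pattern and the `#` comment lines are also assumptions about the policy parser; check them against systrace(1) on the installed release.

```text
# Assumed location: /etc/systrace/usr_bin_telnet
# (policy file name = binary path with "/" replaced by "_")
# Hypothetical example; 10.0.0.0/24 is a placeholder management subnet.
Policy: /usr/bin/telnet, Emulation: native
	# only TCP sockets; a UDP socket (DNS) is never granted, so users
	# must use IP addresses or names from /etc/hosts
	native-socket: sockdom eq "AF_INET" and socktype eq "SOCK_STREAM" then permit
	native-socket: deny[eperm] log
	# rules are evaluated in order, first match wins:
	# allow port 23 inside the subnet, log and refuse everything else
	native-connect: sockaddr match "inet-\[10.0.0.*\]:23" then permit log
	native-connect: deny[eperm] log
	# read-only access to the few files the client needs
	native-fsread: filename eq "/etc/hosts" then permit
	native-fsread: filename eq "/etc/services" then permit
	native-fsread: filename match "/usr/lib/*" then permit
	# nothing gets written or executed from inside telnet
	native-fswrite: deny[eperm] log
	native-execve: deny[eperm] log
```

Run the client as `systrace -a -d /etc/systrace /usr/bin/telnet 10.0.0.5`: with `-a`, any system call the policy does not mention is denied rather than prompting, and `-d` names the policy directory. Denied calls carry `log`, so a user trying to reach a host outside the subnet shows up in syslog with the address they attempted. The policy confines telnet itself; keeping users out of ls and a shell is a separate matter of what login shell they are given on the bastion.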