[Systrace] tuning systrace policy for expect

Kim Onnel karim.adel at gmail.com
Tue May 10 04:59:40 EDT 2005


Hi,

I'm trying to generate a policy for an expect script to run

Script : rpm1

-bash-3.00# cat rpm1
./rtr3 -cisco -telnet x.x.1.1

Which calls an expect script called rtr3 as you can see:

-bash-3.00# more rtr3
#!/usr/local/bin/expect --
#
#
# Connect to a Cisco/Juniper/Unix router and execute one or multiple commands
#
# Syntax:   rtr3 [<flags>] <router> [<command string> [: <command string>] ]"
#
# $Log: rtr3,v $
# Revision 2.3  2004/12/01 15:55:28  markus
# Remove debug code.
#
# Revision 2.2  2004/12/01 15:36:22  markus
# Implemented command line flags to overwrite default settings.
# (-username -password -enable_password)
#
# Revision 2.1  2004/08/16 10:52:12  markus
# Module logon_cisco, modified error messages
#
# Revision 2.0  2004/06/20 19:00:20  markus
# Added support for Juniper routers
# Added support for SSH transport
# Restructured execute_command_*
# Restructured logon_*
#
# Revision 1.6  2004/03/08 14:46:46  markus
# Fix execute_command in branch ZEBRA
#
# Revision 1.5  2003/11/28 12:36:36  markus
# Separated execute_command logic to distinguish between CISCO, ZEBRA, and UNIX.
#
# Revision 1.4  2003/11/28 10:28:23  markus
# The script now properly handles Cisco routers that go into privileged mode
# without an explicit enable command.
# The script now prints a timestamp upon invocation.
# Output from "spawn telnet" and the logon procedure is now suppressed.
# In non-interactive mode the command output is surrounded by begin
# and end markers.
# The script now uses expect "#$" when waiting for command output. This fixes a bug
# where lengthy output was truncated.


The rtr3 script needs a .rtr3 file, which is located in the user's home
directory (~/.rtr3), and I have it in place.

I've tried to auto-generate the policy with systrace -A and tune it according to
the errors, and this is what I have:

-bash-3.00# more home_test_rtr3
Policy: /home/test/rtr3, Emulation: native
native-connect: sockaddr match "inet-*:23" then permit
native-fsread: filename eq "/home" then permit
native-fsread: filename eq "/tmp" then permit
native-fsread: filename eq "/usr" then permit
native-fsread: filename eq "/var" then permit
native-socket: sockdom eq "AF_INET" and socktype eq "SOCK_DGRAM" then permit
native-socket: sockdom eq "AF_UNIX" and socktype eq "SOCK_DGRAM" then permit
native-umask: permit
native-write: permit

native-mmap: permit
native-mprotect: permit
native-exit: permit
native-write: permit
native-writev: permit
native-issetugid: permit
native-mprotect: permit
native-mmap: permit
native-__sysctl: permit
native-fsread: filename eq "/var/run/ld.so.hints" then permit
native-fstat: permit
native-close: permit
native-fsread: filename eq "/usr/lib/libc.so.34.1" then permit
native-read: permit
native-mquery: permit
native-fsread: filename eq "/usr/local/lib/libtcl84.so.1.0" then permit
native-fsread: filename eq "/usr/lib/libutil.so.11.0" then permit
native-fsread: filename eq "/usr/lib/libm.so.2.0" then permit
native-munmap: permit
native-sigprocmask: permit
native-fsread: filename eq "/etc/malloc.conf" then permit
native-break: permit
native-lseek: permit
native-sigaction: permit
native-fsread: filename eq "/home/test/." then permit
native-chdir: filename eq "/usr/local/lib/tcl8.4" then permit
native-fsread: filename eq "/usr/local/lib/tcl8.4/encoding" then permit
native-chdir: filename eq "/usr/local/lib/tcl8.4/encoding" then permit
native-fsread: filename eq "/" then permit
native-fsread: filename eq "/usr/local/lib/tcl8.4/encoding/." then permit
native-fsread: filename eq "/usr/local/lib/tcl8.4" then permit
native-fcntl: permit
native-fstatfs: permit
native-getdirentries: permit
native-fsread: filename eq "/usr/local/lib" then permit
native-fsread: filename eq "/usr/local" then permit
native-fsread: filename eq "/usr" then permit
native-fchdir: permit
native-fsread: filename eq "/usr/local/lib/tcl8.4/encoding/iso8859-1.enc" then permit
native-ioctl: permit
native-chdir: filename eq "/usr/local/lib" then permit
native-fsread: filename eq "/usr/local/lib/tcl8.4/." then permit
native-fsread: filename eq "/usr/local/lib/tcl8.4/init.tcl" then permit
native-getpid: permit
native-fswrite: filename eq "/dev/tty" then permit
native-fsread: filename eq "/usr/local/lib/expect5.43/expect.rc" then permit
native-fsread: filename eq "/home/test/.expect.rc" then permit
native-chdir: filename eq "/home" then permit
native-fsread: filename eq "/home/test" then permit
native-chdir: filename eq "/home/test" then permit
native-fsread: filename eq "/home" then permit
native-fsread: filename eq "/home/test/rtr3" then permit
native-write: permit
native-fsread: filename eq "/home/test/.rtr3" then permit
native-pipe: permit
native-gettimeofday: permit
native-fsread: filename eq "/tmp" then permit
native-fswrite: filename eq "/tmp/tclt24674" then permit
native-fork: permit
native-dup2: permit
native-execve: filename eq "/<non-existent filename>: /home/test/bin/date" and argv eq "date" then permit
native-execve: filename eq "/bin/date" and argv eq "date" then permit
native-getsockname: permit
native-wait4: permit
native-fswrite: filename eq "/dev/ptm" then permit
native-fsread: filename eq "/var/run/dev.db" then permit
native-pread: permit
native-setsid: permit
native-fswrite: filename eq "/dev/ttyp2" then permit
native-vfork: permit
native-execve: filename eq "/bin/sh" and argv eq "sh -c /bin/stty sane < /dev/ttyp2" then permit
native-execve: filename eq "/bin/sh" and argv eq "/bin/sh -c exec telnet 172.31.1.1" then permit
native-select: permit
native-fsread: filename eq "/dev/null" then permit
native-nanosleep: permit
native-exit: permit



But that doesn't work, and the errors I get on the console are:

-bash-3.00#
May 10 11:49:05 bastion2 systrace: deny user: test, prog: /home/test/rtr3, pid: 32147(2)[26037], policy: /home/test/rtr3, filters: 0, syscall: native-issetugid(253), args: 0
May 10 11:49:05 bastion2 systrace: deny user: test, prog: /home/test/rtr3, pid: 32147(2)[26037], policy: /home/test/rtr3, filters: 0, syscall: native-mprotect(74), args: 12
May 10 11:49:05 bastion2 systrace: deny user: test, prog: /home/test/rtr3, pid: 32147(2)[26037], policy: /home/test/rtr3, filters: 0, syscall: native-mmap(197), args: 32
May 10 11:49:05 bastion2 systrace: deny user: test, prog: /home/test/rtr3, pid: 32147(2)[26037], policy: /home/test/rtr3, filters: 0, syscall: native-write(4), args: 12
May 10 11:49:05 bastion2 systrace: deny user: test, prog: /home/test/rtr3, pid: 32147(2)[26037], policy: /home/test/rtr3, filters: 0, syscall: native-write(4), args: 12
May 10 11:49:05 bastion2 systrace: deny user: test, prog: /home/test/rtr3, pid: 32147(2)[26037], policy: /home/test/rtr3, filters: 0, syscall: native-write(4), args: 12
May 10 11:49:05 bastion2 systrace: deny user: test, prog: /home/test/rtr3, pid: 32147(2)[26037], policy: /home/test/rtr3, filters: 0, syscall: native-write(4), args: 12
May 10 11:49:05 bastion2 systrace: deny user: test, prog: /home/test/rtr3, pid: 32147(2)[26037], policy: /home/test/rtr3, filters: 0, syscall: native-write(4), args: 12
May 10 11:49:05 bastion2 systrace: deny user: test, prog: /home/test/rtr3, pid: 32147(2)[26037], policy: /home/test/rtr3, filters: 0, syscall: native-write(4), args: 12
May 10 11:49:05 bastion2 systrace: deny user: test, prog: /home/test/rtr3, pid: 32147(2)[26037], policy: /home/test/rtr3, filters: 0, syscall: native-write(4), args: 12
May 10 11:49:05 bastion2 systrace: deny user: test, prog: /home/test/rtr3, pid: 32147(2)[26037], policy: /home/test/rtr3, filters: 0, syscall: native-write(4), args: 12
May 10 11:49:05 bastion2 systrace: deny user: test, prog: /home/test/rtr3, pid: 32147(2)[26037], policy: /home/test/rtr3, filters: 0, syscall: native-write(4), args: 12
May 10 11:49:05 bastion2 systrace: deny user: test, prog: /home/test/rtr3, pid: 32147(2)[26037], policy: /home/test/rtr3, filters: 0, syscall: native-write(4), args: 12
May 10 11:49:05 bastion2 systrace: deny user: test, prog: /home/test/rtr3, pid: 32147(2)[26037], policy: /home/test/rtr3, filters: 0, syscall: native-write(4), args: 12
May 10 11:49:05 bastion2 systrace: deny user: test, prog: /home/test/rtr3, pid: 32147(2)[26037], policy: /home/test/rtr3, filters: 0, syscall: native-write(4), args: 12
May 10 11:49:05 bastion2 systrace: deny user: test, prog: /home/test/rtr3, pid: 32147(2)[26037], policy: /home/test/rtr3, filters: 0, syscall: native-write(4), args: 12
May 10 11:49:05 bastion2 systrace: deny user: test, prog: /home/test/rtr3, pid: 32147(2)[26037], policy: /home/test/rtr3, filters: 0, syscall: native-write(4), args: 12
May 10 11:49:05 bastion2 systrace: deny user: test, prog: /home/test/rtr3, pid: 32147(2)[26037], policy: /home/test/rtr3, filters: 0, syscall: native-write(4), args: 12
May 10 11:49:05 bastion2 systrace: deny user: test, prog: /home/test/rtr3, pid: 32147(2)[26037], policy: /home/test/rtr3, filters: 0, syscall: native-write(4), args: 12
May 10 11:49:05 bastion2 systrace: deny user: test, prog: /home/test/rtr3, pid: 32147(2)[26037], policy: /home/test/rtr3, filters: 0, syscall: native-write(4), args: 12
May 10 11:49:05 bastion2 systrace: deny user: test, prog: /home/test/rtr3, pid: 32147(2)[26037], policy: /home/test/rtr3, filters: 0, syscall: native-write(4), args: 12
May 10 11:49:05 bastion2 systrace: deny user: test, prog: /home/test/rtr3, pid: 32147(2)[26037], policy: /home/test/rtr3, filters: 0, syscall: native-write(4), args: 12
May 10 11:49:05 bastion2 systrace: deny user: test, prog: /home/test/rtr3, pid: 32147(2)[26037], policy: /home/test/rtr3, filters: 0, syscall: native-write(4), args: 12
May 10 11:49:05 bastion2 systrace: deny user: test, prog: /home/test/rtr3, pid: 32147(2)[26037], policy: /home/test/rtr3, filters: 0, syscall: native-write(4), args: 12
May 10 11:49:05 bastion2 systrace: deny user: test, prog: /home/test/rtr3, pid: 32147(2)[26037], policy: /home/test/rtr3, filters: 0, syscall: native-write(4), args: 12
May 10 11:49:05 bastion2 systrace: deny user: test, prog: /home/test/rtr3, pid: 32147(2)[26037], policy: /home/test/rtr3, filters: 0, syscall: native-write(4), args: 12
May 10 11:49:05 bastion2 systrace: deny user: test, prog: /home/test/rtr3, pid: 32147(2)[26037], policy: /home/test/rtr3, filters: 0, syscall: native-write(4), args: 12
May 10 11:49:05 bastion2 systrace: deny user: test, prog: /home/test/rtr3, pid: 32147(2)[26037], policy: /home/test/rtr3, filters: 0, syscall: native-write(4), args: 12
May 10 11:49:05 bastion2 systrace: deny user: test, prog: /home/test/rtr3, pid: 32147(2)[26037], policy: /home/test/rtr3, filters: 0, syscall: native-write(4), args: 12
May 10 11:49:05 bastion2 systrace: deny user: test, prog: /home/test/rtr3, pid: 32147(2)[26037], policy: /home/test/rtr3, filters: 0, syscall: native-write(4), args: 12
May 10 11:49:05 bastion2 systrace: deny user: test, prog: /home/test/rtr3, pid: 32147(2)[26037], policy: /home/test/rtr3, filters: 0, syscall: native-write(4), args: 12
May 10 11:49:05 bastion2 systrace: deny user: test, prog: /home/test/rtr3, pid: 32147(2)[26037], policy: /home/test/rtr3, filters: 0, syscall: native-write(4), args: 12
May 10 11:49:05 bastion2 systrace: deny user: test, prog: /home/test/rtr3, pid: 32147(2)[26037], policy: /home/test/rtr3, filters: 0, syscall: native-write(4), args: 12
May 10 11:49:05 bastion2 systrace: deny user: test, prog: /home/test/rtr3, pid: 32147(2)[26037], policy: /home/test/rtr3, filters: 0, syscall: native-write(4), args: 12
May 10 11:49:05 bastion2 systrace: deny user: test, prog: /home/test/rtr3, pid: 32147(2)[26037], policy: /home/test/rtr3, filters: 0, syscall: native-write(4), args: 12
May 10 11:49:05 bastion2 systrace: deny user: test, prog: /home/test/rtr3, pid: 32147(2)[26037], policy: /home/test/rtr3, filters: 0, syscall: native-exit(1), args: 4


Can anyone help me modify my policy?
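Since the post above is about getting a hand-tuned `systrace -A` policy to load, here is a small checker, added as an example and not part of the original post or of systrace itself, that flags the mistakes most likely to appear when such a policy is edited by hand or pasted through a mailer: a rule that has a predicate but no `then`, a rule wrapped across two lines, a rule whose emulation does not match the `Policy:` header, and exact duplicate rules. The rule grammar it assumes (`<emu>-<syscall>: [<predicate> then] permit|deny[<errno>]|ask [log] [; comment]`) is a simplification of the real syntax, and the sample policy is constructed from fragments of the one in the post.

```python
"""
Lint a systrace policy file for the mistakes that creep in when a policy
generated with `systrace -A` is hand-edited or pasted through a mailer:
a rule with a predicate but no `then`, a rule wrapped across two lines,
an emulation that does not match the header, and duplicate rules.

Added example, not part of the original post or of systrace.  The grammar
assumed here is a simplification of the real policy syntax:
  Policy: <path>, Emulation: <emu>
  <emu>-<syscall>: <action>
  <emu>-<syscall>: <predicate> then <action> [log] [; comment]
with <action> one of permit, deny, deny[<errno>] or ask.
"""
import re

HEADER_RE = re.compile(r'^Policy:\s*(?P<path>\S+),\s*Emulation:\s*(?P<emu>\w+)$')
RULE_RE = re.compile(r'^(?P<emu>[a-z0-9_]+)-(?P<syscall>[a-z0-9_]+):\s*(?P<body>.*\S)$')
ACTION_RE = re.compile(r'^(permit|ask|deny(\[[a-z]+\])?)(\s+log)?$')


def _strip_comment(line):
    """Drop a trailing "; comment", ignoring semicolons inside quoted values."""
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quote = not in_quote
        elif ch == ';' and not in_quote:
            return line[:i].rstrip()
    return line


def _check_body(body):
    """Return an error message for a malformed rule body, or None."""
    if body.count('"') % 2:
        return 'unbalanced double quotes (line wrapped by the mailer?)'
    if ' then ' in body:
        predicate, action = body.rsplit(' then ', 1)
        if not predicate.strip():
            return 'empty predicate before "then"'
        if not ACTION_RE.match(action.strip()):
            return 'unknown action %r' % action.strip()
        return None
    if ACTION_RE.match(body):
        return None          # bare action, e.g. "native-fstat: permit"
    return 'predicate without "then <action>" (keyword missing or line wrapped?)'


def lint_policy(text):
    """
    Check a whole policy file.  Returns (findings, rules): findings is a list
    of (line number, message); rules is the list of well-formed rules with
    exact duplicates removed, in original order (the header is not a rule).
    """
    findings, rules, seen = [], [], {}
    header_emu = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = _strip_comment(raw.strip())
        if not line:
            continue
        if header_emu is None:
            m = HEADER_RE.match(line)
            if m:
                header_emu = m.group('emu')
                continue
            findings.append((lineno, 'missing "Policy: <path>, Emulation: <emu>" header'))
            header_emu = ''       # keep going; emulations cannot be checked
        m = RULE_RE.match(line)
        if not m:
            findings.append((lineno, 'not a rule: %r (tail of a wrapped line?)' % line))
            continue
        if header_emu and m.group('emu') != header_emu:
            findings.append((lineno, 'emulation %s does not match header %s'
                             % (m.group('emu'), header_emu)))
        err = _check_body(m.group('body'))
        if err:
            findings.append((lineno, err))
            continue
        if line in seen:
            findings.append((lineno, 'duplicate of line %d' % seen[line]))
            continue
        seen[line] = lineno
        rules.append(line)
    return findings, rules


# Constructed sample: fragments of the policy in the post, including one
# rule missing "then", one rule wrapped across two lines and two duplicates.
SAMPLE_POLICY = """\
Policy: /home/test/rtr3, Emulation: native
native-connect: sockaddr match "inet-*:23" then permit
native-fsread: filename eq "/home" permit
native-fsread: filename eq "/tmp" then permit
native-socket: sockdom eq "AF_UNIX" and socktype eq
"SOCK_DGRAM" then permit
native-write: permit
native-fsread: filename eq "/tmp" then permit
native-write: permit
native-execve: filename eq "/bin/sh" and argv eq "/bin/sh -c exec telnet 172.31.1.1" then permit
native-exit: permit
"""

if __name__ == '__main__':
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_POLICY
    found, kept = lint_policy(text)
    for lineno, msg in found:
        print('line %d: %s' % (lineno, msg))
    print('%d well-formed unique rules' % len(kept))
```

Run it as `python lint_policy.py ~/.systrace/home_test_rtr3` to check a real policy, or with no argument to see the five findings on the constructed sample (lines 3, 5, 6, 8 and 9). A policy that passes the checker is not necessarily the policy you want, but one that fails it is unlikely to be the policy systrace is enforcing.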

