Need some security advice for systemtap

David Smith dsmith at redhat.com
Tue Jun 5 20:56:39 UTC 2007


grundy wrote:
> I think a good way to handle it would be to have a configuration file
> like /etc/sudoers and setuid root stap (or staprun). The access control
> would then be built into systemtap. 
> 
> Here are my ideas of what would make a "good" set of controls:
> 
>  - level of tap script they can run, e.g. guru mode code or not
>  - sections of the kernel they can access (maybe this is
>    better represented as what tapsets may they use)
>  - how much overhead are they allowed to put on the system
>  - are they allowed to look at data for other user's processes
>  - are they allowed to reference line #'s or direct memory addrs

That sounds nice, but I'm worried about implementing such a feature 
correctly, on at least two levels.  First, you assume that systemtap can 
correctly characterize the effects a script will have on the system. 
Then you want to add an ACL system into systemtap based on those effects.

One advantage the proposed system has is that there *is* a human in the 
loop, a root user who will (hopefully) look at a script and check it out 
before "blessing" it.

-- 
David Smith
dsmith at redhat.com
Red Hat
http://www.redhat.com
256.217.0141 (direct)
256.837.0057 (fax)
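As an added illustration of the sudoers-style controls proposed above and of the objection in the reply (example code written for this page, not part of systemtap, staprun, or the original thread): a small Python checker that parses a hypothetical per-user policy file, scans a constructed stap script for the listed properties (guru-mode embedded C, probe families used as a stand-in for "tapsets", line-number and raw-address probe points, probe count as a rough overhead proxy), and reports which controls the script breaks for a given user. The policy format, column names and the regexes are assumptions; they are not anything systemtap actually reads.

```python
import re
from dataclasses import dataclass

# Constructed, hypothetical policy file in a sudoers-like layout. This format
# is an assumption for the example, not anything systemtap or staprun reads.
# columns: user  guru  tapsets(comma list or *)  lines  addr  maxprobes
POLICY_TEXT = """
# user  guru  tapsets       lines  addr  maxprobes
alice   no    syscall,vfs   no     no    50
bob     yes   *             yes    yes   1000
"""

# Constructed sample script that exercises each control the proposal lists.
SCRIPT = r'''
probe syscall.open, syscall.openat {
  printf("%s(%d) %s\n", execname(), pid(), filename)
}
probe kernel.statement("do_sys_open@fs/open.c:1040") { printf("line probe\n") }
probe kernel.statement(0xffffffff81234560).absolute { printf("raw address\n") }
probe process("/bin/bash").function("*") { }
function kmsg() %{ printk(KERN_INFO "embedded C needs guru mode\n"); %}
probe begin { kmsg() }
'''

@dataclass
class Policy:
    guru: bool
    tapsets: set
    lines: bool
    addr: bool
    maxprobes: int

def parse_policy(text):
    """Parse the hypothetical policy format into {user: Policy}."""
    rules = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        user, guru, tapsets, lines, addr, maxprobes = line.split()
        rules[user] = Policy(guru == "yes", set(tapsets.split(",")),
                             lines == "yes", addr == "yes", int(maxprobes))
    return rules

# One 'probe <points> {' header per line; multi-line probe specs are not
# handled, which is itself a reminder of how partial a static scan is.
PROBE_RE = re.compile(r"^\s*probe\s+([^{]+)\{", re.M)
BUILTIN = {"begin", "end", "error", "never", "timer"}  # not tapset families

def analyze(script):
    """Heuristically characterize a script against the proposed controls."""
    f = {"guru": "%{" in script,   # embedded C only compiles in guru mode (-g)
         "lines": False, "addr": False, "tapsets": set(),
         "probes": 0, "undecidable": []}
    for m in PROBE_RE.finditer(script):
        for point in m.group(1).split(","):
            point = point.strip()
            fam = re.match(r"[A-Za-z_]\w*", point)
            if not fam:
                continue
            f["probes"] += 1
            if fam.group(0) not in BUILTIN:
                f["tapsets"].add(fam.group(0))
            if re.search(r"@[\w./-]+:\d+", point):            # func@file:line
                f["lines"] = True
            if re.search(r"statement\s*\(\s*0x[0-9a-fA-F]+", point):  # raw addr
                f["addr"] = True
            if "*" in point:
                f["undecidable"].append(
                    f"{point}: wildcard, probe count and overhead are only "
                    "known once the probe points are resolved")
            if fam.group(0) == "process" and \
                    not re.search(r"process\s*\(\s*\d+\s*\)", point):
                f["undecidable"].append(
                    f"{point}: whose processes match is only known at run time")
    return f

def check(user, rules, findings):
    """Return the list of controls the script violates for this user."""
    p = rules[user]
    viol = []
    if findings["guru"] and not p.guru:
        viol.append("guru")
    if "*" not in p.tapsets:
        viol.extend(f"tapset:{t}" for t in sorted(findings["tapsets"] - p.tapsets))
    if findings["lines"] and not p.lines:
        viol.append("lines")
    if findings["addr"] and not p.addr:
        viol.append("addr")
    if findings["probes"] > p.maxprobes:
        viol.append("maxprobes")
    return viol

if __name__ == "__main__":
    rules = parse_policy(POLICY_TEXT)
    found = analyze(SCRIPT)
    for user in rules:
        print(user, "->", check(user, rules, found) or "allowed")
    for note in found["undecidable"]:
        print("needs a human or a run-time check:", note)
```

The "undecidable" list is the interesting output: wildcard probe points and process probes without a fixed pid cannot be judged for overhead or for which users' data they expose until the probes are resolved, which is exactly the characterization problem the reply raises. The checker also only sees one syntactic form of each property, so it is an aid to the human who blesses a script, not a replacement.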

More information about the security mailing list