What is sysmask? -------------------------------------------------- Sysmask is a security solution designed for Linux systems. It can protect the system integrity against vulnerabilities in the great majority of codes, whether known or unknown, patched or non-patched, in user programs, libraries or the kernel. Sysmask can be configured to restrict the access of a process or a user to system resources: files, sockets, devices, system calls, disk space, memory usage. The restriction policy can be defined with great precision, sometimes contextual. Processes with tightly restricted access rights may continue to do their normal work as before, but if they are compromised, the malicious code that gets run will be unable to harm the system except for the job that is assigned to the compromised process. A fully deployed sysmask can protect the system against any vulnerability except those in a small portion of the kernel, which is historically very solid, plus those in the sysmask package itself. With respect to other security solutions, several novel features have been introduced in sysmask. 1. It offers protection against most kernel vulnerabilities that occur or will occur in practice, by allowing selective closure of unused system calls and activities for untrusted processes or users. 2. Using configuration definitions with a simple user-friendly syntax, interactive security reactions can be defined in various ways, leading to flexible and highly customizable security schemes without the need to recompile existing softwares nor even to modify their configurations. Custom interactive reactions greatly enhance the security level, as the system behavior becomes unpredictable to outside attackers with no knowledge of these reactions. 3. It can protect against both system level risks (unauthorized accesses etc.) and user level risks (viruses etc.), and includes efficient resource consumption limitations that overcome the shortcomings of traditional rlimit setups. 4. It supports runtime reconfiguration with a menu-based user interface that accepts feedback configuration. Sysmask introduces only minimal or negligeable performance overhead, except for a few programs under special conditions and requiring highly selective protection. The package of sysmask is also very simple and compact, with its critical parts independent of outside codes (libraries), minimizing the probability of bugs contained in the package itself. Sysmask allows you to radically reduce the need to update your system components for security reasons, because you can now live with vulnerabilities without being hurt. Traditional anti-virus scanners are no longer needed, let alone the need to update them, because sysmask can prevent any virus from being installed.