Filter based on program

Our getuserfromtcp() function also returns the PID
On Linux systems, /proc/<PID>/exe is a symlink to the executed binary
We can permit only authorized programs to make outbound connections

    my %approved = qw(
            561c1c9071e8c5723c641273e725c1e3  /usr/bin/telnet
            9dc35c04c16d3f2ce2a8537961980913  /usr/bin/nc
        );

    ...

    my ($user, $pid) = getuserfromtcp $ip, $tcp;

    open EXE, "/proc/$pid/exe";
    my $md5 = Digest::MD5->new->addfile(*EXE)->hexdigest;
    close EXE;

    if ($pid > 0 && ! $approved{$md5}) {
        $ipq->set_verdict($msg->packet_id, NF_DROP);
        syslog "warning",
            "Blocking outbound connection attempt by unauthorized program";
    } else {
        $ipq->set_verdict($msg->packet_id, NF_ACCEPT);
    }

Only works for binaries.
For scripts, the interpreter is checked, not the script.

Next	© 2003 Michael C. Toren