Systrace is a policy enforcement tool shipped with the OpenBSD operating system. It recognizes the importance of the system call interface for security and uses it as a proper policy enforcement point: every system call a confined process makes is checked against a policy before the kernel services it. Policy enforcement tools usually consist of three parts:
The first part is the place where an existing policy can be queried, e.g. to avoid sending requests that would be denied anyway, or to let a personalized GUI show only the menu entries a client is entitled to and hide or grey out the rest.
The second part is the place where authorization or auditing decisions are actually made, i.e. defined. This is usually a registry such as LDAP or a file-based repository. The decisions are typically made well ahead of the actual requests for services and are more of a bookkeeping task.
The third part is the place where the current policy is checked, e.g. whether a client has the proper rights to access a service. Tied to this notion of a checkpoint is the concept of a choke point or bottleneck through which every request must pass; if requests can bypass the checkpoint, the whole enforcement point is useless. A network firewall is a typical policy enforcement point, as is the entry of a system call into the operating system kernel.
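To make the three parts concrete, here is an added toy model, written for this page and not systrace's own code, of a systrace-style system call policy: a policy store that is filled ahead of time (the second part), a query interface that reports in advance what the policy permits (the first part), and an enforcement point through which every system call passes and which denies anything the policy does not cover (the third part). The rule lines are modelled on systrace's text policy format (`native-fsread: filename match "/usr/lib/*" then permit`); the parser, the first-match evaluation order, the default EPERM on deny and the sample policy for /bin/ls are this example's own assumptions.

```python
"""Toy model of the three parts of a policy enforcement tool, using a
systrace-style syscall policy.  Added illustration, not systrace's code:
the rule syntax is modelled on systrace's policy files, but the parser,
the first-match evaluation and the default errno are assumptions."""

import fnmatch
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample policy for a hypothetical /bin/ls (not a real systrace policy).
SAMPLE_POLICY = """\
Policy: /bin/ls, Emulation: native
    native-fsread: filename eq "/etc/malloc.conf" then permit
    native-fsread: filename match "/usr/lib/*" then permit
    native-fsread: filename match "/home/*" then deny[eperm]
    native-fswrite: filename eq "/dev/tty" then permit
    native-munmap: permit
    native-exit: permit
"""

# <syscall>: [<field> eq|match "<arg>" then] permit|deny[<errno>]
RULE_RE = re.compile(
    r'^(?P<call>[\w-]+):\s*'
    r'(?:(?P<field>\w+)\s+(?P<op>eq|match)\s+"(?P<arg>[^"]*)"\s+then\s+)?'
    r'(?P<action>permit|deny)(?:\[(?P<errno>\w+)\])?$'
)


@dataclass
class Rule:
    syscall: str
    field: Optional[str]   # e.g. "filename"; None for unconditional rules
    op: Optional[str]      # "eq" (exact) or "match" (glob)
    arg: Optional[str]
    action: str            # "permit" or "deny"
    errno: str             # errno name returned to the process on deny

    def matches(self, syscall: str, **args: str) -> bool:
        if syscall != self.syscall:
            return False
        if self.field is None:          # unconditional rule
            return True
        value = args.get(self.field)
        if value is None:               # argument not supplied: no match
            return False
        if self.op == "eq":
            return value == self.arg
        return fnmatch.fnmatchcase(value, self.arg)


class PolicyStore:
    """Part 2: where decisions are defined ahead of time (the repository)."""

    def __init__(self, text: str) -> None:
        self.binary: Optional[str] = None
        self.rules: List[Rule] = []
        for line in text.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            if line.startswith("Policy:"):
                # "Policy: /bin/ls, Emulation: native" -> "/bin/ls"
                self.binary = line.split(",")[0].split(":", 1)[1].strip()
                continue
            m = RULE_RE.match(line)
            if not m:
                raise ValueError(f"bad rule: {line!r}")
            self.rules.append(Rule(m["call"], m["field"], m["op"], m["arg"],
                                   m["action"], m["errno"] or "eperm"))  # default errno assumed

    def allowed_syscalls(self) -> List[str]:
        """Part 1: query the policy in advance, e.g. to grey out actions
        that could never succeed without issuing them."""
        return sorted({r.syscall for r in self.rules if r.action == "permit"})


class EnforcementPoint:
    """Part 3: the choke point every syscall passes through.  First matching
    rule wins; anything unmatched is denied, so an omission in the policy
    fails closed instead of becoming a bypass."""

    def __init__(self, store: PolicyStore) -> None:
        self.store = store
        self.audit: List[Tuple[str, dict, Tuple[str, Optional[str]]]] = []

    def check(self, syscall: str, **args: str) -> Tuple[str, Optional[str]]:
        for rule in self.store.rules:
            if rule.matches(syscall, **args):
                verdict = (rule.action, None if rule.action == "permit" else rule.errno)
                break
        else:
            verdict = ("deny", "eperm")     # default deny for unlisted calls
        self.audit.append((syscall, dict(args), verdict))
        return verdict


if __name__ == "__main__":
    store = PolicyStore(SAMPLE_POLICY)
    pep = EnforcementPoint(store)
    print("permitted syscalls:", store.allowed_syscalls())
    print(pep.check("native-fsread", filename="/usr/lib/libc.so"))
    print(pep.check("native-fsread", filename="/home/alice/.ssh/id_rsa"))
    print(pep.check("native-connect", sockaddr="inet-192.0.2.1:80"))
```

The point to notice is the `else` branch of `check`: a system call the policy never mentions is refused rather than waved through, which is what makes the system call entry a real choke point instead of an advisory one.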