Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fine grained control at package level #28

Open
S30tt opened this issue Feb 2, 2023 · 5 comments
Open

Fine grained control at package level #28

S30tt opened this issue Feb 2, 2023 · 5 comments

Comments

@S30tt
Copy link

S30tt commented Feb 2, 2023

Describe the solution you'd like
I would like the ability to control/tune the audit alerts at a package level.

Additional context
By placing a packj.yaml file at project level, I would like the ability to have a global set of audit alert config and then be able to override this for a particular package. This means we still get full audit alerting but can silence or tune the values for a package we have reviewed and trust. I guess this would need to be for a version or hash incase and updated version becomes malicious.
@ashishbijlani
Copy link
Collaborator

This is a good feature to support. Would love to get your code contributions to enable this.

@avideci
Copy link

avideci commented Jul 19, 2023

Hey, I developed a toolkit just for that that utilizes eBPF and is tested on various use cases, Including runtime RCE.
https://github.com/avilum/secimport

It is actually MITM between the interpreter and the kernel, and it is able to log and stop/kill the process in case of violation.
The policy is defined in module level, and can be traced: https://github.com/avilum/secimport#the-solution

@avideci
Copy link

avideci commented Jul 19, 2023 

modules:
  requests:
    destructive: true     # when true, secimport will kill on vilation instead of logging.
    syscall_allowlist:
      - fchmod
      - getentropy
      - getpgrp
      - getrlimit
...

that translates to:

...
    "/workspace/Python-3.10.0/Lib/logging/__init__.py": [
        " clock_gettime",
        " getpid",
        " write"
    ],
    "/workspace/Python-3.10.0/Lib/multiprocessing/process.py": [
        " getcwd",
        " getpid",
        " getrandom"
    ],
    "/workspace/Python-3.10.0/Lib/multiprocessing/util.py": [
        " prlimit64"
    ],
    "/workspace/Python-3.10.0/Lib/os.py": [
        " read"
    ],
    "/workspace/Python-3.10.0/Lib/platform.py": [
        " uname"
    ],
    "/workspace/Python-3.10.0/Lib/posixpath.py": [
        " close",
        " fstat",
        " getcwd",
        " getdents64",
        " openat"
    ],
    "/workspace/Python-3.10.0/Lib/random.py": [
        " getrandom"
    ],
...

And compiled into an eBPF program using bpftrace.

Everything can be done using secimport's CLI

@ashishbijlani
Copy link
Collaborator

Very cool! How does one generate an accurate allow-list?

@KyeRussell
Copy link
Contributor

FWIW this in my eyes seems integral when actually applying this package to a codebase.

In reality, I may determine that it is OK for a particular dependency to e.g. make network calls, given the problem that it sets out to solve. Or I may determine that a particular dependency's "old/abandoned" status is OK, but may still care about it otherwise.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@KyeRussell @ashishbijlani @avideci @S30tt