Fine grained control at package level

[S30tt]

Describe the solution you'd like
I would like the ability to control/tune the audit alerts at a package level.

Additional context
By placing a packj.yaml file at project level, I would like the ability to have a global set of audit alert config and then be able to override this for a particular package. This means we still get full audit alerting but can silence or tune the values for a package we have reviewed and trust. I guess this would need to be for a version or hash incase and updated version becomes malicious.

[ashishbijlani]

This is a good feature to support. Would love to get your code contributions to enable this.

[avideci]

Hey, I developed a toolkit just for that that utilizes eBPF and is tested on various use cases, Including runtime RCE.
https://github.com/avilum/secimport

It is actually MITM between the interpreter and the kernel, and it is able to log and stop/kill the process in case of violation.
The policy is defined in module level, and can be traced: https://github.com/avilum/secimport#the-solution

[avideci]

modules:
  requests:
    destructive: true     # when true, secimport will kill on vilation instead of logging.
    syscall_allowlist:
      - fchmod
      - getentropy
      - getpgrp
      - getrlimit
...

that translates to:

...
    "/workspace/Python-3.10.0/Lib/logging/__init__.py": [
        " clock_gettime",
        " getpid",
        " write"
    ],
    "/workspace/Python-3.10.0/Lib/multiprocessing/process.py": [
        " getcwd",
        " getpid",
        " getrandom"
    ],
    "/workspace/Python-3.10.0/Lib/multiprocessing/util.py": [
        " prlimit64"
    ],
    "/workspace/Python-3.10.0/Lib/os.py": [
        " read"
    ],
    "/workspace/Python-3.10.0/Lib/platform.py": [
        " uname"
    ],
    "/workspace/Python-3.10.0/Lib/posixpath.py": [
        " close",
        " fstat",
        " getcwd",
        " getdents64",
        " openat"
    ],
    "/workspace/Python-3.10.0/Lib/random.py": [
        " getrandom"
    ],
...

And compiled into an eBPF program using bpftrace.

Everything can be done using secimport's CLI

[ashishbijlani]

Very cool! How does one generate an accurate allow-list?

[KyeRussell]

FWIW this in my eyes seems integral when actually applying this package to a codebase.

In reality, I may determine that it is OK for a particular dependency to e.g. make network calls, given the problem that it sets out to solve. Or I may determine that a particular dependency's "old/abandoned" status is OK, but may still care about it otherwise.