
Fine grained control at package level

Open S30tt opened this issue 2 years ago • 5 comments

Describe the solution you'd like

I would like the ability to control/tune the audit alerts at a package level.

Additional context

By placing a packj.yaml file at project level, I would like the ability to have a global set of audit alert config and then be able to override this for a particular package. This means we still get full audit alerting but can silence or tune the values for a package we have reviewed and trust. I guess this would need to be for a version or hash in case an updated version becomes malicious.

S30tt avatar Feb 02 '23 11:02 S30tt

This is a good feature to support. Would love to get your code contributions to enable this.

ashishbijlani avatar Feb 02 '23 17:02 ashishbijlani

Hey, I developed a toolkit just for that that utilizes eBPF and is tested on various use cases, including runtime RCE. https://github.com/avilum/secimport

It is actually MITM between the interpreter and the kernel, and it is able to log and stop/kill the process in case of violation. The policy is defined at module level, and can be traced: https://github.com/avilum/secimport#the-solution

avideci avatar Jul 19 '23 10:07 avideci

modules:
  requests:
    destructive: true     # when true, secimport will kill on violation instead of logging.
    syscall_allowlist:
      - fchmod
      - getentropy
      - getpgrp
      - getrlimit
...

that translates to:

...
    "/workspace/Python-3.10.0/Lib/logging/__init__.py": [
        " clock_gettime",
        " getpid",
        " write"
    ],
    "/workspace/Python-3.10.0/Lib/multiprocessing/process.py": [
        " getcwd",
        " getpid",
        " getrandom"
    ],
    "/workspace/Python-3.10.0/Lib/multiprocessing/util.py": [
        " prlimit64"
    ],
    "/workspace/Python-3.10.0/Lib/os.py": [
        " read"
    ],
    "/workspace/Python-3.10.0/Lib/platform.py": [
        " uname"
    ],
    "/workspace/Python-3.10.0/Lib/posixpath.py": [
        " close",
        " fstat",
        " getcwd",
        " getdents64",
        " openat"
    ],
    "/workspace/Python-3.10.0/Lib/random.py": [
        " getrandom"
    ],
...

And compiled into an eBPF program using bpftrace.

Everything can be done using secimport's CLI.

avideci avatar Jul 19 '23 10:07 avideci

Very cool! How does one generate an accurate allow-list?

ashishbijlani avatar Jul 19 '23 14:07 ashishbijlani

FWIW this in my eyes seems integral when actually applying this package to a codebase.

In reality, I may determine that it is OK for a particular dependency to e.g. make network calls, given the problem that it sets out to solve. Or I may determine that a particular dependency's "old/abandoned" status is OK, but may still care about it otherwise.

KyeRussell avatar Mar 29 '24 06:03 KyeRussell
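
The override behaviour requested in the opening post and echoed in the last comment, sketched as an added example that is not part of the thread and not packj's code. The policy layout, alert names, the `effective_alerts` helper and the pinned version are hypothetical; the sketch assumes an override must match both the reviewed version and the SHA-256 of the reviewed archive, and otherwise falls back to full global alerting.

```python
import hashlib
import hmac

# Hypothetical layout: NOT packj's real packj.yaml schema.
GLOBAL_ALERTS = {"network_access": True, "old_or_abandoned": True, "install_hooks": True}

# Constructed bytes standing in for the release archive that was reviewed.
REVIEWED_ARTIFACT = b"constructed sample archive for requests 2.31.0"

OVERRIDES = {
    "requests": {
        "version": "2.31.0",  # constructed sample pin
        "sha256": hashlib.sha256(REVIEWED_ARTIFACT).hexdigest(),
        "alerts": {"network_access": False},  # reviewed: an HTTP client uses the network
    }
}


def effective_alerts(name, version, artifact, overrides=OVERRIDES):
    """Return (alerts, reason). Anything but an exact pin match keeps the global set."""
    alerts = dict(GLOBAL_ALERTS)
    entry = overrides.get(name)
    if entry is None:
        return alerts, "no override"
    if "sha256" not in entry:
        # This sketch requires the content hash, the stricter of the two pins in the issue.
        return alerts, "override ignored: no hash pin"
    if entry.get("version") != version:
        return alerts, "override ignored: version mismatch"
    digest = hashlib.sha256(artifact).hexdigest()
    if not hmac.compare_digest(digest, entry["sha256"]):
        return alerts, "override ignored: hash mismatch"
    unknown = set(entry["alerts"]) - set(GLOBAL_ALERTS)
    if unknown:
        raise ValueError(f"override for {name} names unknown alerts: {sorted(unknown)}")
    alerts.update(entry["alerts"])
    return alerts, "override applied"


if __name__ == "__main__":
    cases = [
        ("requests", "2.31.0", REVIEWED_ARTIFACT),
        ("requests", "2.32.0", REVIEWED_ARTIFACT),
        ("requests", "2.31.0", b"constructed tampered archive"),
        ("left-pad", "1.0.0", b"constructed"),
    ]
    for name, version, blob in cases:
        alerts, reason = effective_alerts(name, version, blob)
        print(f"{name}=={version}: {reason}; silenced={[k for k, v in alerts.items() if not v]}")
```

Logging the returned reason alongside each audit run makes it visible when a trusted package has moved off its reviewed pin and is being alerted on in full again.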