secimport is an eBPF-based security toolkit that enforces syscall restrictions per Python module, providing granular control over your application's security profile. Think of it as seccomp-bpf for Linux, but operating at the Python module level.
- Module-Level Security: Define and enforce syscall restrictions per Python module
- Automated Profiling: Traces your application to create tailored security profiles
- Multiple Enforcement Modes: Log, stop, or kill processes on policy violations
- Production Ready: Negligible performance impact thanks to eBPF
- Supply Chain Protection: Mitigate risks from vulnerable dependencies
git clone https://github.com/avilum/secimport.git
cd secimport/docker
./build.sh && ./run.shCommand line:
secimport --help
Usage: python -m secimport.cli [OPTIONS] COMMAND [ARGS]...
secimport is a comprehensive toolkit designed to enable the tracing, construction, and execution of secure Python runtimes. It leverages USDT probes and eBPF/DTrace technologies to enhance overall security measures.
WORKFLOW: 1. secimport trace / secimport shell 2. secimport build 3. secimport run
QUICKSTART: $ secimport interactive
For more details, please see https://github.com/avilum/secimport/wiki/Command-Line-Usage
╭─ Options ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ --install-completion Install completion for the current shell. │
│ --show-completion Show completion for the current shell, to copy it or customize the installation. │
│ --help Show this message and exit. │
╰────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯
╭─ Commands ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ trace Trace a Python process using an entrypoint or interactive shell. │
│ shell Alias for 'trace'. │
│ trace-pid Trace a running process by PID. │
│ build Build a sandbox profile from a trace log. │
│ run Run a Python process inside the sandbox. │
│ interactive Run secimport in interactive mode. │
╰────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯
secimport interactive
# In the Python shell that opens:
>>> secimport trace # Start tracing
>>> import requests # Perform actions you want to profile
>>> # Press CTRL+D to stop tracing
>>> secimport build # Build sandbox from trace
>>> secimport run # Run with enforcementsecimport trace # Trace a new Python process
secimport trace_pid <PID> # Trace an existing process
secimport build # Build sandbox from trace
secimport run [options] # Run with enforcement# Stop on violation
secimport run --stop_on_violation=true
# Kill on violation
secimport run --kill_on_violation=trueimport secimport
# Replace standard import with secure import
requests = secimport.secure_import('requests', allowed_syscalls=['open', 'read', ...])-
Install Python with USDT probes:
# Configure Python with --enable-dtrace # See detailed instructions in our wiki
-
Install a supported backend (eBPF or DTrace)
# Ubuntu/Debian apt-get install bpftrace # For other platforms, see our Installation wiki
-
Install secimport
pip install secimport
Beside the sandbox that secimport builds,
The secimport build command creates an nsjail sandbox with seccomp profile for your traced code.
nsjail enables namespace sandboxing with seccomp on linux
secimport automatically generates seccomp profiles to use with nsjail as executable bash script.
It can be used to limit the syscalls of the entire python process, as another layer of defence.
- https://www.oligo.security/
- Talk: secimport at BSides
- Blog Posts:
We welcome contributions! See our Contributing Guide for details.
This project is licensed under the MIT License - see the LICENSE file for details.