secimport is an eBPF-based security toolkit that enforces syscall restrictions per Python module, providing granular control over your application's security profile. Think of it as seccomp-bpf for Linux, but operating at the Python module level.
- Module-Level Security: Define and enforce syscall restrictions per Python module
- Automated Profiling: Traces your application to create tailored security profiles
- Multiple Enforcement Modes: Log, stop, or kill processes on policy violations
- Production Ready: Negligible performance impact thanks to eBPF
- Supply Chain Protection: Mitigate risks from vulnerable dependencies
git clone https://github.com/avilum/secimport.git
cd secimport/docker
./build.sh && ./run.sh
-
Install Python with USDT probes:
# Configure Python with --enable-dtrace # See detailed instructions in our wiki
-
Install a supported backend (eBPF or DTrace)
# Ubuntu/Debian apt-get install bpftrace # For other platforms, see our Installation wiki
-
Install secimport
pip install secimport
secimport interactive
# In the Python shell that opens:
>>> secimport trace # Start tracing
>>> import requests # Perform actions you want to profile
>>> # Press CTRL+D to stop tracing
>>> secimport build # Build sandbox from trace
>>> secimport run # Run with enforcement
secimport trace # Trace a new Python process
secimport trace_pid <PID> # Trace an existing process
secimport build # Build sandbox from trace
secimport run [options] # Run with enforcement
# Stop on violation
secimport run --stop_on_violation=true
# Kill on violation
secimport run --kill_on_violation=true
import secimport
# Replace standard import with secure import
requests = secimport.secure_import('requests', allowed_syscalls=['open', 'read', ...])
Beside the sandbox that secimport builds,
The secimport build
command creates an nsjail sandbox with seccomp profile for your traced code.
nsjail
enables namespace sandboxing with seccomp on linux
secimport
automatically generates seccomp profiles to use with nsjail
as executable bash script.
It can be used to limit the syscalls of the entire python process, as another layer of defence.
- https://www.oligo.security/
- Talk: secimport at BSides
- Blog Posts:
We welcome contributions! See our Contributing Guide for details.
This project is licensed under the MIT License - see the LICENSE file for details.