Auditing

[gneray]

This is an external tracking issue to:

1. Gauge interest from the community for this feature
2. Learn about what you'd want to see out of it if we worked on it.

So please:

1. Upvote the issue if it's important to you, and
2. Comment with any relevant info on your requirements use cases, etc.

Thanks!

PS We do all our internal engineering issue tracking separately in Notion, so you won't necessarily see regular updates to the project status here even once we begin work.

[JonasCir]

I just stumbled across this ticket and wanted to add my two cents:

I couple of years ago, I wrote an audit/analysis tool (also in Rust) for SELinux policies as part of my bachelor thesis. The tool used the following graph representation:

• actors and resources were separately typed/labeled nodes
• directed edges were introduced for each way an actor could get access to a resource (i.e., there could be multiple access vectors from one actor to a resource)
• each edge was tagged with an access operation (e.g., read, write, execute) and a label which stated the specific "reason" for the access vector being present (i.e., directly allowed by rule X, allowed by role Y etc.)

With this you can easily query and visualize the access control space (i.e., all the resources an actor has access to) among other things.

A super nice feature that I built allowed to check for confidentiality, integrity, and isolation violating information flows in the policy by:

• assigning security domains to actors and resources
• and then scan for violating edges:
  • integrity: there must not exist any "read" operation from untrusted to trusted domains such that the trusted domain can be compromised
  • confidentiality: there must not exist any "write" operation from trusted to untrusted domains such that sensitive information can be leaked
  • isolation: domains are completely distinct

I'm aware that this is a rather hardcore approach to policy auditing and I don't know if this fits in the scope of what you had in mind when you first opened this ticket. But having an audit framework where people can plugin their own, potentially sophisticated scanners (i.e., to proof isolation of two domains if need be) would definitely be a killer feature and great selling point for Oso in my opinion.

I always wanted to write a small prototype for Oso based on my previous work but never found the time. In principle, however, I'm super interested in contributing to such an auditing tool as I see great potential here.

P.S.: I wanted to call my prototype dosometer in homage to dosimeters which measure your uptake in radiation. dosometer would then measure your uptake in dangerous policy rules. Maybe you like the name and consider it, dunno :smile:

[gneray]

Great to get some feedback here. And super well thought out. We will circle back as/when we get to this. Thanks!