
pySCG: Python Hardening Guide: we should mention and explain audit hooks, sys.audit and sys.addaudithook #632

Open
myteron opened this issue Sep 25, 2024 · 0 comments


myteron commented Sep 25, 2024

sys.audit allows creating events that can be used during audits, as demonstrated in example01.py.
subprocess.py's Popen class has a line that creates an audit event looking like this:
sys.audit("subprocess.Popen", executable, args, cwd, env)

This type of event is Python-internal and is not handled unless there is a listener/hook.
The example01.py creates the audit method that is attached/hooked into the Python audit system via sys.addaudithook(audit).
The audit method allows any sort of handling of an event, including suppressing functions.

example01.py:

"""
Playing around with audit hooks
https://www.youtube.com/watch?v=sIibadhDqaw
https://github.com/ossf/wg-best-practices-os-developers/issues
"""
import sys
from typing import Any
import subprocess


def audit(event: str, args: tuple[Any, ...]) -> None:
    """Audit hook: the runtime calls this for every audit event.

    event is the event name (e.g. "subprocess.Popen"); args is the
    event-specific tuple. Uncomment the check to print only subprocess events.
    """
    # if "subprocess" in event:
    print("audit::", event, args)


# Install the hook; it stays active for the rest of the process.
sys.addaudithook(audit)

# compile(None, '<stdin>')
# print('hi')
subprocess.Popen(('echo', 'hi'))  # raises the "subprocess.Popen" audit event
import email  # raises "import" audit events for email and its dependencies

In our rules about logging we recommend preventing sensitive information such as system internals from reaching end-users. We recommend splitting logging between internal and user-facing. The user-facing log has sensitive system-internal information removed. Audit logs should be mentioned as part of one of the log-related rules. We will need to investigate if the use of audit logs can be recommended to solve the issue around splitting back-end and front-end.

related guideline:
PEP 578 – Python Runtime Audit Hooks
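The following is an added example, not code from the issue or the pySCG project: an audit hook that records subprocess events into an internal audit trail (kept apart from anything user-facing) and, while enforcement is switched on, aborts `subprocess.Popen` for programs outside a constructed allowlist by raising from the hook. The allowlist, `AUDIT_TRAIL`, `_ENFORCE` and `run_with_policy` are all constructed for this demonstration; the `(executable, args, cwd, env)` event shape is the one from `subprocess.py` quoted above.

```python
import subprocess
import sys
from typing import Any

# Constructed policy: only these programs may start while enforcement is on.
ALLOWED_EXECUTABLES = frozenset({sys.executable, "echo", "/bin/echo"})
AUDIT_TRAIL: list[tuple[str, tuple[Any, ...]]] = []  # internal, not user-facing
_ENFORCE = False  # toggled by run_with_policy; the hook itself is permanent

def _program(executable: Any, popen_args: Any) -> str:
    """Program Popen is about to start: executable if set, else first of args."""
    if executable:
        return str(executable)
    parts = list(popen_args) if isinstance(popen_args, (list, tuple)) else str(popen_args).split()
    return str(parts[0]) if parts else ""

def audit(event: str, args: tuple[Any, ...]) -> None:
    """Runs for every audit event in the interpreter; keep it cheap and free of
    audited operations (an open() in here would re-enter this hook)."""
    if not event.startswith("subprocess."):
        return
    AUDIT_TRAIL.append((event, args))
    if event == "subprocess.Popen" and _ENFORCE:
        program = _program(args[0], args[1])  # args = (executable, args, cwd, env)
        if program not in ALLOWED_EXECUTABLES:
            # Raising from the hook aborts Popen before any process is created.
            raise PermissionError(f"subprocess blocked by policy: {program!r}")

sys.addaudithook(audit)  # cannot be removed for the life of the process

def run_with_policy(cmd: list[str]) -> tuple[bool, str]:
    """Run cmd with the allowlist enforced; returns (allowed, stdout or reason)."""
    global _ENFORCE
    _ENFORCE = True
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True, check=False)
        return True, proc.stdout.strip()
    except PermissionError as exc:
        return False, str(exc)
    finally:
        _ENFORCE = False

def demo() -> tuple[tuple[bool, str], tuple[bool, str]]:
    """One permitted launch and one denied launch, both recorded in AUDIT_TRAIL."""
    allowed = run_with_policy([sys.executable, "-c", "print('hi')"])
    denied = run_with_policy(["ls", "/"])
    return allowed, denied
```

Because the hook is process-wide and permanent, the example scopes enforcement to `run_with_policy` so unrelated code keeps working; a real hardening hook would enforce unconditionally and ship the trail to an internal log sink that does not itself raise audit events.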

@myteron myteron changed the title Python Hardening Guide: we should mention and explain audit hooks, sys.audit and sys.addaudithook pySCG: Python Hardening Guide: we should mention and explain audit hooks, sys.audit and sys.addaudithook Oct 23, 2024
@myteron myteron assigned myteron and unassigned myteron Oct 23, 2024