Task 2: Create a first Policy
To protect the code, data, and secrets of an application, we need to run the application under control of a security policy. We learn in this task how to generate a simple security policy (aka session) for the simple program that we compiled in task 1.
Task 2-a: Attest CAS
To be able to create a security policy, we first need to attest and verify the CAS instance. Perform the following steps:
- attest and verify the public CAS scone-cas.cf using the SCONE CLI
- tolerate all vulnerabilities that might affect
scone-cas.cf to be your default CAS, and
- list all CAS instances that you have attested so far using scone session list
Please perform these steps on your development container that you set up in task 1.
Task 2-b: Create a Security Policy
Create a session for program scone-print-arg-env from task 1. Perform the following steps:
check the flags for generating a session, i.e., a SCONE CAS policy
scone session create --help
create a random session name - to avoid conflicts with other users of this CAS:
Inspect the provided session in file
scone session create session.yaml fails with error message
variable $SESSION is not defined
fix this error using flag
verify that creating the session a second time will fail
Task 2-c: Policy History
Each policy has a unique session hash, similar to a git commit hash. Each policy has a unique history defined by the predecessor field.
- create a simple policy (version 1)
- update this policy setting the predecessor to the session hash of version 1
- create version 3 of the policy, i.e., update version 2 and set the predecessor to the session hash of version 2.
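The predecessor chain from Task 2-c, together with the failing second create from Task 2-b, can be modelled in a few lines. This is an added Python illustration, not SCONE or CAS code: the `PolicyStore` class, the session name, and the SHA-256-over-JSON session hash are assumptions made for the example.

```python
import hashlib
import json


class PolicyStore:
    """Toy model of a policy store enforcing a predecessor chain (not SCONE CAS code)."""

    def __init__(self):
        self._current = {}  # session name -> hash of the latest accepted version

    @staticmethod
    def session_hash(policy):
        # Assumption: the hash covers the whole policy, predecessor field included,
        # so every version's hash commits to the full history before it.
        canonical = json.dumps(policy, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canonical.encode()).hexdigest()

    def create(self, policy):
        # A name can be created only once; later changes must go through update().
        if policy["name"] in self._current:
            raise ValueError(f"session {policy['name']!r} already exists")
        return self._store(policy)

    def update(self, policy):
        current = self._current.get(policy["name"])
        if current is None:
            raise ValueError(f"session {policy['name']!r} does not exist")
        # The update must name the hash of the version it replaces. A stale or
        # guessed predecessor is rejected, so history cannot fork or be rewritten.
        if policy.get("predecessor") != current:
            raise ValueError("predecessor does not match the current session hash")
        return self._store(policy)

    def _store(self, policy):
        digest = self.session_hash(policy)
        self._current[policy["name"]] = digest
        return digest


def demo():
    """Create version 1, then chain versions 2 and 3 (constructed sample policy)."""
    store = PolicyStore()
    base = {"name": "demo-session-1234", "env": {"GREETING": "v1"}}
    h1 = store.create(base)
    h2 = store.update({**base, "env": {"GREETING": "v2"}, "predecessor": h1})
    h3 = store.update({**base, "env": {"GREETING": "v3"}, "predecessor": h2})
    return h1, h2, h3
```

An update that still names the hash of version 1 after version 2 was accepted raises `ValueError`, which is the behaviour to look for when repeating the three-version exercise against a real CAS.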
Task 2-d: Run application under policy control
scone-print-arg-env under control of a policy.
The SCONE runtime (part of the application) needs to know with which policy it should.
- Set the environment variable SCONE_CONFIG_ID. It defines which policy to use. Note that an adversary could change this policy - but only the correct policy grants access to the right secrets.
- Run the program and show that it prints the environment variables and arguments from the policy.
- Try to set arguments and environment variables before executing scone-print-arg-env. Show that setting the arguments and environment variables has no impact on the application, i.e., they are all ignored.