Census · declarative access management

Fleet access — declarative, as code

Census brings devices in line with one signed declaration: role accounts, groups, sudoers, systemd limits. It shows the diff before applying, finds and fixes drift, and never removes the last access path to a device.

Declaration: what a device should have is written in signed files, not accumulated by hand
Idempotent: re-running changes nothing that is already correct; foreign accounts and groups are untouched
Open source: a Rust core under an open license, reviewable by your security team
Linux and Astra Linux
Off the login path: login does not depend on Census

01 · How it works

Declaration → plan → apply → control

The same cycle as infrastructure-as-code, applied to access: first you see what will change, then the change is applied atomically.

01

Declaration

Roles, accounts, groups, sudoers and limits — signed TOML files on disk. A source of truth, not a history of manual edits.

/etc/census/*.toml

02

Plan

A full diff against the device's current state — before any change. Applies nothing.

census plan

03

Apply

Idempotent and atomic. Census marks what it owns and will not remove the last access path, so it cannot lock itself out of a device.

census apply

04

Control

Drift from the declaration is visible per device and is brought back to the declaration instead of accumulating for years.

census status

Deliver the declaration over any channel: Tessera Control, Ansible, a golden image or a courier. Census just reads files from disk — the device needs no network, let alone the internet.
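The plan → apply → re-plan cycle above, written out as an added example in Rust. This is not Census code: the declaration is an in-memory struct rather than the signed TOML Census reads, and the ownership marker (a "managed-by=census" tag in the GECOS field) is an assumption made for the example. It shows the three properties the page claims: the plan is a pure diff, re-running after apply yields an empty plan while foreign accounts stay untouched, and a plan that would leave the admin group empty is rejected as a whole. The /etc/passwd and /etc/group lines are constructed.

```rust
// Added example, not Census code: a plan/apply cycle for local accounts and groups
// with an ownership marker and a lockout guard. The declaration shape and the GECOS
// tag "managed-by=census" are assumptions; Census itself reads signed TOML files.
use std::collections::{BTreeMap, BTreeSet};

pub const OWNER_TAG: &str = "managed-by=census";

/// Desired state: groups that must exist, and the groups each role account is in.
#[derive(Debug, Clone, Default)]
pub struct Declaration {
    pub groups: BTreeSet<String>,
    pub accounts: BTreeMap<String, BTreeSet<String>>,
}

/// Observed state, parsed from /etc/passwd and /etc/group text.
#[derive(Debug, Clone, PartialEq, Eq, Default)]
pub struct State {
    pub accounts: BTreeSet<String>,
    pub owned: BTreeSet<String>,                     // accounts carrying OWNER_TAG
    pub members: BTreeMap<String, BTreeSet<String>>, // group -> members
}

impl State {
    pub fn parse(passwd: &str, group: &str) -> State {
        let mut st = State::default();
        for f in passwd.lines().map(|l| l.split(':').collect::<Vec<_>>()).filter(|f| f.len() >= 5) {
            st.accounts.insert(f[0].to_string());
            if f[4].contains(OWNER_TAG) { st.owned.insert(f[0].to_string()); }
        }
        for f in group.lines().map(|l| l.split(':').collect::<Vec<_>>()).filter(|f| f.len() >= 4) {
            let m = f[3].split(',').filter(|s| !s.is_empty()).map(String::from).collect();
            st.members.insert(f[0].to_string(), m);
        }
        st
    }
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub enum Action {
    AddGroup(String),
    AddAccount(String),
    AddMember { group: String, user: String },
    RemoveMember { group: String, user: String },
    RemoveAccount(String),
}

/// `census plan`: diff the declaration against device state; changes nothing.
pub fn plan(decl: &Declaration, st: &State) -> Vec<Action> {
    let mut out = Vec::new();
    for g in decl.groups.iter().filter(|g| !st.members.contains_key(*g)) {
        out.push(Action::AddGroup(g.clone()));
    }
    for (user, want) in &decl.accounts {
        if !st.accounts.contains(user) { out.push(Action::AddAccount(user.clone())); }
        for g in want.iter().filter(|g| !st.members.get(*g).map_or(false, |m| m.contains(user))) {
            out.push(Action::AddMember { group: g.clone(), user: user.clone() });
        }
    }
    // Only Census-owned accounts are removed or trimmed; foreign accounts (root, a
    // user created by hand) and their memberships stay exactly as they are.
    for user in &st.owned {
        match decl.accounts.get(user) {
            None => out.push(Action::RemoveAccount(user.clone())),
            Some(want) => for (g, m) in &st.members {
                if m.contains(user) && decl.groups.contains(g) && !want.contains(g) {
                    out.push(Action::RemoveMember { group: g.clone(), user: user.clone() });
                }
            },
        }
    }
    out
}

/// `census apply`: simulate on a copy and commit all or nothing; the lockout guard
/// rejects any plan that would leave `admin_group` without members.
pub fn apply(st: &State, actions: &[Action], admin_group: &str) -> Result<State, String> {
    let mut next = st.clone();
    for a in actions {
        match a {
            Action::AddGroup(g) => { next.members.entry(g.clone()).or_default(); }
            Action::AddAccount(u) => { next.accounts.insert(u.clone()); next.owned.insert(u.clone()); }
            Action::AddMember { group, user } => { next.members.entry(group.clone()).or_default().insert(user.clone()); }
            Action::RemoveMember { group, user } => { if let Some(m) = next.members.get_mut(group) { m.remove(user); } }
            Action::RemoveAccount(u) => {
                next.accounts.remove(u); next.owned.remove(u);
                next.members.values_mut().for_each(|m| { m.remove(u); });
            }
        }
    }
    if next.members.get(admin_group).map_or(true, |m| m.is_empty()) {
        return Err(format!("refusing plan: '{}' would be left empty (lockout guard)", admin_group));
    }
    Ok(next)
}

/// Constructed sample: a stale Census-owned account (maint) and a hand-made admin (alice).
pub fn sample() -> (Declaration, State) {
    let passwd = "root:x:0:0:root:/root:/bin/bash\nalice:x:1000:1000:local admin:/home/alice:/bin/bash\n\
        operator:x:2001:2001:operator role,managed-by=census:/var/lib/operator:/bin/bash\n\
        maint:x:2002:2002:maintenance role,managed-by=census:/var/lib/maint:/bin/bash\n";
    let group = "root:x:0:\nsudo:x:27:alice\noperator:x:2001:operator\n";
    let set = |v: &[&str]| v.iter().map(|s| s.to_string()).collect::<BTreeSet<_>>();
    let mut decl = Declaration { groups: set(&["sudo", "operator", "admin"]), ..Default::default() };
    decl.accounts.insert("operator".into(), set(&["operator"]));
    decl.accounts.insert("admin".into(), set(&["sudo", "admin"]));
    (decl, State::parse(passwd, group))
}
```

Running plan() on the sample yields five actions (create the admin group and account, two memberships, and removal of the stale maint account); alice, a locally created account, is left alone even though she sits in sudo. Applying and planning again yields nothing. A second declaration that takes the only sudo member out of sudo is refused by apply() as a whole, which is the lockout guard the page describes.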

02 · Effective-permission audit

Who really has access — visible before the regulator asks

A built-in audit of effective filesystem permissions. Read-only: changes nothing, works offline.

Filesystem permission snapshot

Effective permissions per path: owners, groups, ACLs, SUID bits. Not "as documented" — as it actually is on the device right now.

census audit fs

Who can reach an object

For a critical file or directory — the full list of subjects who can actually read or write it. Follows the chains: group membership, ACLs, parent-directory permissions.

census audit expose

Mandatory labels included

Reachability is computed with mandatory access restrictions, not just classic permissions. On Astra Linux both coordinates are taken into account: integrity (MIC) and confidentiality.

Astra (PARSEC) and SELinux
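An added example (not Census code) of the reachability computation behind `census audit expose`, covering the two items above: it walks the parent directories, evaluates mode bits and POSIX ACLs in the kernel's order, lets root bypass classic permissions but not labels, and then applies a label check on top. The filesystem, subjects and labels are constructed for the example. The label model (hierarchical confidentiality and integrity levels only; read needs confidentiality dominance, write additionally needs integrity dominance) is a deliberate simplification, not a transcription of PARSEC's or SELinux's actual policy.

```rust
// Added example, not Census code: "who can reach this object" over a constructed
// filesystem model. DAC follows POSIX ACL evaluation order, every ancestor needs
// search (x) permission, root bypasses DAC but not labels, and the mandatory checks
// are a simplified level model, not PARSEC's or SELinux's real rules.
pub const R: u32 = 4;
pub const W: u32 = 2;
pub const X: u32 = 1;

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Access { Read, Write }

#[derive(Clone, Debug)]
pub enum AclEntry { User(&'static str, u32), Group(&'static str, u32) }

#[derive(Clone, Debug)]
pub struct Object {
    pub path: &'static str,
    pub owner: &'static str,
    pub group: &'static str,
    pub mode: u32,          // e.g. 0o750
    pub acl: Vec<AclEntry>, // named user/group entries
    pub mask: u32,          // ACL mask (0o7 when no ACL is set)
    pub conf: u8,           // confidentiality level
    pub integ: u8,          // integrity level (MIC)
}

#[derive(Clone, Debug)]
pub struct Subject { pub name: &'static str, pub groups: Vec<&'static str>, pub conf: u8, pub integ: u8 }

/// Classic permission check in POSIX ACL order: owner, named user, owning group
/// plus named groups (any grant within the group class decides), then other.
pub fn dac(o: &Object, s: &Subject, bit: u32) -> bool {
    if s.name == "root" { return true; } // CAP_DAC_OVERRIDE
    if s.name == o.owner { return ((o.mode >> 6) & bit) != 0; }
    for e in &o.acl {
        if let AclEntry::User(n, b) = e { if *n == s.name { return (b & o.mask & bit) != 0; } }
    }
    let (mut in_class, mut granted) = (false, false);
    if s.groups.contains(&o.group) {
        in_class = true;
        granted |= ((o.mode >> 3) & o.mask & bit) != 0;
    }
    for e in &o.acl {
        if let AclEntry::Group(n, b) = e { if s.groups.contains(n) { in_class = true; granted |= (b & o.mask & bit) != 0; } }
    }
    if in_class { granted } else { (o.mode & bit) != 0 }
}

/// Simplified labels: read needs confidentiality dominance; write additionally
/// needs integrity dominance (no write-up). Not the real PARSEC/SELinux policy.
pub fn mac(o: &Object, s: &Subject, access: Access) -> bool {
    match access {
        Access::Read => s.conf >= o.conf,
        Access::Write => s.conf >= o.conf && s.integ >= o.integ,
    }
}

/// Every directory on the way to `path`, excluding `path` itself.
pub fn ancestors(path: &str) -> Vec<String> {
    let parts: Vec<&str> = path.split('/').filter(|p| !p.is_empty()).collect();
    let mut out = vec!["/".to_string()];
    let mut cur = String::new();
    for p in &parts[..parts.len().saturating_sub(1)] {
        cur.push('/'); cur.push_str(p);
        out.push(cur.clone());
    }
    out
}

fn lookup<'a>(fs: &'a [Object], path: &str) -> Option<&'a Object> { fs.iter().find(|o| o.path == path) }

/// Subjects that can actually perform `access` on `path`: search permission and
/// label dominance on every ancestor, then DAC and labels on the object itself.
pub fn who_can(fs: &[Object], subjects: &[Subject], path: &str, access: Access) -> Vec<&'static str> {
    let target = match lookup(fs, path) { Some(t) => t, None => return Vec::new() };
    let bit = if access == Access::Read { R } else { W };
    let dirs = ancestors(path);
    subjects.iter()
        .filter(|s| dirs.iter().all(|d| lookup(fs, d).map_or(false, |o| dac(o, s, X) && s.conf >= o.conf)))
        .filter(|s| dac(target, s, bit) && mac(target, s, access))
        .map(|s| s.name)
        .collect()
}

/// Constructed sample: a world-readable key file inside a 0750 directory that an
/// ACL opens to the `audit` group; the file carries confidentiality 1, integrity 2.
pub fn sample() -> (Vec<Object>, Vec<Subject>) {
    let dir = |path, owner, group, mode, acl, mask| Object { path, owner, group, mode, acl, mask, conf: 0, integ: 0 };
    let fs = vec![
        dir("/", "root", "root", 0o755, vec![], 0o7),
        dir("/srv", "root", "root", 0o755, vec![], 0o7),
        dir("/srv/app", "root", "app", 0o750, vec![AclEntry::Group("audit", R | X)], 0o5),
        Object { path: "/srv/app/key.pem", owner: "app", group: "app", mode: 0o644,
                 acl: vec![AclEntry::User("backup", R)], mask: 0o4, conf: 1, integ: 2 },
    ];
    let subj = |name, groups, conf, integ| Subject { name, groups, conf, integ };
    let subjects = vec![
        subj("root", vec![], 3, 3),
        subj("app", vec!["app"], 1, 1),
        subj("auditor", vec!["audit"], 2, 1),    // reaches the key through the directory ACL
        subj("contractor", vec!["audit"], 0, 0), // DAC allows, the confidentiality label denies
        subj("backup", vec!["backup"], 1, 0),    // named in the file ACL, but cannot search /srv/app
        subj("alice", vec!["users"], 3, 3),
    ];
    (fs, subjects)
}
```

For the sample, who_can() reports root, app and auditor as readers of key.pem and root as the only writer: auditor gets in through the ACL on the parent directory plus the 0644 mode, which is the kind of hidden path the audit is meant to surface; backup is named in the file's ACL but never gets past the 0750 directory; contractor passes every classic check and is stopped only by the confidentiality label; the owning account app can read but not write, because the integrity label outranks it.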

A report for the security team

Hidden paths to critical files show up before an auditor or an attacker finds them. The audit changes nothing on the device — safe to run in production.

read-only · offline

03 · Together with Tessera

Separation of duties with Tessera Access

Census prepares access ahead of time, Tessera verifies identity at login. The products work as a pair — and each on its own.

Off the login path

Accounts, groups and limits are materialized in advance, not at login time. A failing or absent Census never blocks an engineer's login — it simply is not on the authentication path.

Role accounts instead of personal ones

A device has a handful of role accounts (operator, maintenance, admin) — not an account per person. The engineer's identity lives in the Tessera certificate: accountability without sprawl.

Lockout protection

Census will not remove the last access path to a device — emergency login stays protected. Apply is atomic: there is no such thing as a half-applied declaration.

One platform with Tessera

Roles in the Census declaration and in Tessera certificates share one vocabulary — no double bookkeeping. Declarations are delivered via Tessera Control — or any channel of yours.

Personal offline login to these same devices — Tessera Access: certificates, contractor delegation, audit.

Next step — a pilot on a slice of your fleet

We write your roles as a declaration, show the diff against the current state of the devices, and deliver an effective-permission audit report.