{"id":13698269,"url":"https://github.com/coinbase/dexter","last_synced_at":"2025-04-09T18:32:12.898Z","repository":{"id":66163490,"uuid":"149800498","full_name":"coinbase/dexter","owner":"coinbase","description":"Forensics acquisition framework designed to be extensible and secure","archived":false,"fork":false,"pushed_at":"2019-06-21T21:02:42.000Z","size":150,"stargazers_count":118,"open_issues_count":10,"forks_count":20,"subscribers_count":21,"default_branch":"master","last_synced_at":"2024-04-14T16:48:47.467Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/coinbase.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2018-09-21T18:09:23.000Z","updated_at":"2024-02-17T13:29:15.000Z","dependencies_parsed_at":"2023-03-10T23:41:58.049Z","dependency_job_id":null,"html_url":"https://github.com/coinbase/dexter","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/coinbase%2Fdexter","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/coinbase%2Fdexter/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/coinbase%2Fdexter/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/coinbase%2Fdexter/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/coinbase","download_url":"https://codeload.github.com/coinbase/dexter/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://git
hub.com","kind":"github","repositories_count":248087860,"owners_count":21045602,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-02T19:00:42.794Z","updated_at":"2025-04-09T18:32:07.888Z","avatar_url":"https://github.com/coinbase.png","language":"Go","readme":"# Dexter\n\n[![CircleCI](https://circleci.com/gh/coinbase/dexter/tree/master.svg?style=svg)](https://circleci.com/gh/coinbase/dexter/tree/master)\n\nYour friendly forensics expert.\n\nDexter is a forensics acquisition framework designed to be extensible and secure.\n\nDexter runs as an agent backed by S3.  Investigators use Dexter on the command line to issue investigations and retrieve reports.  Investigations define facts that must be true about the systems in scope, and tasks that will be run on the host.  After tasks are run, Dexter generates reports that are individually encrypted back to the investigators that are authorized to view the data.\n\n## Architecture Overview\n\n![](doc/dexter.png?raw=true \"\")\n\n## Building\n\n### Prerequisites\n\n#### A working Go environment\n\nYou must have Go installed.  
Please follow the [installation instructions](https://golang.org/doc/install) or use an alternative method such that you can successfully run `go` and have a properly set up `$GOPATH` defined in your environment.\n\nDexter uses Go modules, so you must `export GO111MODULE=on` in your environment.\n\n### Download the repository\n\nClone the repository into the correct place in your `$GOPATH`.\n\n```\ncd $GOPATH/src\nmkdir -p github.com/coinbase\ncd github.com/coinbase\ngit clone https://github.com/coinbase/dexter\ncd dexter\n```\n\n### Run tests\n\n```\nmake test\n```\n\n### Install\n\nDexter can be installed with:\n\n```\nmake install\n```\n\nOn Linux, a bash completion script can be installed with `make bash`.\n\nDexter will need to be configured before it can be used.\n\n#### Environment variables\n\nDexter is configured with the following environment variables.  Some are only required when Dexter is running as a daemon; others are required both when acting as a daemon and when acting as a command line client.\n\n|Envar|Use|Daemon|Client|\n|---|---|:---:|:---:|\n|`DEXTER_AWS_S3_BUCKET`|The S3 bucket Dexter will use|✓|✓|\n|`DEXTER_POLL_INTERVAL_SECONDS`|The number of seconds in between Dexter S3 polls|✓||\n|`DEXTER_PROJECT_NAME_CONFIG`|Instructs Dexter on how to look up a local host's project name.  Contents must begin with `file://`, followed by a local path, or `envar://`, followed by an envar name.|✓||\n|`DEXTER_OSQUERY_SOCKET`|Path to the local osquery socket|✓||\n|`DEXTER_AWS_ACCESS_KEY_ID`|AWS access key ID, used to override `AWS_ACCESS_KEY_ID`.  If not set, `AWS_ACCESS_KEY_ID` will be used instead.|✓|✓|\n|`DEXTER_AWS_SECRET_ACCESS_KEY`|AWS secret access key, used to override `AWS_SECRET_ACCESS_KEY`.  If not set, `AWS_SECRET_ACCESS_KEY` will be used instead.|✓|✓|\n|`DEXTER_AWS_REGION`|AWS region, used to override `AWS_REGION`.  
If not set, `AWS_REGION` will be used instead.|✓|✓|\n\n#### Amazon S3 access\n\nIn order to use Dexter, you will need to have access to an S3 bucket.\n\nDexter usage can be divided into three roles: daemon, investigator, and admin.\n\n##### Daemon\n\nDexter daemons will need the following AWS permissions to use the S3 bucket:\n\n* `ListBucket` on `investigations`\n* `ListBucket` on `investigations/*`\n* `ListBucket` on `investigators`\n* `ListBucket` on `investigators/*`\n* `GetObject` on `investigations`\n* `GetObject` on `investigations/*`\n* `GetObject` on `investigators`\n* `GetObject` on `investigators/*`\n* `PutObject` on `reports/*`\n* `PutObjectAcl` on `reports/*`\n\n##### Investigators\n\nInvestigators will require the following permissions to use Dexter:\n\n* `GetObject` on the entire bucket\n* `ListBucket` on the entire bucket\n* `PutObject` on `investigations/*`\n* `PutObjectAcl` on `investigations/*`\n\n##### Admins\n\nDexter admins should have all the permissions of investigators, as well as the following additional permissions:\n\n* `PutObject` on the entire bucket\n* `PutObjectAcl` on the entire bucket\n* `CopyObject` on the entire bucket\n* `DeleteObject` on the entire bucket\n\nOnly Dexter admins can add new users and archive reports.\n\n## Usage\n\nFull documentation for Dexter is auto-generated [here](doc/dexter.md).\n\n### Setting up an investigator\n\nThe command [`dexter investigator init`](doc/dexter_investigator_init.md) can be used to create a new investigator on a new system.  
You will set a new password, which will be used when investigations are signed and reports are downloaded.\n\n```\n$ ./dexter investigator init hayden\nInitializing new investigator \"hayden\" on local system...\nSet a new password \u003e\nConfirm \u003e\nNew investigator file created: hayden.json\nThis must be uploaded to Dexter by your Dexter administrator.\n```\n\nA Dexter admin can now place this file in the investigators directory of the S3 bucket.\n\nThis will create a `~/.dexter` directory locally containing your encrypted private key.\n\n### Revoking investigators\n\nThe command [`dexter investigator emergency-revoke`](doc/dexter_investigator_emergency-revoke.md) can be used to revoke an investigator.\n\n### Deploying the daemon\n\nThe command [`dexter daemon`](doc/dexter_daemon.md) is used to start a daemon.\n\nThe Dexter daemon can be deployed either as a binary or as a Docker container.  When deployed via Docker, it is important to provide Dexter with access to the Docker socket and osquery socket if you intend to use those features.  
The Dockerfile included in this repo is a good place to start, but will require the configuration file to be edited before building.\n\n### Creating an investigation\n\nThe command [`dexter investigation create`](doc/dexter_investigation_create.md) is used to create new investigations.\n\nRunning this command will enter into an interactive cli where an investigation can be configured, signed, and uploaded.\n\n### Listing investigations\n\nThe command [`dexter investigation list`](doc/dexter_investigation_list.md) is used to list all investigations stored in the Dexter bucket.\n\n```\n$ dexter investigation list\n+---------------+--------+-------------------------+------------------------+-----------+-------------+\n| INVESTIGATION | ISSUER |          TASKS          |         SCOPE          | CONSENSUS | REVIEWED BY |\n+---------------+--------+-------------------------+------------------------+-----------+-------------+\n| 1e8b73bb      | bob    | docker-filesystem-diff, | platform-is(\"linux\"),  | 1/1       | alice       |\n|               |        | osquery-collect         | user-exists(REDACTED)  |           |             |\n+---------------+--------+-------------------------+------------------------+-----------+-------------+\n```\n\n### Approving investigations\n\nThe command [`dexter investigation approve`](doc/dexter_investigation_approve.md) is used to preview and sign investigations that require consensus approval.\n\n```\n$ dexter investigation approve 1\nProvide your password to approve the following investigation:\n+------------------+--------------------------------+\n|      FIELD       |             VALUE              |\n+------------------+--------------------------------+\n| ID               | 1e8b73bb                       |\n| Issued By        | bob                            |\n| Tasks            | osquery-collect,               |\n|                  | docker-filesystem-diff         |\n| Scope            | platform-is(\"linux\"),          |\n|   
               | user-exists(REDACTED)          |\n| Kill Containers? | false                          |\n| Kill Host?       | false                          |\n| Recipients       | alice, bob                     |\n| Approvers        |                                |\n+------------------+--------------------------------+\nPassword \u003e\n```\n\n### Archiving investigations\n\nThe command [`dexter investigation archive`](doc/dexter_investigation_archive.md) is used to rename old investigations so they are no longer visible.\n\nWhen this command is run, all past investigations will be prefixed with an underscore and no longer visible in Dexter.  They are still available in the S3 bucket for audit purposes.\n\n### Listing reports\n\nThe command [`dexter report list`](doc/dexter_report_list.md) is used to print a table of reports.\n\n```\n$ dexter report list\n+---------------+--------+-------------------------+-----------------------+------------+----------------+\n| INVESTIGATION | ISSUER |          TASKS          |         SCOPE         | RECIPIENTS | HOSTS UPLOADED |\n+---------------+--------+-------------------------+-----------------------+------------+----------------+\n| 1e8b73bb      | bob    | docker-filesystem-diff, | platform-is(\"linux\"), | alice,     | 1              |\n|               |        | osquery-collect         | user-exists(REDACTED) | bob        |                |\n+---------------+--------+-------------------------+-----------------------+------------+----------------+\n```\n\n### Downloading reports\n\nThe command [`dexter report retrieve`](doc/dexter_report_retrieve.md) is used to download reports.\n\nThe encrypted report will be downloaded, and you will be prompted for your password.  
Once provided, the report will be unpacked into a new directory.\n\nThe report format is:\n\n```\nDexterReport-\u003cID\u003e/\u003chostname\u003e/\u003ctaskname\u003e/...\n```\n\n### Archiving reports\n\nThe command [`dexter report archive`](doc/dexter_report_archive.md) is used to archive old reports.\n\nThe reports will be prefixed with an underscore and no longer visible in Dexter.  They will remain in the S3 bucket for audit purposes.\n\n## Development\n\n### Adding facts\n\nNew facts can be added very easily.  Make a copy of the [example fact](facts/example.go) and replace the contents as needed with your new fact.  Rebuild and re-deploy Dexter, and your fact will be available for use.\n\n### Adding tasks\n\nNew tasks can be added just like new facts.  Make a copy of the [example task](tasks/example.go), replacing the content as needed, and redeploy.\n","funding_links":[],"categories":["Tools","Challenges","\u003ca id=\"ecb63dfb62722feb6d43a9506515b4e3\"\u003e\u003c/a\u003eNewly added"],"sub_categories":["Frameworks"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcoinbase%2Fdexter","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcoinbase%2Fdexter","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcoinbase%2Fdexter/lists"}