{"id":19481842,"url":"https://github.com/fossable/sandpolis","last_synced_at":"2025-04-06T00:07:06.916Z","repository":{"id":37940552,"uuid":"100069523","full_name":"fossable/sandpolis","owner":"fossable","description":"Virtual estate monitoring \u0026 management!","archived":false,"fork":false,"pushed_at":"2025-03-24T19:43:33.000Z","size":17034,"stargazers_count":53,"open_issues_count":5,"forks_count":8,"subscribers_count":4,"default_branch":"master","last_synced_at":"2025-03-29T23:07:36.726Z","etag":null,"topics":["administration","automation","cloud-native","cross-platform","devops","free-software","monitoring","remote","rmm"],"latest_commit_sha":null,"homepage":"","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"agpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/fossable.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2017-08-11T20:55:30.000Z","updated_at":"2025-03-17T03:46:07.000Z","dependencies_parsed_at":"2024-06-21T19:12:24.056Z","dependency_job_id":"f332637b-d271-4066-a7c4-83f6e105ea27","html_url":"https://github.com/fossable/sandpolis","commit_stats":{"total_commits":1104,"total_committers":4,"mean_commits":276.0,"dds":0.1530797101449275,"last_synced_commit":"f5ed52f1af6e5b2b48cfdae81b335918d56b9020"},"previous_names":["subterranean-security/sandpolis"],"tags_count":11,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fossable%2Fsandpolis","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fossable%2Fsandpolis/tags","releases_url":"https://repos.ecosyste.ms/a
pi/v1/hosts/GitHub/repositories/fossable%2Fsandpolis/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fossable%2Fsandpolis/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/fossable","download_url":"https://codeload.github.com/fossable/sandpolis/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247415967,"owners_count":20935388,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["administration","automation","cloud-native","cross-platform","devops","free-software","monitoring","remote","rmm"],"created_at":"2024-11-10T20:06:48.013Z","updated_at":"2025-04-06T00:07:06.892Z","avatar_url":"https://github.com/fossable.png","language":"Rust","readme":"\u003cp align=\"center\"\u003e\n\t\u003cimg src=\"https://raw.githubusercontent.com/fossable/sandpolis/master/.github/images/sandpolis-256.png\" /\u003e\n\u003c/p\u003e\n\n![License](https://img.shields.io/github/license/fossable/sandpolis)\n![GitHub repo size](https://img.shields.io/github/repo-size/fossable/sandpolis)\n![Stars](https://img.shields.io/github/stars/fossable/sandpolis?style=social)\n\n\u003chr\u003e\n\n`sandpolis` is a **virtual estate monitoring/management tool** (VEM²) under\nactive development.\n\n\u003cp align=\"center\"\u003e\n\t\u003cimg src=\"https://raw.githubusercontent.com/fossable/sandpolis/master/.github/images/overview.png\" /\u003e\n\u003c/p\u003e\n\n## Virtual estate\n\nVirtual/digital estate is an all-encompassing term that generally refers to all\nof the (non-physical) assets in 
your possession. Some of them may be entirely\nvirtual, like accounts on _github.com_. Others have a physical component as\nwell, like a server in your closet, Raspberry Pi, or laptop.\n\nAll of these entities are part of your _virtual estate_ and are often\nintricately connected in various ways. As an example, you might have an SSH key\nor API token on your machine that grants access to repositories (a kind of\ndigital asset) on Github. And suppose your machine also has an authorized key\ninstalled that allows access from another machine:\n\n```\n┌──────────┐  SSH Key  ┌──────────┐  API Token  ┌───────────────────┐\n│Machine A ┼───────────►Machine B ┼─────────────► Github            │\n└──────────┘           └──────────┘             │                   │\n                                                │  - Private repos  │\n                                                └───────────────────┘\n```\n\nIf you care about those repos, then Sandpolis can map out an attack surface that\nincludes both `Machine A` and `Machine B`. If `Machine A` happens to have a weak\npassword or one that's shared with another website, then the attack surface is\nconsequently expanded with appropriate probabilities.\n\nMapping these relationships automatically is possible because Sandpolis runs an\nagent on `Machine A` and `Machine B` (and has API access to Github).\n\n## Security Warning\n\nSandpolis is an extremely high-value attack target as it provides management\naccess to your virtual estate. 
To compensate, strong security measures are\navailable:\n\n- All connections to a server use mTLS and require a valid client certificate.\n  The server automatically rotates these certificates periodically, but the\n  initial certificate must be installed out-of-band.\n\n- Users can be required to log in with two-factor authentication codes.\n\n- User permissions restrict what users are able to do and on what instances.\n\nEven with several layers of strong authentication, there's always a risk that the\nSandpolis server can be compromised. If the risks of introducing a \"single point\nof compromise\" outweigh the convenience of having a unified management\ninterface, then **don't use Sandpolis**.\n\nYou can choose how much trust you allocate to the Sandpolis network. For\nexample, agents can optionally run in _read only_ mode, which still provides\nuseful monitoring information but prohibits all write operations (including\nagent updates). This can significantly mitigate potential damage in the event of\nserver compromise.\n\n## Layers\n\nFeatures are organized into _layers_ that can be toggled on/off in the UI. If\nyou build Sandpolis from source, it's also easy to pick and choose what layers\nare included:\n\n```sh\n# Build the Sandpolis server with remote desktop capabilities ONLY\ncargo build --no-default-features --features server --features layer-desktop\n```\n\n### Account\n\nModels online/offline accounts and their relationships to agent instances.\nEnables higher-order analysis of virtual estate like attack surface mapping and\ncompromise tracing.\n\n### Alert\n\nTriggers user notifications when certain events are detected in the Sandpolis\nnetwork. For example, if a user's status is currently _AWAY_, an unexpected SSH\nlogin from that user (anywhere in the network) will fire an urgent alert.\n\n### Desktop\n\nProvides access to remote desktop capabilities.\n\n### Filesystem\n\nProvides read/write access to agent filesystems. 
The Sandpolis client can also\nmount an agent's filesystem.\n\n### Logging\n\n### Package\n\nIntegrates with package managers to monitor package versions.\n\n### Probe\n\nProbes are manageable from the Sandpolis network, but don't run agent software.\nInstead, a remote Sandpolis agent instance connects to probes over a standard\nprotocol like SSH, SNMP, Docker, etc.\n\nYou can interact with probes almost as if they were regular agents (as long as\nthe gateway instance remains online).\n\n### Shell\n\nProvides an interactive remote shell.\n\n### Tunnel\n\n### User\n\n## Installation\n\n\u003cdetails\u003e\n\u003csummary\u003eCrates.io\u003c/summary\u003e\n\n![Crates.io Total Downloads](https://img.shields.io/crates/d/sandpolis)\n\n#### Install from crates.io\n\n```sh\ncargo install sandpolis\n```\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003eDocker\u003c/summary\u003e\n\n#### Install server from DockerHub\n\n![Docker Pulls](https://img.shields.io/docker/pulls/sandpolis/server)\n![Docker Image Size](https://img.shields.io/docker/image-size/sandpolis/server)\n![Docker Stars](https://img.shields.io/docker/stars/sandpolis/server)\n\n```yml\n# Docker compose\nservices:\n  sandpolis-server:\n    image: sandpolis/server\n    restart: unless-stopped\n```\n\n#### Install client from DockerHub\n\n![Docker Pulls](https://img.shields.io/docker/pulls/sandpolis/client)\n![Docker Image Size](https://img.shields.io/docker/image-size/sandpolis/client)\n![Docker Stars](https://img.shields.io/docker/stars/sandpolis/client)\n\n```sh\nalias sandpolis-client=\"docker run --rm sandpolis/client\"\n```\n\n\u003c/details\u003e\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffossable%2Fsandpolis","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ffossable%2Fsandpolis","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffossable%2Fsandpolis/lists"}