SansShell

A non-interactive daemon for host management using gRPC for remote interactions and policy enforcement through Open Policy Agent (OPA).

Tags: Multi-Cloud, Open Source, Self-Hosted Only
Category Identity & Access Management
GitHub Stars 103
Last Commit last week
This page updated 6 days ago
Pricing Details Open Source - Free to use and customize, no specific pricing tiers.
Target Audience System Administrators, DevOps Engineers, Security Professionals

Technical Details

Core Capabilities and Implementation Mechanisms

  • SansShell is a non-interactive daemon for host management that uses gRPC for all remote interactions. It ships as three components: a server that runs on each managed host, a proxy, and a CLI client.
  • Each capability (file operations, command execution, health checks, network actions, package management, and others) is a separate gRPC service defined in protobuf, so every request is a typed message rather than a free-form shell command.
  • Before a request is executed it is evaluated against an Open Policy Agent (OPA) policy written in Rego. The policy can allow or deny based on the RPC being called, the fields of the request, and the identity of the caller, which gives fine-grained control over what is done on each host.

Deployment Architecture and Requirements

  • Server and Proxy: The server and proxy can be run separately or together. The server runs on the managed host and handles client connections directly; the proxy accepts a client connection and fans the request out to one or more target servers, so an operator can act on many hosts with one command.
  • Certificates: All connections use mutual TLS (mTLS); both ends present certificates, and the caller's identity is derived from its client certificate. Certificates must be placed in the ~/.sansshell directory before the server or proxy is started. Because policy decisions hinge on that identity, the CA that issues client certificates is the root of trust for the deployment: protect its key and do not reuse a general-purpose CA for it.
  • Environment Setup: The environment requires a recent version of Go, the protocol buffer compiler (protoc), and specific Go and gRPC plugins.
  • Tools and Dependencies: Additional tools like grpc_cli are used for debugging and testing.

Integration Points and APIs

  • gRPC Services: Every capability is registered as a gRPC service on the server, including file operations, command execution, health checks, and the other services listed above, so the protobuf definitions are the wire API.
  • OPA Integration: Each incoming request is handed to OPA before it runs, so the policy decides per call whether the requested action may be performed on the host.
  • CLI Client: The CLI client exposes each gRPC method as a subcommand, giving raw access to every endpoint, and can be extended with custom commands.

Key Technical Features and Limitations

  • Service Variety: Supports a wide range of services including file management, execution of commands, health checks, network actions, and more.
  • Policy Enforcement: Integrates with OPA for policy enforcement, ensuring that only authorized actions are executed.
  • Debugging Tools: Includes tools like grpc_cli for debugging and testing the gRPC services.
  • Limitations: Setup is non-trivial: a CA and mTLS certificates are needed for every host and operator, policies must be written in Rego, and a Go toolchain is required to build or extend the services. This complexity can be a barrier for smaller teams.

Security Controls and Mechanisms

  • mTLS: Mutual TLS secures communication between the client and the server or proxy and authenticates both ends of every connection.
  • OPA Policies: Every RPC is authorized by an OPA policy, so only actions the policy explicitly allows are executed. With a default-deny policy, anything not written down is refused.
  • Access Control: Because requests are typed gRPC messages, a policy can decide on the method name, on individual request fields (for example, which file is read or which command is run), and on the caller's certificate identity, which is finer than per-endpoint access control.
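
The following Rego policy is an added illustration of the OPA integration described in the capability bullets and the security-controls bullets above; it is not taken from the SansShell repository. It assumes the policy package is sansshell.authz and that OPA receives the full gRPC method name as input.method, the decoded request as input.message and the caller's client-certificate subject as input.peer.cert.subject.CommonName; the service, method and request field names are likewise assumed and must be checked against the project's protobuf definitions before use. It uses `import rego.v1`, so it needs OPA 0.59 or later.

```rego
# Added example policy, not from the SansShell project.
# Assumed input shape (verify against the project's documentation):
#   input.method                          full gRPC method name
#   input.message                         decoded request message
#   input.peer.cert.subject.CommonName    identity from the mTLS client certificate
package sansshell.authz

import rego.v1

# Anything not explicitly allowed below is denied.
default allow := false

# Health checks are harmless; any caller with a valid client certificate may run them.
allow if {
	input.method == "/HealthCheck.HealthCheck/Ok"
}

# A read-only operator identity may read files, but only under /etc
# and never with a traversal component in the path.
allow if {
	input.method == "/LocalFile.LocalFile/Read"
	input.peer.cert.subject.CommonName == "ops-readonly"
	startswith(input.message.file.filename, "/etc/")
	not contains(input.message.file.filename, "..")
}

# Command execution is limited to a named admin identity and to an
# allowlist of binaries; an allowlist set is safer than a pattern match.
allowed_exec_commands := {"/usr/bin/uptime", "/usr/bin/df"}

allow if {
	input.method == "/Exec.Exec/Run"
	input.peer.cert.subject.CommonName == "ops-admin"
	input.message.command in allowed_exec_commands
}
```

The three rules show the three dimensions the bullets describe: the first keys only on the method, the second combines caller identity with a constraint on a request field, and the third pairs identity with an allowlist. The default of false means a new service added to the server is unreachable until someone writes a rule for it. A policy like this can be exercised offline with `opa eval -d policy.rego -i input.json 'data.sansshell.authz.allow'` against a JSON file built in the assumed input shape.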

ISO 27001:2022 Relevance

Implementing Specific ISO Controls

  • Access Control: SansShell's OPA integration implements a central, reviewable access control policy for host administration, supporting ISO 27001:2022 Annex A controls A.5.15 (Access control), A.5.18 (Access rights) and A.8.2 (Privileged access rights); these correspond to A.9.1.1 and related controls in the 2013 edition.
  • Audit and Compliance: Request logs from the server and proxy provide an audit trail of the actions performed on hosts, which supports A.8.15 (Logging) and A.8.16 (Monitoring activities) and can be produced as evidence in compliance audits.

Evidence/Artifacts for Audits

  • Logs and Audit Trails: SansShell can generate logs of all actions performed, which can serve as evidence during audits.
  • Policy Compliance: The OPA policies enforced by SansShell can be documented and reviewed to ensure compliance with ISO 27001 controls.

Integration Considerations for Compliance

  • Policy Management: Keep OPA policies in version control and review them on a schedule so they stay aligned with the organization's access control policy and ISO 27001 requirements; treat a policy change as a privilege change and subject it to the same approval.
  • Audit and Monitoring: Forward SansShell logs to a central collector and review them regularly to confirm compliance and to detect denied or unexpected requests.

Monitoring and Measurement Capabilities

  • Logging: SansShell generates logs that can be monitored to track all actions performed on the hosts.
  • Health Checks: The tool includes health check services that can be used to monitor the status of the hosts.

Required Skills and Training Considerations

  • Go and gRPC: Users need to have a good understanding of Go and gRPC to set up and customize SansShell.
  • OPA: Knowledge of OPA and policy management is necessary to effectively use the policy enforcement features.

Pricing & Deployment

Available Pricing Tiers and Models

  • Open Source: SansShell is an open-source project, which means it is free to use and customize. There are no specific pricing tiers or models mentioned.

Free/Community vs Enterprise Features

  • Since SansShell is open-source, all features are available for free. There are no enterprise-specific features or pricing models.

Deployment Options and Requirements

  • Local Deployment: Can be deployed locally on a machine by building and running the server, proxy, and CLI client components.
  • Environment Requirements: Requires a Go environment, protoc, and specific plugins to be installed.

Support and Maintenance Details

  • Community Support: Support is primarily through the community and the project's GitHub repository. There are no commercial support options mentioned.
  • Maintenance: Maintenance and updates are handled through the open-source community contributions and releases on GitHub.
