|
1 | | - |
2 | | -# gitMDM: The MDM that isn't a giant security hole |
| 1 | +# gitMDM: The MDM that isn't |
3 | 2 |
|
4 | 3 |  |
5 | 4 |
|
6 | | -⚠️ **HIGHLY EXPERIMENTAL - IT MAY EAT YOUR CAT ** ⚠️ |
7 | | - |
8 | | -## What Is This Thing? |
9 | | - |
10 | | -gitMDM is what happens when you need to pass a SOC 2 audit but refuse to sell your soul to the MDM industrial complex. It's a Mobile Device Management solution that stores everything in Git because, apparently, Git is the hammer and everything looks like a nail. |
| 5 | +⚠️ **HIGHLY EXPERIMENTAL - MAY EAT YOUR CAT** ⚠️ |
11 | 6 |
|
12 | | -## Why Does This Exist? |
| 7 | +## What |
13 | 8 |
|
14 | | -Because I needed to prove my devices were "compliant" for SOC 2, but I'll be damned if I'm going to: |
15 | | -- Install some bloated enterprise MDM that phones home every 5 seconds |
16 | | -- Give some cloud service root access to my machines |
17 | | -- Sacrifice my freedom of choice on the altar of compliance theater - if I want to run OpenBSD, I should be able to. |
18 | | -- Trust my device security to a system that's one CVE away from being everyone's backdoor |
| 9 | +A "Mobile Device Management" solution that stores compliance checks in Git. Built to pass SOC 2 audits without installing actual MDM spyware. |
19 | 10 |
|
20 | | -So I built this instead. It checks boxes. Literally. For auditors. |
| 11 | +## Why |
21 | 12 |
|
22 | | -## Design Philosophy: Paranoia as a Service |
| 13 | +Because real MDMs are backdoors with compliance features. This just generates the reports auditors want without the ability to actually control your devices. |
23 | 14 |
|
24 | | -- **No Remote Control**: This MDM can't actually manage your devices. It just tattles on them. To Git. |
25 | | -- **No Backdoors**: The server can't execute commands on agents, or itself. |
26 | | -- **No Cloud**: Your compliance data lives in a Git repo you control, not in someone else's computer. You can run it in the Cloud, though. |
27 | | -- **No Privileges**: The agent runs with minimal permissions and couldn't compromise your system if it tried (which it won't, because it can't) |
28 | | -- **No Dependencies**: Well, except for Git. And Go. And YAML. But who's counting? |
29 | | -- **No Support**: You're on your own, friend. I built this for me. |
| 15 | +## Philosophy |
30 | 16 |
|
31 | | -## How It "Works" |
| 17 | +- **Can't manage devices** - Only reports on them |
| 18 | +- **Can't execute commands** - Read-only by design |
| 19 | +- **Can't phone home** - Your Git repo, your control |
| 20 | +- **Can't compromise systems** - No privileges, no access |
32 | 21 |
|
33 | | -1. **Agent**: A tiny Go binary runs on your devices, executes read-only compliance checks, and sends reports to... |
34 | | -2. **Server**: Another tiny Go binary that receives reports and commits them to... |
35 | | -3. **Git**: Because if you're going to store compliance data somewhere, it might as well have version control |
| 22 | +## Architecture |
36 | 23 |
|
37 | 24 | ``` |
38 | | -Your Device → Agent → Server → Git → Auditor's Spreadsheet → ✅ SOC 2 Compliant! |
| 25 | +Device → Agent (reads) → Server (receives) → Git (stores) → Auditor ✅ |
39 | 26 | ``` |
40 | 27 |
|
41 | 28 | ## Features |
42 | 29 |
|
43 | | -- ✅ Proves your disk is encrypted (without being able to decrypt it) |
44 | | -- ✅ Shows your firewall is on (without being able to turn it off) |
45 | | -- ✅ Lists your users (without being able to delete them) |
46 | | -- ✅ Reports installed updates (without being able to install them) |
47 | | -- ✅ Demonstrates screensaver locks (without locking you out) |
48 | | -- ✅ Makes auditors happy (without making you sad) |
49 | | -- ✅ Supports pretty much any operating-system, from macOS to Linux to OpenBSD. |
| 30 | +Proves compliance without control: |
| 31 | +- Disk encryption status |
| 32 | +- Firewall configuration |
| 33 | +- User accounts |
| 34 | +- System updates |
| 35 | +- Screensaver locks |
50 | 36 |
|
51 | | -## Security Through Inability |
52 | | - |
53 | | -Traditional MDMs are like giving someone the keys to your house so they can check if you locked the door. gitMDM is like having someone take a photo of your locked door from across the street. Sure, they can't verify the windows are locked, but they also can't break in. |
| 37 | +## Platform Support |
54 | 38 |
|
55 | | -**Core Security Principles:** |
56 | | -- **Read-Only**: Agents can look but can't touch |
57 | | -- **One-Way Communication**: Agents report to server, server can't command agents |
58 | | -- **Git-Based Audit Trail**: Every change is tracked, signed, and immutable |
59 | | -- **Minimal Attack Surface**: ~1000 lines of Go and one YAML dependency |
60 | | -- **Defense in Depth**: Even if compromised, the server can't compromise endpoints |
| 39 | +Linux, macOS, FreeBSD, OpenBSD, NetBSD, DragonFlyBSD, Solaris, illumos, Windows 11 |
61 | 40 |
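Review bot: the new Platform Support line lists Windows 11, while the removed line read `Windows: LOL no`; if Windows support landed in this commit, the Installation section needs the Windows equivalent of the deploy step (the `echo ... | crontab -` line does not apply there), and if it did not, this line overstates what the agent runs on.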
|
62 | 41 | ## Installation |
63 | 42 |
|
64 | 43 | ```bash |
65 | | -# Clone it |
66 | | -git clone https://github.com/you/gitMDM.git |
67 | | - |
68 | | -# Build it |
| 44 | +# Build |
69 | 45 | make build |
70 | 46 |
|
71 | | -# Run it (server) - pick your storage poison: |
72 | | - |
73 | | -# Option 1: Clone a remote/local repo to temp directory (will push/pull) |
74 | | -./gitmdm-server -git https://github.com/you/compliance-data.git -port 8080 |
75 | | - |
76 | | -# Option 2: Use an existing local git clone (will push/pull if remote configured) |
77 | | -./gitmdm-server -clone /path/to/your/compliance-repo -port 8080 |
| 47 | +# Server (pick one) |
| 48 | +./gitmdm-server -git https://github.com/you/compliance.git # Clone & push |
| 49 | +./gitmdm-server -clone /path/to/repo # Use existing |
78 | 50 |
|
79 | | -# Deploy it (agent) |
| 51 | +# Agent |
80 | 52 | ./gitmdm-agent -server http://your-server:8080 |
81 | 53 |
|
82 | | -# Forget about it |
| 54 | +# Deploy |
83 | 55 | echo "gitmdm-agent -server http://your-server:8080" | crontab - |
84 | 56 | ``` |
85 | 57 |
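Review bot: the deploy line `echo "gitmdm-agent -server http://your-server:8080" | crontab -` is not a valid crontab entry: it has no schedule fields, so `crontab -` rejects it, and piping into `crontab -` replaces the user's entire crontab rather than appending to it. Suggest something like `(crontab -l 2>/dev/null; echo "0 * * * * /usr/local/bin/gitmdm-agent -server https://your-server:8080") | crontab -`. Both the agent and deploy examples also use `http://`; since the agent ships disk-encryption, firewall and user-account details to the server, the examples should use `https://` (or state that the server is expected to sit behind TLS), otherwise those reports cross the network in cleartext.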
|
86 | | -### Git Storage Options |
87 | | - |
88 | | -The server needs somewhere to store your compliance data. You have options: |
89 | | - |
90 | | -**`-git <url>`** - Clones a repository to a temporary directory |
91 | | -- Works with GitHub/GitLab/Bitbucket: `https://github.com/user/repo.git` |
92 | | -- Works with local repos: `/path/to/repo.git` or `../my-repo` |
93 | | -- Will push/pull changes with the remote |
94 | | -- Fresh clone each time the server starts |
95 | | - |
96 | | -**`-clone <path>`** - Uses an existing local git clone |
97 | | -- Works directly in your existing repository |
98 | | -- Will push/pull if the clone has a remote configured |
99 | | -- Useful for testing or when you need specific git configurations |
100 | | -- No temp directory shenanigans |
101 | | - |
102 | | -### GitHub Authentication (Because Security Theater Needs Credentials) |
103 | | - |
104 | | -If you're using GitHub for your compliance data: |
| 58 | +## GitHub Auth |
105 | 59 |
|
106 | 60 | ```bash |
107 | | -# Option 1: GitHub CLI (easiest) |
108 | | -gh auth setup-git |
109 | | - |
110 | | -# Option 2: SSH keys (most reliable) |
111 | | -# Add your SSH key to GitHub, then: |
112 | | -./gitmdm-server -git [email protected]:you/compliance-data.git |
| 61 | +# Use SSH (recommended) |
| 62 | +./gitmdm-server -git [email protected]:you/compliance.git |
113 | 63 |
|
114 | | -# Option 3: Personal Access Token (for HTTPS) |
115 | | -# Create a PAT on GitHub, then: |
116 | | -./gitmdm-server -git https:// [email protected]/you/compliance-data.git |
| 64 | +# Or GitHub CLI |
| 65 | +gh auth setup-git |
117 | 66 | ``` |
118 | 67 |
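Review bot: the SSH example `./gitmdm-server -git [email protected]:you/compliance.git` looks mangled by e-mail obfuscation in the rendered page; it should read `git@github.com:you/compliance.git`, so please confirm the committed text. Dropping the token-in-URL example (`https:// [email protected]/...`) is a good change, because a token embedded in a flag ends up in shell history and process listings, but the removed `Don't commit your tokens` advice should survive somewhere in this section, since the remaining `gh auth setup-git` path still relies on a stored token.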
|
119 | | -**Pro tip**: Don't commit your tokens. Use SSH keys like a civilized person. |
120 | | - |
121 | 68 | ## Configuration |
122 | 69 |
|
123 | | -Edit `checks.yaml` to define what compliance theater you want to perform. The default checks should satisfy most auditors who've never actually used a computer. |
| 70 | +Edit `checks.yaml` to define compliance checks. Default config satisfies most auditors. |
124 | 71 |
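Review bot: `Edit checks.yaml to define compliance checks` does not say where the file lives or which process reads it. Since the agent executes whatever commands the checks define, the README should state that `checks.yaml` is read locally on each device and is never fetched from the server; otherwise the `Can't execute commands - Read-only by design` claim in the Philosophy section rests on an undocumented assumption, and an operator who puts write-capable commands into the file silently loses the read-only property.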
|
125 | | -## Platform Support |
| 72 | +## Security |
126 | 73 |
|
127 | | -- macOS: Where I live |
128 | | -- Linux: Where servers live |
129 | | -- OpenBSD: Where the paranoid live |
130 | | -- FreeBSD: Where the... uh... FreeBSD people live |
131 | | -- Windows: LOL no |
| 74 | +Traditional MDMs: Give someone your house keys to check if the door is locked. |
| 75 | +gitMDM: Someone photographs your locked door from across the street. |
132 | 76 |
|
133 | | -## Known Issues |
| 77 | +**Result**: Compliance without compromise. |
134 | 78 |
|
135 | | -- May not actually eat your cat, but no promises |
136 | | -- Definitely won't manage your mobile devices despite the name |
137 | | -- Auditors might ask "is this really an MDM?" (Answer: "It's better, it's *compliant*") |
138 | | -- You might be the second user, which would break our metrics |
| 79 | +**Note**: The server accepts reports without authentication by default. While this means anyone could submit false compliance data, they still can't access or control your actual devices. Enable API key authentication (`-api-key`) or use network-level controls if you need to verify report sources. |
139 | 80 |
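Review bot: the note that the server `accepts reports without authentication by default` undercuts the audit-trail purpose of the project: if anyone can file a clean report under any device name, the Git history stops being evidence of anything. Suggest making `-api-key` the documented default, showing the agent-side invocation that supplies the key (the Installation section only shows `-server`), and naming the transport (`https://`) the key travels over. The removed bullet `Git-Based Audit Trail: Every change is tracked, signed, and immutable` should be restored here if commits are still signed, since that is the property an auditor actually relies on.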
|
140 | 81 | ## Disclaimer |
141 | 82 |
|
142 | | -This software is provided "as is" without warranty of any kind. It probably won't eat your cat, compromise your devices, or make you fail your audit. But if it does, you can keep both pieces. |
143 | | - |
144 | | -**Remember**: The 'M' in MDM stands for 'Minimal' (in this case). |
| 83 | +This software proves compliance. It doesn't actually manage devices. That's the point. |
145 | 84 |
|
146 | 85 | --- |
147 | 86 |
|
148 | | -*Built with ❤️ and spite by someone who just wanted to pass an audit with their OpenBSD laptop.* |
| 87 | +*Built with spite by someone who wanted to pass SOC 2 with OpenBSD.* |