  • Stars: 457
  • Rank: 95,182 (Top 2%)
  • Language: JavaScript
  • License: Apache License 2.0
  • Created over 6 years ago
  • Updated about 1 year ago


Repository Details

A desktop application that checks security-related settings and makes recommendations for improvements without requiring central device management or automated reporting.

DEPRECATED

Thank you for your interest in Stethoscope! This iteration of Stethoscope has been deprecated and is being left up for posterity. We pivoted away from this project in 2019 and developed a browser extension and native helper application that improve the overall usability and effectiveness of endpoint security and device discovery.

Thank you to all our internal and external contributors, we appreciate your work toward making security more usable!


The Stethoscope app is a desktop application created by Netflix that checks security-related settings and makes recommendations for improving the configuration of your computer, without requiring central device management or automated reporting.

[Screenshot: Stethoscope app]

Opening the app will run a quick check of your device configuration and present recommendations and instructions.

It does not automatically report device status to a central server, but can be configured to allow requests from particular web pages. This approach enables data collection and device-to-user mapping when people access certain web applications or go through integrated web authentication flows.

The Stethoscope app is built using Electron, kmd, and GraphQL.

For examples of data reporting via a web application (in Chrome or Firefox), see the stethoscope-examples repo.

If you're looking for the Stethoscope web application, that can be found at Netflix/stethoscope.

Quick Start

Run the app and GraphQL server (currently requires port 37370)

yarn install
yarn start

About the Stethoscope app

Philosophy

The Stethoscope app is a user-respecting, decentralized approach to promoting good security configurations for desktop and laptop computers.

Read only

The Stethoscope app reports on your device status and makes recommendations, but does not change any settings proactively. This makes it fundamentally safer than systems management tools that can automatically change settings or install files.

User visible

Instead of an invisible background agent, the Stethoscope app runs as a regular application, with a user interface. This gives us a way to provide instructions, and we believe that a visible application communicates a certain level of user trust and control: we’re not trying to trick anybody into running anything.

Low overhead

The Stethoscope app does not continuously monitor: it scans and reports when the app is run, or when the app is reporting via an allowed website. As a result, the application has essentially no impact on device performance.

Report when needed

Device information is never reported straight from the app to a central server. It is only collected when required by a requesting website. This approach is more privacy respecting, and is more appropriate for situations where people are using devices that aren’t issued by a corporate IT department.

Technical approach

The Stethoscope app uses kmd to execute and parse output from bash, PowerShell, and bundled executables (e.g. bitlocker-status.exe) to obtain system information. Rather than running scheduled queries in the background, GraphQL queries trigger execution of the relevant scripts.

The Electron app runs an Express web server that is only accessible locally (127.0.0.1), not over the network. This web server presents a GraphQL API for device information and policy status.

Even though the server runs over plain HTTP, most browsers carve out an exception to mixed-content blocking for 127.0.0.1. WebKit (Safari) does not currently conform to the spec; however, there is an ongoing ticket requesting that they address this.

Local device checks and instructions

The app is built with a default policy, which specifies recommended OS versions and security settings: disk encryption, screensaver password, no remote login, etc. When you open the app, it will run the bash/PowerShell device queries, evaluate the results against the policy, and show instructions for any recommended actions.

This will work as a standalone checklist, without needing to report any data to a central server. In fact, it doesn’t even require internet connectivity.

You can update the policy guidelines (OS versions, required settings, etc.) in src/practices/policy.yaml, and change the instructions in src/practices/instructions.en.yaml.

Queries from a website provide their own policy and policy variables.

Learn more about policies.
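The check-and-recommend loop described above (collect device facts, evaluate them against the policy, show an instruction for each failed check), as an added example that is not part of the Stethoscope project's code. The policy and instruction objects, the fact names (platform, osVersion, diskEncryption, screenLockPassword, remoteLogin) and the sample device facts are all constructed for this illustration; the real formats of src/practices/policy.yaml and src/practices/instructions.en.yaml are not shown on this page, so their shape here is an assumption.

```javascript
// Added example, not the Stethoscope project's own code. The policy and
// instruction shapes below are assumptions standing in for policy.yaml and
// instructions.en.yaml, whose real formats are not shown on the page.

// Constructed policy: a minimum OS version per platform, plus checks that
// name a device fact, the value it must have, and the instruction to show
// when the check fails.
const POLICY = {
  minimumOsVersion: { darwin: '10.14.0', win32: '10.0.17763' },
  checks: [
    { fact: 'diskEncryption',     expected: true,  instruction: 'diskEncryption' },
    { fact: 'screenLockPassword', expected: true,  instruction: 'screenLock' },
    { fact: 'remoteLogin',        expected: false, instruction: 'remoteLogin' },
  ],
};

// Constructed instruction text, keyed by the instruction names used above.
const INSTRUCTIONS = {
  osVersion: 'Update your operating system to a supported version.',
  diskEncryption: 'Turn on full-disk encryption (FileVault on macOS, BitLocker on Windows).',
  screenLock: 'Require a password when waking from sleep or the screensaver.',
  remoteLogin: 'Disable remote login (SSH / Remote Desktop) unless you need it.',
};

// Compare dotted version strings numerically; returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Evaluate collected device facts against the policy. Returns one result per
// check with status PASS, FAIL or UNKNOWN (fact not collected), and attaches
// the instruction for anything that failed. Read-only: nothing here changes
// a setting, which is the property the README's "Read only" section describes.
function evaluate(facts, policy = POLICY, instructions = INSTRUCTIONS) {
  const results = [];
  const minVersion = policy.minimumOsVersion[facts.platform];
  if (minVersion === undefined || typeof facts.osVersion !== 'string') {
    results.push({ check: 'osVersion', status: 'UNKNOWN' });
  } else if (compareVersions(facts.osVersion, minVersion) < 0) {
    results.push({ check: 'osVersion', status: 'FAIL', instruction: instructions.osVersion });
  } else {
    results.push({ check: 'osVersion', status: 'PASS' });
  }
  for (const c of policy.checks) {
    if (!(c.fact in facts)) {
      results.push({ check: c.fact, status: 'UNKNOWN' });
      continue;
    }
    const ok = facts[c.fact] === c.expected;
    results.push(ok
      ? { check: c.fact, status: 'PASS' }
      : { check: c.fact, status: 'FAIL', instruction: instructions[c.instruction] });
  }
  return results;
}

// Overall verdict: any FAIL fails the device; a check that could not be
// evaluated is surfaced as UNKNOWN rather than silently counted as a pass.
function overall(results) {
  if (results.some(r => r.status === 'FAIL')) return 'FAIL';
  if (results.some(r => r.status === 'UNKNOWN')) return 'UNKNOWN';
  return 'PASS';
}

// Constructed device facts, in place of what the bash/PowerShell queries
// would return on a real machine.
const SAMPLE_FACTS = {
  platform: 'darwin', osVersion: '10.13.6',
  diskEncryption: true, screenLockPassword: false, remoteLogin: false,
};
```

Calling evaluate(SAMPLE_FACTS) reports the outdated OS version and the missing screen-lock password as FAIL with their instructions, disk encryption and remote login as PASS, and overall() returns FAIL; a platform the policy does not know produces UNKNOWN rather than a pass, so a gap in collection is visible instead of being mistaken for compliance.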

Data collection and reporting

Rather than automatically reporting to a central server, data from the Stethoscope app is requested in client-side JavaScript from allowed web pages. The allowed sites are listed in practices/config.yaml, and that list is enforced via a CORS policy. The local web server is only accessible on the loopback interface, so other devices on the network cannot reach it.

This method works in Chrome and Firefox, which properly support allowing requests to http://127.0.0.1 even from HTTPS pages. If you need this reporting mechanism to work in unsupported browsers, browser extensions can broker the communication.

The Stethoscope app can also be launched from a web page using the stethoscope:// protocol handler.
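How the loopback-only server and the CORS allowlist described above fit together, as an added example that is not the Stethoscope project's own code. It uses Node's built-in http module instead of Express, returns routing decisions as plain objects so they can be checked without opening a socket, and the allowlist contents (https://intranet.example.com and https://login.example.com) are constructed stand-ins for whatever practices/config.yaml would hold.

```javascript
// Added example, not the Stethoscope project's own code: a loopback-only HTTP
// server that grants cross-origin access only to an allowlist of web origins,
// the same shape of control the README describes (loopback binding plus CORS).

// Constructed allowlist standing in for practices/config.yaml; the real file's
// format is not shown on the page, so this structure is an assumption.
const ALLOWED_ORIGINS = new Set([
  'https://intranet.example.com',
  'https://login.example.com',
]);

// Return the CORS response headers for a browser origin, or null when the
// origin is not on the allowlist. Matching is exact, so a look-alike origin
// such as https://intranet.example.com.evil.net does not match.
function corsHeadersFor(origin, allowed = ALLOWED_ORIGINS) {
  if (typeof origin !== 'string' || !allowed.has(origin)) return null;
  return {
    'Access-Control-Allow-Origin': origin,   // echo the exact origin, never '*'
    'Access-Control-Allow-Methods': 'POST, OPTIONS',
    'Access-Control-Allow-Headers': 'Content-Type',
    'Vary': 'Origin',                        // caches must key on the Origin header
  };
}

// Decide how to answer a request from its method and Origin header. Returns
// { status, headers, body } so the decision is testable without a socket.
// A request with no Origin header is not a cross-origin browser request, so
// CORS does not apply and it is served as a plain local request.
function route(method, origin, allowed = ALLOWED_ORIGINS) {
  const cors = corsHeadersFor(origin, allowed);
  if (origin !== undefined && cors === null) {
    return { status: 403, headers: {}, body: 'origin not allowed' };
  }
  if (method === 'OPTIONS') {            // CORS preflight
    return { status: 204, headers: cors || {}, body: '' };
  }
  // Stand-in for the GraphQL handler: a constructed device-status document.
  const body = JSON.stringify({ data: { device: { diskEncryption: 'PASS' } } });
  return {
    status: 200,
    headers: { ...(cors || {}), 'Content-Type': 'application/json' },
    body,
  };
}

// Build the server. Start it with createServer().listen(37370, '127.0.0.1'):
// binding to the loopback address is what keeps other hosts off it, and the
// port number is the one the README's Quick Start names.
function createServer(allowed = ALLOWED_ORIGINS) {
  const http = require('http');
  return http.createServer((req, res) => {
    const { status, headers, body } = route(req.method, req.headers.origin, allowed);
    res.writeHead(status, headers);
    res.end(body);
  });
}
```

CORS is enforced by the browser, so the allowlist only governs which web pages may read the response; a non-browser process on the same machine is not restricted by it, which is why binding to 127.0.0.1 is what keeps the API off the network, and why a request carrying no Origin header is treated as a local request rather than a cross-origin one.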

GraphQL query and response examples

Local development

yarn start will run the Electron app, the GraphQL server, and a webpack dev server with the React UI, which allows for live reloading and a faster development cycle.

This requires port 12000 for the webpack dev server and port 37370 for the GraphQL server.

Building and deploying

The Stethoscope app uses electron-builder for packaging, code signing, and autoupdating, so you can follow their configuration instructions.

Examples for building, signing, and publishing builds

Contributing

We’re specifically looking for comments and ideas regarding:

  • Use cases for your organization
  • Integration opportunities
  • Reporting formats and/or standards

Contact

You can reach the Stethoscope development team at [email protected] and via our Gitter.

More Repositories

1. Scumblr (Ruby, 2,643 stars): Web framework that allows performing periodic syncs of data sources and performing analysis on the identified results
2. stethoscope (Python, 2,002 stars): Personalized, user-focused recommendations for employee information security.
3. sleepy-puppy (JavaScript, 1,029 stars): Sleepy Puppy XSS Payload Management Framework
4. sketchy (JavaScript, 996 stars): A task based API for taking screenshots and scraping text from websites.
5. diffy (Python, 632 stars): ⛔ (DEPRECATED) Diffy is a triage tool used during cloud-centric security incidents, to help digital forensics and incident response (DFIR) teams quickly identify suspicious hosts on which to focus their response.
6. riskquant (Python, 609 stars)
7. aardvark (Python, 470 stars): Aardvark is a multi-account AWS IAM Access Advisor API
8. policyuniverse (Python, 421 stars): Parse and Process AWS IAM Policies, Statements, ARNs, and wildcards.
9. zerotodocker (Python, 407 stars): Dockerfiles to be used to create Dockerhub trusted builds of NetflixOSS
10. rewrite (Java, 291 stars): Distributed code search and refactoring for Java
11. gcviz (Python, 266 stars): Garbage Collector Visualization Tool/Framework
12. repulsive-grizzly (Python, 244 stars): Application Layer DoS Testing Framework
13. hystrix-dashboard (JavaScript, 233 stars)
14. jvmquake (Python, 154 stars): A JVMTI agent that attaches to your JVM and kills it when things go sideways
15. zerotocloud (Groovy, 147 stars): Scripts and instructions for Zero To Cloud With NetflixOSS
16. bpftoolkit (Shell, 128 stars)
17. aws-credential-compromise-detection (Python, 118 stars): Example detection of compromised credentials in AWS
18. WSPerfLab (Java, 116 stars): Project for testing web-service implementations.
19. UnrealValidationFramework (C++, 111 stars)
20. cloudy-kraken (Python, 102 stars): AWS Red Team Orchestration Framework
21. historical (Python, 93 stars): A serverless, event-driven AWS configuration collection service with configuration versioning.
22. jenkins-cli (Perl, 91 stars): Simple Jenkins Command Line Interface
23. swag-client (Python, 87 stars): Cloud multi-account metadata management tool.
24. cloudtrail-anomaly (Python, 82 stars)
25. cloudaux (Python, 76 stars): Cloud Auxiliary is a python wrapper and orchestration module for interacting with cloud providers
26. aws-metadata-proxy (Go, 69 stars): AWS Metadata Proxy for protection against SSRF
27. service-capacity-modeling (Python, 61 stars)
28. titus-isolate (Python, 55 stars)
29. skunky (Python, 47 stars): Marking instances dirty since 2018
30. raven-python-lambda (Python, 47 stars): Sentry/Raven SDK Integration For AWS Lambda (python) and Serverless
31. dynaslave-plugin (Java, 46 stars): Jenkins DynaSlave plugin
32. s3-flash-bootloader (Shell, 45 stars): A tool for flashing OS images onto stateful servers
33. rl_for_budget_constrained_recs (Jupyter Notebook, 41 stars)
34. logstash-configs (31 stars): Logstash Configs used by Netflix
35. spectatord (C++, 23 stars): A high performance metrics daemon
36. framerate-utils (TypeScript, 17 stars): Useful conversion utilities for working with video frame rate and display
37. qiro (Java, 17 stars): The Qiro Project
38. listening-test-app (C++, 16 stars)
39. iep-apps (Scala, 15 stars): Example apps using Netflix Insight libraries from the Spectator, Atlas, and IEP projects.
40. zerotocloud-gradle (Groovy, 15 stars): Gradle Plugin to Initialize the Cloud Environment and Utilize it for Continuous Delivery Purposes
41. stethoscope-examples (HTML, 14 stars): Example Express application for collecting data from the Stethoscope app
42. bucketsnake (Python, 14 stars): An AWS lambda function that grantsss S3 permissionsss at ssscale.
43. causaltransportr (R, 12 stars): R package to generalize and transport causal effects.
44. Numerus (Java, 12 stars): Counters, Percentiles, etc for in-memory metrics capture.
45. mesos-on-pi (Shell, 12 stars)
46. nfflink-connector-iceberg (Java, 11 stars)
47. swag-api (Python, 10 stars): REST API and UI for SWAG data
48. repokid-extras (Python, 10 stars)
49. raven-sqs-proxy (Python, 10 stars): A Raven/Sentry SQS message proxy forwarder
50. atlas-node-client (C++, 10 stars)
51. post2crucible (Java, 8 stars): Crucible code review uploader client
52. StethoscopeMobile (JavaScript, 8 stars)
53. netflixoss-dsl-seed (Groovy, 7 stars): DSL Scripts to create build jobs for @NetflixOSS projects
54. grails-jade (Groovy, 6 stars): Grails plugin for rendering Jade templates with the spring-jade4j library
55. spectator-js-nodejsmetrics (JavaScript, 6 stars): Generate node.js internal metrics using the nflx-spectator node module
56. historical-reports (Python, 6 stars): Lambda functions to generate report artifacts from Historical
57. cligraphy (Python, 5 stars)
58. atlas-system-agent (C++, 5 stars): Agent that reports system metrics through SpectatorD.
59. node-pagerduty-netflix (JavaScript, 5 stars): pagerduty REST API interface in node.js
60. swag-functions (Python, 4 stars): Lambda functions for SWAG management
61. grails-context-param (Groovy, 4 stars): Grails plugin to automatically add parameters specified as @ContextParam on a controller to redirect calls.
62. ng-nflx (JavaScript, 4 stars): Miscellaneous utilities for AngularJS
63. hive2iceberg-migration (Scala, 3 stars)
64. ec2blockdevcfg (Python, 2 stars): Tools and configuration for Amazon EC2 NVMe block devices
65. kmd (JavaScript, 2 stars)
66. atlas-native-client (C++, 2 stars)
67. qiro-logo (Java, 2 stars): Code for generating the qiro logo
68. corepipe (Rust, 2 stars)
69. flagpole (Python, 1 star): Flag arg parser to build out a dictionary with optional keys.
70. scumblr-spillguard (Python, 1 star)
71. adversarial_approach_to_recommender_systems (Python, 1 star)