GlassBox
Open source transparency shell for Linux servers.
Glass Box is a public verification system that lets outsiders confirm a server has nothing to hide. Anyone granted reviewer access can SSH into a hardened read-only shell and inspect the live server configuration: firewall rules, running services, DNS, WireGuard status, file integrity reports, and more.
Built by Open Source Security Inc.
What It Does
Glass Box gives reviewers a restricted SSH shell (called the "verify shell") that allows read-only inspection of a live server. The shell whitelists 16 commands and blocks everything else. All sessions are logged and the server owner is alerted on every connection.
The goal: replace "trust us" with "verify it yourself."
Security Model
Glass Box uses 9 layers of defense:
- inspect-shell command whitelist - 16 allowed commands only
- inspect-shell injection filter - blocks shell operators and command substitution
- inspect-shell protected path filter - blocks access to sensitive files
- Chroot jail - verify user is jailed to a minimal filesystem. Sensitive files do not exist inside the jail.
- AppArmor (enforce mode) - explicit deny rules on protected files, no network access
- sshd ForceCommand - every SSH session is forced into inspect-shell
- sshd ChrootDirectory - jail enforced at the SSH daemon level
- UFW firewall - sshd is reachable only over the WireGuard tunnel, never from the public interface
- File permissions - protected files are mode 600, owned root:root
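The sshd side of layers 6 to 8, written out as an added example (this is not the project's shipped sshd_config, which this page does not reproduce). Every directive is a standard OpenSSH keyword; the user name verify, the jail path /srv/glassbox-jail and the WireGuard address 10.0.0.1 are assumptions:

```text
# Added example, not the GlassBox repo's sshd_config.  Assumed values:
# user "verify", jail /srv/glassbox-jail, WireGuard address 10.0.0.1.

# Layer 8: bind only to the WireGuard address, so the daemon and the UFW rule
# agree that SSH is unreachable from the public interface.
ListenAddress 10.0.0.1
PasswordAuthentication no
PermitRootLogin no

Match User verify
    # Layer 7: sshd chroots the session before anything else runs.  The jail
    # directory must be owned by root and not group- or world-writable, or
    # sshd refuses the login.
    ChrootDirectory /srv/glassbox-jail
    # Layer 6: every session, including "ssh host <cmd>" and sftp subsystem
    # requests, executes inspect-shell instead (the client's request is still
    # visible to it in SSH_ORIGINAL_COMMAND).  Because the chroot happens
    # first, inspect-shell and its interpreter must exist inside the jail.
    ForceCommand /usr/local/bin/inspect-shell
    # Close the bypass vectors listed under Red Team Status: no port, socket,
    # agent, X11 or tun forwarding, so the session cannot become a pivot.
    AllowTcpForwarding no
    AllowStreamLocalForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no
    PermitTTY yes
```

Check the effective configuration for the jailed user with sshd -T -C user=verify,host=client.example,addr=10.0.0.2 (after sshd -t for syntax), then confirm from a client that sftp verify@10.0.0.1 drops into inspect-shell rather than a file transfer and that ssh -N -L 8080:127.0.0.1:80 verify@10.0.0.1 is refused.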
Files in This Repo
| File | Server Path | Purpose |
|---|---|---|
| inspect-shell | /usr/local/bin/inspect-shell | The verify shell script |
| usr.local.bin.inspect-shell | /etc/apparmor.d/usr.local.bin.inspect-shell | AppArmor profile |
| glassbox-monitor.sh | /opt/glassbox-scripts/glassbox-monitor.sh | External session alert service |
| generate-security-reports.sh | /opt/glassbox-scripts/generate-security-reports.sh | Weekly security report generator |
| sshd_config | /etc/ssh/sshd_config | SSH daemon configuration |
Allowed Commands in the Verify Shell
| Command | Purpose |
|---|---|
| ls [path] | Directory listing |
| cat [file] | File contents |
| head [file] | First lines of file |
| tail [file] | Last lines of file |
| grep [pattern] [file] | Search file contents |
| wc [file] | Word/line count |
| uptime | System uptime |
| df -h | Disk usage |
| free -h | Memory usage |
| wg show | WireGuard status |
| systemctl status [service] | Service status |
| iptables -L | Firewall rules |
| ipset list | IP blocklist contents |
| uname -a | Kernel version |
| help | Show this help |
| exit / quit / q | End session |
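How the first three layers of the security model (command whitelist, injection filter, protected path filter) fit together around this command list, as an added example in POSIX sh. This is not the project's inspect-shell; the check_command and normalize_path functions, and the PROTECTED prefix list, are illustrative assumptions (the page does not publish which files are protected):

```sh
#!/bin/sh
# Added example of a verify-shell dispatcher; not the GlassBox inspect-shell.
# ALLOWED is the page's 16-command list; PROTECTED is an assumed prefix list.
ALLOWED="ls cat head tail grep wc uptime df free wg systemctl iptables ipset uname help exit quit q"
PROTECTED="/etc/shadow /etc/ssh /root /proc /sys"

# Canonicalise a path textually (collapse ., .. and //) without touching the
# filesystem.  Symlinks are deliberately not resolved here: a string filter is
# not a boundary, and bounding symlinks is the chroot's job.
normalize_path() {
  p=$1
  case $p in /*) ;; *) p="$PWD/$p" ;; esac
  out=""
  old_ifs=$IFS; IFS=/
  set -f                                  # no globbing while we split on /
  for seg in $p; do
    case $seg in
      ''|.) ;;                             # empty or "." segments vanish
      ..) out=${out%/*} ;;                 # ".." drops the last kept segment
      *) out="$out/$seg" ;;
    esac
  done
  set +f; IFS=$old_ifs
  printf '%s\n' "${out:-/}"
}

# Prints "allowed: <cmd> <args>" and returns 0, or prints the reason and
# returns 1.  Layer order: injection filter, whitelist, protected paths.
check_command() {
  line=$1
  # Layer 2, as a character allowlist rather than an operator denylist: after
  # deleting the permitted characters, anything left (; | & $ backticks, quotes,
  # parentheses, globs, newlines, control characters) rejects the line.
  rest=$(printf '%s' "$line" | LC_ALL=C tr -d 'A-Za-z0-9 ./_:=,+@-'; echo x)
  [ "$rest" = x ] || { echo "rejected: disallowed character"; return 1; }
  set -- $line                             # safe: no glob characters survive layer 2
  [ $# -gt 0 ] || { echo "rejected: empty line"; return 1; }
  cmd=$1; shift
  # Layer 1: the first word must be one of the 16 commands.
  case " $ALLOWED " in
    *" $cmd "*) ;;
    *) echo "rejected: command not allowed: $cmd"; return 1 ;;
  esac
  # Layer 3: canonicalise every non-option argument before comparing, so
  # ../ and // tricks cannot smuggle a protected name past a string match.
  for arg in "$@"; do
    case $arg in -*) continue ;; esac
    full=$(normalize_path "$arg")
    for prefix in $PROTECTED; do
      case $full in
        "$prefix"|"$prefix"/*) echo "rejected: protected path $full"; return 1 ;;
      esac
    done
  done
  echo "allowed: $cmd${1+ $*}"
}
```

The character allowlist is deliberately narrow: it refuses quotes, so grep patterns that need them would have to be admitted explicitly rather than by loosening the filter. The point of the three layers is that each can be wrong in isolation; a path that slips past the string check still has to exist inside the jail, pass AppArmor, and be readable at mode 600.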
Bug Bounty
Glass Box runs a $1,000 USD bounty challenge. Three files are protected on the server. Read any one of them through the verify shell and you win.
To request reviewer access, email glassbox@opensourcesecurity.net with the subject "Glass Box reviewer access."
Red Team Status
Glass Box has been through multiple rounds of red team testing:
- Attack 1: Skip found a /proc/thread-self filter bypass. Patched. Chroot held, no bounty files reached.
- Attack 2: Tux found a meta.json AIDE reporting bug. Patched. All SSH bypass vectors (sftp, ForceCommand, TCP tunneling) were tested and confirmed blocked.
- Attack 3: Skip found a hex-encoded grep filter bypass. Confirmed and patched. Chroot held, no bounty files reached.
Requirements
- Ubuntu 24.04 LTS (tested)
- WireGuard
- OpenSSH
- AppArmor
- Bash
Optional (for security reporting): AIDE, Lynis, rkhunter
Philosophy
"No one should ever ask for your trust. Trust is lazy and insecure."
Glass Box exists because VPN providers, hosting companies, and infrastructure operators should not ask customers to trust them. They should prove they have nothing to hide. Glass Box makes that proof possible.
License
Open source. BSD-2 Licensed.
Links
- Live instance: glassbox.oss-ops.net
- Security reports: glassbox.oss-ops.net/verify/
- Company: opensourcesecurity.net