diff --git a/.assets/lisplogo_128.png b/.assets/lisplogo_128.png new file mode 100644 index 0000000..c205b6d Binary files /dev/null and b/.assets/lisplogo_128.png differ diff --git a/README.org b/README.org index 7a669d3..f791afe 100644 --- a/README.org +++ b/README.org @@ -12,10 +12,14 @@ and an easy-to-use command-line interface. * Features - [X] Edit systemd files from the command-line - [X] =-b= backup flag to save .systemd files into LOCATION. -- [ ] =-s= security flag to apply quick configurations +- [X] =-s= security flag to apply quick configurations +- [ ] =-S= security flag for extreme security. +- [ ] =-n= security flag to block network reconfig - [ ] Default configurations for common services - [ ] Automatic Apache and Nginx =READWRITEPATHS= detection +[[file:.assets/lisplogo_128.png][Lisp logo]] + * Building The makefile is set up for steel bank common lisp, but it should be trivial to use another implementation that loads =asdf=. As of [2023-12-20] I have not knowingly used any sbcl-specific features. diff --git a/lib/preconfigs.lisp b/lib/preconfigs.lisp new file mode 100644 index 0000000..770c8d4 --- /dev/null +++ b/lib/preconfigs.lisp @@ -0,0 +1,13 @@ + + ; This file will contain prebaked settings designed to be dropped in. + +(in-package :sst-drop-ins) +(defparameter *security-drop-ins* + '("ProtectSystem=full" + "InaccessiblePaths=/etc/shadow" + "ProtectKernelLogs=true" + "ProtectKernelModules=true" + "ProtectKernelTunables=true" + "LockPersonality=true" + "ProtectControlGroups=true" + )) diff --git a/packages.lisp b/packages.lisp index 7e98a72..99db4a4 100644 --- a/packages.lisp +++ b/packages.lisp @@ -21,3 +21,7 @@ (defpackage :sst-edit (:use :common-lisp) (:export :add-settings)) + +(defpackage :sst-drop-ins + (:use :common-lisp) + (:export :*security-drop-ins*)) diff --git a/src/main.lisp b/src/main.lisp index e8fb89e..e0718c6 100644 --- a/src/main.lisp +++ b/src/main.lisp 
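Review bot: In lib/preconfigs.lisp, `"InaccessiblePaths=/etc/shadow"` is applied to every unit hardened with `-s`, so a service that authenticates users against the shadow file (a PAM-based daemon, for example) will stop working once the preset is written. systemd also fails the unit's namespace setup when a listed path does not exist unless the entry carries the `-` prefix, so `"InaccessiblePaths=-/etc/shadow"` is the safer spelling. The README should say which kinds of service the preset is not meant for. The list has no `NoNewPrivileges=true`, a common baseline directive that may be worth adding if it fits the intent of the quick configuration. `*security-drop-ins*` has no docstring; something like `"systemd directives written into the unit when the security flag is given, one KEY=VALUE string per entry."` would tell the next reader how the list is consumed.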
@@ -20,6 +20,8 @@ (uiop:copy-file file (merge-pathnames backup))) ;; Apply the settings to the file. (let ((settings-table (systemd-parse:read-service file))) + (if secure + (sst-edit:add-settings sst-drop-ins:*security-drop-ins* settings-table)) (sst-edit:add-settings direct-settings settings-table) ; Inject all the settings options required (systemd-parse:write-service file settings-table))) diff --git a/sst.asd b/sst.asd index 7cc2e1a..82338ec 100644 --- a/sst.asd +++ b/sst.asd @@ -23,7 +23,10 @@ (:file "ui") (:file "edit") (:file "main") - ))) + )) + (:module "lib" + :serial t + :components ((:file "preconfigs")))) :author "Judah Sotomayor " :maintainer "Judah Sotomayor " :license "GPLv3" diff --git a/test/test.service b/test/test.service index 0022703..87af863 100644 --- a/test/test.service +++ b/test/test.service @@ -12,12 +12,18 @@ Type=notify Sockets=dbus.socket OOMScoreAdjust=-900 LimitNOFILE=16384 -ProtectSystem=full +ProtectSystem=strict PrivateTmp=false PrivateDevices=true ExecStart=/usr/bin/dbus-broker-launch --scope system --audit ExecReload=/usr/bin/busctl call org.freedesktop.DBus /org/freedesktop/DBus org.freedesktop.DBus ReloadConfig NewBinding=Yes +InaccessiblePaths=/etc/shadow +ProtectKernelLogs=true +ProtectKernelModules=true +ProtectKernelTunables=true +LockPersonality=true +ProtectControlGroups=true [Install] Alias=dbus.service
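Review bot: In src/main.lisp the preset list is merged into the table parsed from the existing unit, so if `sst-edit:add-settings` overwrites keys that are already present (its body is not part of this diff), running with `secure` on a unit that already sets `ProtectSystem=strict` would lower it to the preset's `full`. Consider skipping preset keys the unit already defines, or at least documenting that the flag replaces existing values. Applying `direct-settings` afterwards lets explicit command-line settings win over the preset, which looks intended and deserves a comment such as `;; Presets first, so explicit settings override them.` The one-armed `if` reads better as `(when secure (sst-edit:add-settings sst-drop-ins:*security-drop-ins* settings-table))`. The enclosing function starts above this hunk.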
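Review bot: In sst.asd the new `"lib"` module is declared after the module that holds `main`, yet src/main.lisp now reads `sst-drop-ins:*security-drop-ins*`. If components are compiled in declaration order (the top of the `defsystem` form is outside this hunk), main.lisp is compiled before the `defparameter` has been seen and the compiler will likely report an undefined variable. Declaring `(:module "lib" ...)` ahead of that module, or giving the earlier module `:depends-on ("lib")`, keeps the preset defined before its first use. `:serial t` has no effect on a module with a single file and could be left out until more files are added.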