feat[lib,readme] Added -s flag

Added -s security flag. Added image to readme
2023-12-20 13:06:27 -05:00 · 2023-12-20 13:06:27 -05:00 · 31b4a31d60
commit 31b4a31d60
parent 99aa9bb433
7 changed files with 35 additions and 3 deletions
--- a/.assets/lisplogo_128.png
+++ b/.assets/lisplogo_128.png
--- a/README.org
+++ b/README.org
@ -12,10 +12,14 @@ and an easy-to-use command-line interface.
 * Features
 - [X] Edit systemd files from the command-line
 - [X] =-b= backup flag to save .systemd files into LOCATION.
- [ ] =-s= security flag to apply quick configurations
+- [X] =-s= security flag to apply quick configurations
 - [ ] =-S= security flag for extreme security.
 - [ ] =-n= security flag to block network reconfig
 - [ ] Default configurations for common services
 - [ ] Automatic Apache and Nginx =READWRITEPATHS= detection
 [[file:.assets/lisplogo_128.png][Lisp logo]]
 * Building
 The makefile is set up for steel bank common lisp, but it should be trivial to use another implementation that loads =asdf=.
 As of [2023-12-20] I have not knowingly used any sbcl-specific features.
--- a/lib/preconfigs.lisp
+++ b/lib/preconfigs.lisp
@ -0,0 +1,13 @@
                                        ; This file will contain prebaked settings designed to be dropped in.
 (in-package :sst-drop-ins)
 (defparameter *security-drop-ins*
  '("ProtectSystem=full"
    "InaccessiblePaths=/etc/shadow"
    "ProtectKernelLogs=true"
    "ProtectKernelModules=true"
    "ProtectKernelTunables=true"
    "LockPersonality=true"
    "ProtectControlGroups=true"
    ))
--- a/packages.lisp
+++ b/packages.lisp
@ -21,3 +21,7 @@
 (defpackage :sst-edit
  (:use :common-lisp)
  (:export :add-settings))
 (defpackage :sst-drop-ins
  (:use :common-lisp)
  (:export :*security-drop-ins*))
--- a/src/main.lisp
+++ b/src/main.lisp
@ -20,6 +20,8 @@
      (uiop:copy-file file (merge-pathnames backup)))
  ;; Apply the settings to the file.
  (let ((settings-table (systemd-parse:read-service file)))
    (if secure
        (sst-edit:add-settings sst-drop-ins:*security-drop-ins* settings-table))
    (sst-edit:add-settings direct-settings settings-table) ; Inject all the settings options required
    (systemd-parse:write-service file settings-table)))
--- a/sst.asd
+++ b/sst.asd
@ -23,7 +23,10 @@
                             (:file "ui")
                             (:file "edit")
                             (:file "main")
-                             )))
+                             ))
               (:module "lib"
                :serial t
                :components ((:file "preconfigs"))))
  :author "Judah Sotomayor <development@freedomland.xyz>"
  :maintainer "Judah Sotomayor <development@freedomland.xyz>"
  :license "GPLv3"
--- a/test/test.service
+++ b/test/test.service
@ -12,12 +12,18 @@ Type=notify
 Sockets=dbus.socket
 OOMScoreAdjust=-900
 LimitNOFILE=16384
-ProtectSystem=full
+ProtectSystem=strict
 PrivateTmp=false
 PrivateDevices=true
 ExecStart=/usr/bin/dbus-broker-launch --scope system --audit
 ExecReload=/usr/bin/busctl call org.freedesktop.DBus /org/freedesktop/DBus org.freedesktop.DBus ReloadConfig
 NewBinding=Yes
 InaccessiblePaths=/etc/shadow
 ProtectKernelLogs=true
 ProtectKernelModules=true
 ProtectKernelTunables=true
 LockPersonality=true
 ProtectControlGroups=true
 [Install]
 Alias=dbus.service