feat[lib,readme] Added -s flag

Added -s security flag. Added image to readme
2023-12-20 13:06:27 -05:00 · 2023-12-20 13:06:27 -05:00 · 31b4a31d60
commit 31b4a31d60
parent 99aa9bb433
7 changed files with 35 additions and 3 deletions
--- a/.assets/lisplogo_128.png
+++ b/.assets/lisplogo_128.png
--- a/README.org
+++ b/README.org
@ -12,10 +12,14 @@ and an easy-to-use command-line interface.
 * Features
 - [X] Edit systemd files from the command-line
 - [X] =-b= backup flag to save .systemd files into LOCATION.
- [ ] =-s= security flag to apply quick configurations
+- [X] =-s= security flag to apply quick configurations
+- [ ] =-S= security flag for extreme security.
+- [ ] =-n= security flag to block network reconfig
 - [ ] Default configurations for common services
 - [ ] Automatic Apache and Nginx =READWRITEPATHS= detection

+[[file:.assets/lisplogo_128.png][Lisp logo]]
+
 * Building
 The makefile is set up for steel bank common lisp, but it should be trivial to use another implementation that loads =asdf=.
 As of [2023-12-20] I have not knowingly used any sbcl-specific features.
--- a/lib/preconfigs.lisp
+++ b/lib/preconfigs.lisp
@ -0,0 +1,13 @@
+
+                                        ; This file will contain prebaked settings designed to be dropped in.
+
+(in-package :sst-drop-ins)
+(defparameter *security-drop-ins*
+  '("ProtectSystem=full"
+    "InaccessiblePaths=/etc/shadow"
+    "ProtectKernelLogs=true"
+    "ProtectKernelModules=true"
+    "ProtectKernelTunables=true"
+    "LockPersonality=true"
+    "ProtectControlGroups=true"
+    ))
--- a/packages.lisp
+++ b/packages.lisp
@ -21,3 +21,7 @@
 (defpackage :sst-edit
  (:use :common-lisp)
  (:export :add-settings))
+
+(defpackage :sst-drop-ins
+  (:use :common-lisp)
+  (:export :*security-drop-ins*))
--- a/src/main.lisp
+++ b/src/main.lisp
@ -20,6 +20,8 @@
      (uiop:copy-file file (merge-pathnames backup)))
  ;; Apply the settings to the file.
  (let ((settings-table (systemd-parse:read-service file)))
+    (if secure
+        (sst-edit:add-settings sst-drop-ins:*security-drop-ins* settings-table))
    (sst-edit:add-settings direct-settings settings-table) ; Inject all the settings options required
    (systemd-parse:write-service file settings-table)))

--- a/sst.asd
+++ b/sst.asd
@ -23,7 +23,10 @@
                             (:file "ui")
                             (:file "edit")
                             (:file "main")
-                             )))
+                             ))
+               (:module "lib"
+                :serial t
+                :components ((:file "preconfigs"))))
  :author "Judah Sotomayor <development@freedomland.xyz>"
  :maintainer "Judah Sotomayor <development@freedomland.xyz>"
  :license "GPLv3"
--- a/test/test.service
+++ b/test/test.service
@ -12,12 +12,18 @@ Type=notify
 Sockets=dbus.socket
 OOMScoreAdjust=-900
 LimitNOFILE=16384
-ProtectSystem=full
+ProtectSystem=strict
 PrivateTmp=false
 PrivateDevices=true
 ExecStart=/usr/bin/dbus-broker-launch --scope system --audit
 ExecReload=/usr/bin/busctl call org.freedesktop.DBus /org/freedesktop/DBus org.freedesktop.DBus ReloadConfig
 NewBinding=Yes
+InaccessiblePaths=/etc/shadow
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+LockPersonality=true
+ProtectControlGroups=true

 [Install]
 Alias=dbus.service