feat(deploy): systemd unit for decnet-reuse-correlator

Adds the systemd template for the credential-reuse correlator daemon and wires it into decnet.target so `decnet init` installs it automatically (the unit installer globs decnet-*.service.j2). Mirrors the mutator template: bus-woken Type=simple service with the standard hardening + on-failure restart. Also registers `reuse-correlator` in the in-process worker registry (so the dashboard panel surfaces its heartbeat instead of dropping it as unknown) and slots it into the start-all preferred order between mutator and webhook.
2026-04-26 04:29:10 -04:00
parent 5fb7ebe433
commit a455248dd9
4 changed files with 44 additions and 0 deletions
--- a/decnet/web/router/workers/api_start_all_workers.py
+++ b/decnet/web/router/workers/api_start_all_workers.py
@@ -25,6 +25,7 @@ _PREFERRED_ORDER: tuple[str, ...] = (
    "sniffer",
    "prober",
    "mutator",
+    "reuse-correlator",
    "webhook",
 )

--- a/decnet/web/worker_registry.py
+++ b/decnet/web/worker_registry.py
@@ -38,6 +38,7 @@ KNOWN_WORKERS: tuple[str, ...] = (
    "sniffer",
    "prober",
    "mutator",
+    "reuse-correlator",  # credential-reuse pass — bus-woken on credential.captured
    "webhook",    # external SIEM/SOAR egress — bus consumer → HMAC HTTP POSTs
    "agent",
    "forwarder",
--- a/deploy/decnet-reuse-correlator.service.j2
+++ b/deploy/decnet-reuse-correlator.service.j2
@@ -0,0 +1,41 @@
+[Unit]
+Description=DECNET Credential-Reuse Correlator (cross-target secret-reuse detection)
+Documentation=https://git.resacachile.cl/anti/DECNET/wiki/Workers#reuse-correlator
+After=network-online.target decnet-bus.service
+Wants=network-online.target decnet-bus.service
+
+[Service]
+Type=simple
+User={{ user }}
+Group={{ group }}
+WorkingDirectory={{ install_dir }}
+EnvironmentFile=-{{ install_dir }}/.env.local
+Environment=DECNET_SYSTEM_LOGS=/var/log/decnet/decnet.reuse-correlator.log
+# Subscribes to credential.captured and attacker.observed; falls back to
+# a 60s slow-tick poll when the bus is idle or unavailable. Publishes
+# credential.reuse.detected once per new/grown finding.
+ExecStart={{ venv_dir }}/bin/decnet reuse-correlate
+StandardOutput=append:/var/log/decnet/decnet.reuse-correlator.log
+StandardError=append:/var/log/decnet/decnet.reuse-correlator.log
+
+CapabilityBoundingSet=
+AmbientCapabilities=
+
+# Security Hardening
+NoNewPrivileges=yes
+ProtectSystem=full
+ProtectHome=read-only
+PrivateTmp=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectControlGroups=yes
+RestrictSUIDSGID=yes
+LockPersonality=yes
+ReadWritePaths={{ install_dir }} /var/log/decnet
+
+Restart=on-failure
+RestartSec=5
+TimeoutStopSec=15
+
+[Install]
+WantedBy=multi-user.target
--- a/deploy/decnet.target
+++ b/deploy/decnet.target
@@ -13,6 +13,7 @@ Wants=decnet-bus.service \
      decnet-sniffer.service \
      decnet-prober.service \
      decnet-mutator.service \
+      decnet-reuse-correlator.service \
      decnet-webhook.service
 After=decnet-bus.service