From a455248dd98ac685034994bfd1ae0c62f3c732f9 Mon Sep 17 00:00:00 2001
From: anti
Date: Sun, 26 Apr 2026 04:29:10 -0400
Subject: [PATCH] feat(deploy): systemd unit for decnet-reuse-correlator

Adds the systemd template for the credential-reuse correlator daemon and wires it into decnet.target so `decnet init` installs it automatically (the unit installer globs decnet-*.service.j2). Mirrors the mutator template: bus-woken Type=simple service with the standard hardening + on-failure restart. Also registers `reuse-correlator` in the in-process worker registry (so the dashboard panel surfaces its heartbeat instead of dropping it as unknown) and slots it into the start-all preferred order between mutator and webhook.
---
 .../router/workers/api_start_all_workers.py | 1 +
 decnet/web/worker_registry.py | 1 +
 deploy/decnet-reuse-correlator.service.j2 | 41 +++++++++++++++++++
 deploy/decnet.target | 1 +
 4 files changed, 44 insertions(+)
 create mode 100644 deploy/decnet-reuse-correlator.service.j2

diff --git a/decnet/web/router/workers/api_start_all_workers.py b/decnet/web/router/workers/api_start_all_workers.py
index bc61a1fe..2177405d 100644
--- a/decnet/web/router/workers/api_start_all_workers.py
+++ b/decnet/web/router/workers/api_start_all_workers.py
@@ -25,6 +25,7 @@ _PREFERRED_ORDER: tuple[str, ...] = (
     "sniffer",
     "prober",
     "mutator",
+    "reuse-correlator",
     "webhook",
 )
diff --git a/decnet/web/worker_registry.py b/decnet/web/worker_registry.py
index 38e4e5d5..e823f307 100644
--- a/decnet/web/worker_registry.py
+++ b/decnet/web/worker_registry.py
@@ -38,6 +38,7 @@ KNOWN_WORKERS: tuple[str, ...] = (
     "sniffer",
     "prober",
     "mutator",
+    "reuse-correlator",  # credential-reuse pass — bus-woken on credential.captured
     "webhook",  # external SIEM/SOAR egress — bus consumer → HMAC HTTP POSTs
     "agent",
     "forwarder",
diff --git a/deploy/decnet-reuse-correlator.service.j2 b/deploy/decnet-reuse-correlator.service.j2
new file mode 100644
index 00000000..23f78988
--- /dev/null
+++ b/deploy/decnet-reuse-correlator.service.j2
@@ -0,0 +1,41 @@
+[Unit]
+Description=DECNET Credential-Reuse Correlator (cross-target secret-reuse detection)
+Documentation=https://git.resacachile.cl/anti/DECNET/wiki/Workers#reuse-correlator
+After=network-online.target decnet-bus.service
+Wants=network-online.target decnet-bus.service
+
+[Service]
+Type=simple
+User={{ user }}
+Group={{ group }}
+WorkingDirectory={{ install_dir }}
+EnvironmentFile=-{{ install_dir }}/.env.local
+Environment=DECNET_SYSTEM_LOGS=/var/log/decnet/decnet.reuse-correlator.log
+# Subscribes to credential.captured and attacker.observed; falls back to
+# a 60s slow-tick poll when the bus is idle or unavailable. Publishes
+# credential.reuse.detected once per new/grown finding.
+ExecStart={{ venv_dir }}/bin/decnet reuse-correlate
+StandardOutput=append:/var/log/decnet/decnet.reuse-correlator.log
+StandardError=append:/var/log/decnet/decnet.reuse-correlator.log
+
+CapabilityBoundingSet=
+AmbientCapabilities=
+
+# Security Hardening
+NoNewPrivileges=yes
+ProtectSystem=full
+ProtectHome=read-only
+PrivateTmp=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectControlGroups=yes
+RestrictSUIDSGID=yes
+LockPersonality=yes
+ReadWritePaths={{ install_dir }} /var/log/decnet
+
+Restart=on-failure
+RestartSec=5
+TimeoutStopSec=15
+
+[Install]
+WantedBy=multi-user.target
diff --git a/deploy/decnet.target b/deploy/decnet.target
index 7e25a177..5b51ccbe 100644
--- a/deploy/decnet.target
+++ b/deploy/decnet.target
@@ -13,6 +13,7 @@ Wants=decnet-bus.service \
     decnet-sniffer.service \
     decnet-prober.service \
     decnet-mutator.service \
+    decnet-reuse-correlator.service \
     decnet-webhook.service
 After=decnet-bus.service
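Review bot: The `"reuse-correlator"` entry added to `_PREFERRED_ORDER` is the third hand-maintained copy of the worker list this commit touches — `KNOWN_WORKERS` in decnet/web/worker_registry.py and the `Wants=` list in deploy/decnet.target carry the same name — and nothing visible in either hunk checks that they agree, so a name added to one list and mistyped in another would be silently skipped by start-all or reported as unknown by the registry. A one-line import-time check in api_start_all_workers.py that every name in `_PREFERRED_ORDER` is also in `KNOWN_WORKERS` (raising rather than `assert`, which `-O` strips) would catch that; whether the module already imports the registry I can't tell from the hunk. `_PREFERRED_ORDER` opens just above its hunk, and `KNOWN_WORKERS` continues past the end of its hunk.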
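Review bot: `ReadWritePaths={{ install_dir }}` near the end of the hardening block makes the whole install tree writable by `{{ user }}` — that tree holds the `.env.local` read by `EnvironmentFile=` and, if `{{ venv_dir }}` is under it, the `decnet` executable itself — so `ProtectSystem=full` does not stop a compromised correlator from rewriting its own code or secrets. If the worker only needs a state location and the log directory, `ProtectSystem=strict` with `StateDirectory=` and `LogsDirectory=decnet` (which also creates `/var/log/decnet` with the right owner instead of assuming it exists) is the tighter shape; I can't tell from the unit what the correlator actually writes under the install dir, so confirm before narrowing. Since this worker neither captures packets nor needs device access, `PrivateDevices=yes`, `RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6` and `SystemCallFilter=@system-service` apply here even if the mutator template it mirrors omits them. Separately, `StandardOutput=append:` targets the same file as `DECNET_SYSTEM_LOGS`; if the process also opens that path itself, two writers will interleave in one log.
```ini
# … unchanged: [Unit] section, Type/User/Group/WorkingDirectory/EnvironmentFile/ExecStart/log lines …
# Security Hardening
ProtectSystem=strict
PrivateDevices=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
SystemCallFilter=@system-service
SystemCallArchitectures=native
# … unchanged: NoNewPrivileges/ProtectHome/PrivateTmp/ProtectKernel*/ProtectControlGroups/RestrictSUIDSGID/LockPersonality …
# Replaces ReadWritePaths={{ install_dir }} /var/log/decnet — TODO(review): confirm the
# correlator writes nothing under the install dir before dropping it from the writable set.
StateDirectory=decnet
LogsDirectory=decnet
# … unchanged: Restart/RestartSec/TimeoutStopSec, [Install] …
```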