feat(deploy): systemd unit for decnet-reuse-correlator
Adds the systemd template for the credential-reuse correlator daemon and wires it into decnet.target so `decnet init` installs it automatically (the unit installer globs decnet-*.service.j2). Mirrors the mutator template: bus-woken Type=simple service with the standard hardening + on-failure restart. Also registers `reuse-correlator` in the in-process worker registry (so the dashboard panel surfaces its heartbeat instead of dropping it as unknown) and slots it into the start-all preferred order between mutator and webhook.
@@ -25,6 +25,7 @@ _PREFERRED_ORDER: tuple[str, ...] = (
|
|||||||
"sniffer",
|
"sniffer",
|
||||||
"prober",
|
"prober",
|
||||||
"mutator",
|
"mutator",
|
||||||
|
"reuse-correlator",
|
||||||
"webhook",
|
"webhook",
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|||||||
@@ -38,6 +38,7 @@ KNOWN_WORKERS: tuple[str, ...] = (
|
|||||||
"sniffer",
|
"sniffer",
|
||||||
"prober",
|
"prober",
|
||||||
"mutator",
|
"mutator",
|
||||||
|
"reuse-correlator", # credential-reuse pass — bus-woken on credential.captured
|
||||||
"webhook", # external SIEM/SOAR egress — bus consumer → HMAC HTTP POSTs
|
"webhook", # external SIEM/SOAR egress — bus consumer → HMAC HTTP POSTs
|
||||||
"agent",
|
"agent",
|
||||||
"forwarder",
|
"forwarder",
|
||||||
|
|||||||
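Review bot: The comment added on `"reuse-correlator"` names only credential.captured as the wake source, while the unit template in this same commit says the worker subscribes to credential.captured and attacker.observed and falls back to a 60s slow-tick poll. An operator reading the registry to understand when reuse detection runs gets an incomplete picture; suggest `# credential-reuse pass — bus-woken on credential.captured / attacker.observed, 60s poll fallback`. The KNOWN_WORKERS tuple continues outside this hunk.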
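--- a/deploy/decnet-reuse-correlator.service.j2
+++ b/deploy/decnet-reuse-correlator.service.j2
@@ -0,0 +1,41 @@
+[Unit]
+Description=DECNET Credential-Reuse Correlator (cross-target secret-reuse detection)
+Documentation=https://git.resacachile.cl/anti/DECNET/wiki/Workers#reuse-correlator
+After=network-online.target decnet-bus.service
+Wants=network-online.target decnet-bus.service
+
+[Service]
+Type=simple
+User={{ user }}
+Group={{ group }}
+WorkingDirectory={{ install_dir }}
+EnvironmentFile=-{{ install_dir }}/.env.local
+Environment=DECNET_SYSTEM_LOGS=/var/log/decnet/decnet.reuse-correlator.log
+# Subscribes to credential.captured and attacker.observed; falls back to
+# a 60s slow-tick poll when the bus is idle or unavailable. Publishes
+# credential.reuse.detected once per new/grown finding.
+ExecStart={{ venv_dir }}/bin/decnet reuse-correlate
+StandardOutput=append:/var/log/decnet/decnet.reuse-correlator.log
+StandardError=append:/var/log/decnet/decnet.reuse-correlator.log
+
+CapabilityBoundingSet=
+AmbientCapabilities=
+
+# Security Hardening
+NoNewPrivileges=yes
+ProtectSystem=full
+ProtectHome=read-only
+PrivateTmp=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectControlGroups=yes
+RestrictSUIDSGID=yes
+LockPersonality=yes
+ReadWritePaths={{ install_dir }} /var/log/decnet
+
+Restart=on-failure
+RestartSec=5
+TimeoutStopSec=15
+
+[Install]
+WantedBy=multi-user.target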
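Review bot: `ProtectSystem=full` only makes /usr, /boot, /efi and /etc read-only, so `ReadWritePaths={{ install_dir }} /var/log/decnet` restricts little unless `{{ install_dir }}` lies under one of those or under /home; a daemon that parses attacker-supplied credentials can therefore write to its whole install tree, including the `.env.local` it loads and, if `{{ venv_dir }}` sits under `{{ install_dir }}`, the code that `ExecStart` runs. Consider `ProtectSystem=strict` with the write list narrowed to what the correlator actually writes, e.g. `ReadWritePaths=/var/log/decnet {{ install_dir }}/<state-subdir>` (placeholder; the real state path is not visible on this page). The description says this mirrors the mutator template, so the same change likely applies to the sibling units. `PrivateDevices=yes` and `RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6` would also fit a bus-and-network-only worker, assuming it needs no other socket families.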
@@ -13,6 +13,7 @@ Wants=decnet-bus.service \
|
|||||||
decnet-sniffer.service \
|
decnet-sniffer.service \
|
||||||
decnet-prober.service \
|
decnet-prober.service \
|
||||||
decnet-mutator.service \
|
decnet-mutator.service \
|
||||||
|
decnet-reuse-correlator.service \
|
||||||
decnet-webhook.service
|
decnet-webhook.service
|
||||||
After=decnet-bus.service
|
After=decnet-bus.service
|
||||||
|
|
||||||
|
|||||||