3b047b680a
- Use two separate //go:generate directives (Ja4Tc for tc_capture.c, Ja4Ssl
for uprobe_ssl.c) to avoid duplicate LICENSE symbol and multi-file clang issue
- Update loader.go to hold tcObjs/sslObjs separately with correct field names:
UprobeSslSetFd, UprobeSslReadEntry, UretprobeSslReadExit,
KprobeAccept4Entry, KretprobeAccept4Exit
- Add systemd-rpm-macros to all three RPM build stages (el8/el9/el10)
so that %{_unitdir} macro resolves correctly
- RPMs now build successfully for el8, el9, el10
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
42 lines
972 B
Desktop File
42 lines
972 B
Desktop File
[Unit]
|
|
Description=JA4 client fingerprinting daemon
|
|
Documentation=https://github.com/your-repo/ja4sentinel
|
|
After=network.target
|
|
Wants=network-online.target
|
|
|
|
[Service]
|
|
Type=notify
|
|
User=root
|
|
Group=root
|
|
WorkingDirectory=/var/lib/ja4sentinel
|
|
ExecStart=/usr/bin/ja4sentinel --config /etc/ja4sentinel/config.yml
|
|
ExecReload=/bin/kill -HUP $MAINPID
|
|
Restart=on-failure
|
|
RestartSec=5
|
|
WatchdogSec=30
|
|
TimeoutStopSec=2
|
|
NotifyAccess=main
|
|
|
|
# Security hardening (compatible with root for packet capture)
|
|
ProtectSystem=strict
|
|
ProtectHome=yes
|
|
PrivateTmp=yes
|
|
ProtectKernelTunables=yes
|
|
ProtectKernelModules=yes
|
|
ProtectControlGroups=yes
|
|
RestrictRealtime=yes
|
|
RestrictSUIDSGID=yes
|
|
LockPersonality=yes
|
|
ReadWritePaths=/var/lib/ja4sentinel /var/log/ja4sentinel
|
|
|
|
# Capabilities for packet capture (inherited by root)
|
|
AmbientCapabilities=CAP_NET_RAW CAP_NET_ADMIN
|
|
CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN
|
|
|
|
# Resource limits
|
|
LimitNOFILE=65536
|
|
LimitNPROC=64
|
|
|
|
[Install]
|
|
WantedBy=multi-user.target
|