b137b3df85
Some checks failed
Build RPM Package / Build RPM Packages (CentOS 7, Rocky 8/9/10) (push) Has been cancelled
- Change systemd service to run as root instead of ja4sentinel user - Remove user/group creation from RPM spec (%pre script) - Update %post to set root:root ownership on directories - Adjust security hardening for root execution (ProtectSystem=strict) - Add ReadWritePaths for writable directories Fixes: systemd error 'Failed at step USER spawning /usr/bin/ja4sentinel: No such process' Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
39 lines
926 B
Desktop File
39 lines
926 B
Desktop File
[Unit]
|
|
Description=JA4 client fingerprinting daemon
|
|
Documentation=https://github.com/your-repo/ja4sentinel
|
|
After=network.target
|
|
Wants=network-online.target
|
|
|
|
[Service]
|
|
Type=simple
|
|
User=root
|
|
Group=root
|
|
WorkingDirectory=/var/lib/ja4sentinel
|
|
ExecStart=/usr/bin/ja4sentinel --config /etc/ja4sentinel/config.yml
|
|
Restart=on-failure
|
|
RestartSec=5
|
|
Environment=JA4SENTINEL_LOG_LEVEL=info
|
|
|
|
# Security hardening (compatible with root for packet capture)
|
|
ProtectSystem=strict
|
|
ProtectHome=yes
|
|
PrivateTmp=yes
|
|
ProtectKernelTunables=yes
|
|
ProtectKernelModules=yes
|
|
ProtectControlGroups=yes
|
|
RestrictRealtime=yes
|
|
RestrictSUIDSGID=yes
|
|
LockPersonality=yes
|
|
ReadWritePaths=/var/lib/ja4sentinel /var/log/ja4sentinel
|
|
|
|
# Capabilities for packet capture (inherited by root)
|
|
AmbientCapabilities=CAP_NET_RAW CAP_NET_ADMIN
|
|
CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN
|
|
|
|
# Resource limits
|
|
LimitNOFILE=65536
|
|
LimitNPROC=64
|
|
|
|
[Install]
|
|
WantedBy=multi-user.target
|