From 05ec7abf6fc9a0cfdb87171254687087b04ba4f5 Mon Sep 17 00:00:00 2001
From: 13621
Date: Sun, 22 Dec 2024 21:37:48 +0100
Subject: [PATCH] soarca: init at 1.1.0-beta-1-unstable-2024-12-19
---
 .../manual/release-notes/rl-2505.section.md | 2 +
 nixos/modules/module-list.nix | 1 +
 nixos/modules/services/security/soarca.nix | 117 ++++++++++++++++++
 nixos/tests/all-tests.nix | 1 +
 nixos/tests/soarca.nix | 22 ++++
 pkgs/by-name/so/soarca/package.nix | 71 +++++++++++
 6 files changed, 214 insertions(+)
 create mode 100644 nixos/modules/services/security/soarca.nix
 create mode 100644 nixos/tests/soarca.nix
 create mode 100644 pkgs/by-name/so/soarca/package.nix
diff --git a/nixos/doc/manual/release-notes/rl-2505.section.md b/nixos/doc/manual/release-notes/rl-2505.section.md
index fcbb79618dcfc..dc9422e2d58be 100644
--- a/nixos/doc/manual/release-notes/rl-2505.section.md
+++ b/nixos/doc/manual/release-notes/rl-2505.section.md
@@ -44,6 +44,8 @@
 - [Whoogle Search](https://github.com/benbusby/whoogle-search), a self-hosted, ad-free, privacy-respecting metasearch engine. Available as [services.whoogle-search](options.html#opt-services.whoogle-search.enable).
+- [SOARCA](https://github.com/COSSAS/SOARCA), an open source CACAO-based security orchestrator. Available as [services.soarca](options.html#opt-services.soarca.enable).
+
 - [agorakit](https://github.com/agorakit/agorakit), an organization tool for citizens' collectives. Available with [services.agorakit](options.html#opt-services.agorakit.enable).
 - [waagent](https://github.com/Azure/WALinuxAgent), the Microsoft Azure Linux Agent (waagent) manages Linux provisioning and VM interaction with the Azure Fabric Controller. Available with [services.waagent](options.html#opt-services.waagent.enable).
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index 2bfb963c19dfc..93ee9e75f24af 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -1365,6 +1365,7 @@
 ./services/security/physlock.nix
 ./services/security/shibboleth-sp.nix
 ./services/security/sks.nix
+ ./services/security/soarca.nix
 ./services/security/sshguard.nix
 ./services/security/sslmate-agent.nix
 ./services/security/step-ca.nix
diff --git a/nixos/modules/services/security/soarca.nix b/nixos/modules/services/security/soarca.nix
new file mode 100644
index 0000000000000..5f95d758be13b
--- /dev/null
+++ b/nixos/modules/services/security/soarca.nix
@@ -0,0 +1,117 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+
+let
+ cfg = config.services.soarca;
+in
+{
+ options.services.soarca = {
+ enable = lib.mkEnableOption "SOARCA";
+ package = lib.mkPackageOption pkgs "soarca" { };
+
+ settings = lib.mkOption {
+ type = lib.types.submodule {
+ freeformType =
+ with lib.types;
+ attrsOf (
+ nullOr (oneOf [
+ bool
+ int
+ str
+ ])
+ );
+ options = { };
+ };
+ default = { };
+ example = {
+ PORT = 9000;
+ GIN_MODE = "release";
+ DATABASE = false;
+ };
+ description = ''
+ See [the wiki](https://cossas.github.io/SOARCA/docs/installation-configuration/) for available settings.
+ '';
+ };
+
+ user = lib.mkOption {
+ type = lib.types.str;
+ default = "soarca";
+ description = "User under which SOARCA will run.";
+ };
+
+ group = lib.mkOption {
+ type = lib.types.str;
+ default = "soarca";
+ description = "Group under which SOARCA will run.";
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ systemd.packages = [ cfg.package ];
+
+ systemd.services.soarca = {
+ description = "SOARCA Service";
+ wantedBy = [ "multi-user.target" ];
+ restartIfChanged = true;
+
+ environment = lib.mapAttrs (
+ _: v: if lib.isBool v then lib.boolToString v else toString v
+ ) cfg.settings;
+
+ serviceConfig = {
+ User = cfg.user;
+ Group = cfg.group;
+ ExecStart = "${lib.getExe cfg.package}";
+ Restart = "on-failure";
+ RestartSec = "5";
+
+ # hardening
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ NoNewPrivileges = true;
+ PrivateDevices = true;
+ PrivateTmp = true;
+ PrivateUsers = true;
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ ProtectSystem = "strict";
+ ProtectHome = "true";
+ ProtectProc = "invisible";
+ SystemCallArchitectures = "native";
+ SystemCallFilter = [
+ "~@clock @swap @reboot @raw-io @privileged @obsolete @mount @module @debug @cpu-emulation"
+ ];
+ CapabilityBoundingSet = [ "" ];
+ RestrictNamespaces = true;
+ ProcSubset = "pid";
+ RestrictAddressFamilies = [
+ "AF_INET"
+ "AF_INET6"
+ ];
+ };
+ };
+
+ users.users = lib.optionalAttrs (cfg.user == "soarca") {
+ soarca = {
+ group = cfg.group;
+ isNormalUser = true;
+ };
+ };
+
+ users.groups = lib.optionalAttrs (cfg.group == "soarca") {
+ soarca = { };
+ };
+ };
+
+ meta.maintainers = with lib.maintainers; [ _13621 ];
+}
diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
index 516ab9f84e126..5fca08cf91d05 100644
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -949,6 +949,7 @@ in {
 snapper = handleTest ./snapper.nix {};
 snipe-it = runTest ./web-apps/snipe-it.nix;
 soapui = handleTest ./soapui.nix {};
+ soarca = handleTest ./soarca.nix {};
 soft-serve = handleTest ./soft-serve.nix {};
 sogo = handleTest ./sogo.nix {};
 soju = handleTest ./soju.nix {};
diff --git a/nixos/tests/soarca.nix b/nixos/tests/soarca.nix
new file mode 100644
index 0000000000000..d7a8db19775b9
--- /dev/null
+++ b/nixos/tests/soarca.nix
@@ -0,0 +1,22 @@
+import ./make-test-python.nix (
+ { lib, pkgs, ... }:
+ {
+ name = "soarca";
+ meta.maintainers = with lib.maintainers; [ _13621 ];
+
+ nodes.machine = {
+ services.soarca = {
+ package = pkgs.soarca;
+ enable = true;
+ settings.PORT = 8475;
+ };
+ };
+
+ testScript = ''
+ machine.wait_for_unit("soarca.service")
+ machine.wait_for_open_port(8475)
+
+ machine.succeed("curl --fail http://localhost:8475/status/ping | grep 'pong'")
+ '';
+ }
+)
diff --git a/pkgs/by-name/so/soarca/package.nix b/pkgs/by-name/so/soarca/package.nix
new file mode 100644
index 0000000000000..276962e6bf028
--- /dev/null
+++ b/pkgs/by-name/so/soarca/package.nix
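Review bot: The `users.users.soarca` definition near the end of the soarca.nix hunk declares the daemon account with `isNormalUser = true`, which in NixOS means a UID from the normal-user range, a created `/home/soarca` and the default login shell — none of which a service that only needs to own its process should have; it should read `isSystemUser = true;` alongside the existing `group = cfg.group;`. A second concern is that every key in `settings` is turned into an `Environment=` line of the generated unit (the `environment = lib.mapAttrs …` block earlier in the hunk), and that unit is a world-readable file in the Nix store, so any credential an operator passes this way (for example database credentials, if SOARCA reads them from the variables the linked wiki lists) is exposed to every local user; an `environmentFile` option wired to `EnvironmentFile=` or `LoadCredential=` would give a safe path, and the `settings` description should warn `Values are written to the world-readable unit file; do not put secrets here.`. Finally, `toString null` yields `""`, so a setting explicitly set to `null` exports an empty variable instead of being omitted; leaving `null` values untouched in the `mapAttrs` lambda would let systemd's `environment` option drop them, which I believe is what that option does with `null` — worth confirming.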
@@ -0,0 +1,71 @@
+{
+ lib,
+ buildGoModule,
+ fetchFromGitHub,
+ go-swag,
+ nixosTests,
+ nix-update-script,
+}:
+
+buildGoModule {
+ pname = "soarca";
+ version = "1.1.0-beta-1-unstable-2024-12-19";
+
+ src = fetchFromGitHub {
+ owner = "COSSAS";
+ repo = "SOARCA";
+ rev = "fe560ac6d5c7b372c81cec16937782758a089f26";
+ hash = "sha256-4QN6zx2TajUIERH+YqmuNUb/ZbJHUWKrHdrOiyHXsWc=";
+ };
+
+ vendorHash = "sha256-pATXKcPbAvh8Hsa3v2TkQq8AqN+RVNirT1OegdShWwQ=";
+
+ ldflags = [
+ "-s"
+ "-w"
+ ];
+
+ preBuild = ''
+ mkdir -p api
+ ${lib.getExe go-swag} init -g cmd/soarca/main.go -o api
+ '';
+
+ checkFlags =
+ let
+ skippedTests = [
+ # require internet access
+ "TestHttpConnection"
+ "TestHttpOAuth2"
+ "TestHttpBasicAuth"
+ "TestHttpBearerToken"
+ "TestHttpPostWithContentConnection"
+ "TestHttpPostWithBase64ContentConnection"
+ "TestHttpPostConnection"
+ "TestHttpPutConnection"
+ "TestHttpDeleteConnection"
+ "TestHttpStatus200"
+ "TestHttpGetConnection"
+ "TestInsecureHTTPConnection"
+ "TestSshConnection"
+ "TestConnect" # times out
+ # integrations
+ "TestPowershellConnection"
+ "TestTheHiveConnection"
+ "TestTheHiveReporting"
+ ];
+ in
+ [ "-skip=^${builtins.concatStringsSep "$|^" skippedTests}$" ];
+
+ passthru = {
+ tests.soarca = nixosTests.soarca;
+ updateScript = nix-update-script { };
+ };
+
+ meta = {
+ description = "Open Source CACAO-based Security Orchestrator";
+ homepage = "https://github.com/COSSAS/SOARCA";
+ license = lib.licenses.asl20;
+ maintainers = with lib.maintainers; [ _13621 ];
+ mainProgram = "soarca";
+ };
+}
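Review bot: `updateScript = nix-update-script { };` in `passthru` is paired with an `-unstable-` version that pins a raw commit (`rev = "fe560ac…"`), but nix-update with no arguments resolves the newest tag, so on a `1.1.0-beta-1-unstable-2024-12-19` package it can "update" the rev and both hashes back to the tagged pre-release instead of following the branch. If the intent is to track upstream's branch until a usable release exists, the usual form is `updateScript = nix-update-script { extraArgs = [ "--version=branch" ]; };`; if the intent is to move to tags as soon as one is newer, a comment saying so next to the version would save the next updater a surprise. I cannot see upstream's tag history from this patch, so confirm which behaviour is wanted before merging.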