Add sandbox column and security-based service status

Add new "SB" column to services widget showing systemd sandboxing status.
Service status now reflects security posture with unsandboxed services
showing as degraded/warning status.

Changes:
- Add is_sandboxed field to ServiceData and ServiceInfo structs
- Add check_service_sandbox method detecting systemd hardening features
- Add format_sandbox_value function showing "yes"/"no" for sandboxing
- Update service status determination to consider sandbox status:
  - Sandboxed + Running = "Running" (green/ok)
  - Unsandboxed + Running = "Degraded" (yellow/warning)
  - Failed services = "Stopped" (red/critical)
- Add "SB" column header to services widget

Services without proper NixOS hardening (PrivateTmp, ProtectSystem, etc.)
now show warning status to highlight security concerns.
2025-10-14 11:18:07 +02:00
parent 17dda1ae67
commit 4fa2b079f1
3 changed files with 124 additions and 23 deletions

@@ -119,6 +119,8 @@ pub struct ServiceInfo {
#[serde(default)]
pub disk_quota_gb: f32,
#[serde(default)]
pub is_sandboxed: bool,
#[serde(default)]
pub description: Option<Vec<String>>,
#[serde(default)]
pub sub_service: Option<String>,
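
Review bot: `#[serde(default)]` on `pub is_sandboxed: bool` makes a missing field deserialize to `false`, so a payload that never carried the field (for example from an agent built before this commit) is indistinguishable from a service that was checked and found unsandboxed. Given the status mapping in the commit message, every running service in such a payload would then show as "Degraded". Consider `Option<bool>` so "not reported" stays distinct from "no", and have the status logic and the "SB" column treat `None` as unknown rather than as a warning. The field also has no doc comment; a line stating which systemd hardening directives must be present for it to be `true` would help readers of the struct, since the commit message only names PrivateTmp and ProtectSystem followed by "etc.".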