refactor: service installation for isolation and security; add uninstaller

- Run Linux EDR under dedicated 'linux-edr' user and group
- Install package into isolated uv virtual environment at /opt/linux-edr
- Update systemd service to use non-root user, set custom PATH and working directory
- Enable key syscall tracepoints on service start
- Restrict file access and add necessary capabilities (CAP_DAC_OVERRIDE, CAP_SYS_ADMIN)
- Ensure proper ownership and permissions for log and config directories
- Add uninstall_service.sh script for clean removal of service and data

Author: scc-tw

install_service.sh

@@ -22,25 +22,40 @@ if [ ! -f /usr/bin/uv ]; then
   ln -sf $(which uv) /usr/bin/uv
 fi
 
-# Install the Python package in development mode
-echo "Installing Linux EDR Python package..."
-uv pip install -e .
+# Create service user and group
+echo "Creating service user..."
+useradd -r -s /sbin/nologin linux-edr || true
 
-# Create log directory
+# Create virtual environment directory and venv
+VENV_DIR="/opt/linux-edr"
+if [ ! -d "$VENV_DIR" ]; then
+  echo "Creating virtual environment with uv..."
+  mkdir -p "$VENV_DIR"
+  uv venv "$VENV_DIR"
+fi
+
+# copy this all to VENV_DIR
+cp -r . "$VENV_DIR"
+
+# Install the Python package into the venv using its uv
+echo "Installing Linux EDR Python package into virtual environment..."
+uv pip install .
+
+# Create log directory and set permissions
 echo "Creating log directory..."
 mkdir -p /var/log/linux-edr
+chown linux-edr:linux-edr /var/log/linux-edr
 chmod 750 /var/log/linux-edr
 
-# Copy service file to systemd directory
-echo "Installing systemd service..."
-cp linux-edr.service /etc/systemd/system/
-
 # Create default config directory if it doesn't exist
 mkdir -p /etc/linux_edr
+chown linux-edr:linux-edr /etc/linux_edr
 
 # Copy default config and update with OpenAI API key
 echo "Installing configuration..."
 cp linux_edr/config.ini /etc/linux_edr/
+chown linux-edr:linux-edr /etc/linux_edr/config.ini
+chmod 600 /etc/linux_edr/config.ini
 
 # Prompt for OpenAI API key
 echo ""
@@ -51,9 +66,12 @@ if [ ! -z "$api_key" ]; then
   # Update the config file with the API key
   echo "Setting OpenAI API key in config file..."
   sed -i "s/^api_key =.*/api_key = $api_key/" /etc/linux_edr/config.ini
-  chmod 600 /etc/linux_edr/config.ini
 fi
 
+# Copy service file to systemd directory
+echo "Installing systemd service..."
+cp linux-edr.service /etc/systemd/system/
+
 # Reload systemd
 systemctl daemon-reload
 
@@ -64,5 +82,8 @@ echo ""
 echo "To check status:"
 echo "  systemctl status linux-edr.service"
 echo ""
+echo "To view logs:"
+echo "  journalctl -u linux-edr.service -f"
+echo ""
 echo "Configuration file is at /etc/linux_edr/config.ini"
 echo "Note: The config file permissions are set to 600 to protect the API key" 

linux-edr.service

@@ -4,19 +4,32 @@ After=network.target
 
 [Service]
 Type=simple
-User=root
+User=linux-edr
+Group=linux-edr
+Environment="PYTHONUNBUFFERED=1"
+Environment="PATH=/opt/linux-edr/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+WorkingDirectory=/opt/linux-edr
 ExecStartPre=/bin/sh -c 'echo 1 > /sys/kernel/tracing/events/syscalls/sys_enter_execve/enable'
-ExecStart=/usr/bin/uv run python -m linux_edr.cli run --output /var/log/linux-edr/reports.jsonl
+ExecStartPre=/bin/sh -c 'echo 1 > /sys/kernel/tracing/events/syscalls/sys_exit_execve/enable'
+ExecStartPre=/bin/sh -c 'echo 1 > /sys/kernel/tracing/events/syscalls/sys_enter_fork/enable'
+ExecStartPre=/bin/sh -c 'echo 1 > /sys/kernel/tracing/events/syscalls/sys_exit_fork/enable'
+ExecStartPre=/bin/sh -c 'echo 1 > /sys/kernel/tracing/events/syscalls/sys_enter_clone/enable'
+ExecStartPre=/bin/sh -c 'echo 1 > /sys/kernel/tracing/events/syscalls/sys_exit_clone/enable'
+ExecStartPre=/bin/sh -c 'echo 1 > /sys/kernel/tracing/events/syscalls/sys_enter_connect/enable'
+ExecStartPre=/bin/sh -c 'echo 1 > /sys/kernel/tracing/events/syscalls/sys_exit_connect/enable'
+ExecStart=uv run python -m linux_edr.cli run --output /var/log/linux-edr/reports.jsonl
 Restart=on-failure
 RestartSec=5
 StandardOutput=journal
 StandardError=journal
 
 # Security hardening
 ProtectSystem=full
-ReadWritePaths=/var/log/linux-edr
+ReadWritePaths=/var/log/linux-edr /etc/linux_edr /opt/linux-edr
 PrivateTmp=true
-NoNewPrivileges=true
+NoNewPrivileges=false
+CapabilityBoundingSet=CAP_DAC_OVERRIDE CAP_SYS_ADMIN
+AmbientCapabilities=CAP_DAC_OVERRIDE CAP_SYS_ADMIN
 
 [Install]
 WantedBy=multi-user.target 

uninstall_service.sh

@@ -0,0 +1,55 @@
+#!/bin/bash
+set -e
+
+# Check if running as root
+if [ "$EUID" -ne 0 ]; then
+  echo "Please run as root to uninstall the service"
+  exit 1
+fi
+
+echo "Uninstalling Linux EDR service..."
+
+# Stop and disable the service if it's running
+if systemctl is-active --quiet linux-edr.service; then
+  echo "Stopping Linux EDR service..."
+  systemctl stop linux-edr.service
+fi
+
+if systemctl is-enabled --quiet linux-edr.service 2>/dev/null; then
+  echo "Disabling Linux EDR service..."
+  systemctl disable linux-edr.service
+fi
+
+# Remove the systemd service file
+if [ -f /etc/systemd/system/linux-edr.service ]; then
+  echo "Removing systemd service file..."
+  rm -f /etc/systemd/system/linux-edr.service
+  systemctl daemon-reload
+fi
+
+# Remove the virtual environment
+if [ -d "/opt/linux-edr" ]; then
+  echo "Removing virtual environment..."
+  rm -rf /opt/linux-edr
+fi
+
+# Remove logs
+if [ -d "/var/log/linux-edr" ]; then
+  echo "Removing log directory and all logs..."
+  rm -rf /var/log/linux-edr
+fi
+
+# Remove configuration
+if [ -d "/etc/linux_edr" ]; then
+  echo "Removing configuration directory..."
+  rm -rf /etc/linux_edr
+fi
+
+# Remove the service user
+if id "linux-edr" &>/dev/null; then
+  echo "Removing service user..."
+  userdel linux-edr
+fi
+
+echo "Linux EDR service has been completely uninstalled and all data has been removed."
+echo "If you installed any dependencies specifically for this service, you may remove them manually."