Cross-Platform Security Service Architecture in Rust#

Introduction#

Building security services that run reliably across different operating systems is a complex challenge. Each platform has its own service management system, security models, and operational requirements. Rust’s cross-platform capabilities, combined with modern async patterns, provide an excellent foundation for building enterprise-grade security daemons.

In this comprehensive guide, we’ll architect and implement a production-ready security monitoring service that runs natively on Linux (systemd), Windows Services, and macOS launch daemons, while maintaining consistent behavior and security guarantees across all platforms.

Architecture Overview#

Design Principles#

Our cross-platform security service architecture follows these core principles:

Platform Abstraction: Hide OS-specific details behind clean interfaces
Async-First: Use Tokio for efficient resource utilization
Security by Default: Privilege dropping, input validation, secure defaults
Observable: Built-in metrics, logging, and health checks
Configurable: Layered configuration with validation
Testable: Modular design enabling comprehensive testing

High-Level Architecture#

1
┌─────────────────────────────────────────────────────────────┐
2
│                    Service Entry Point                       │
3
├─────────────────────────────────────────────────────────────┤
4
│                  Platform Abstraction Layer                  │
5
│  ┌─────────────┐  ┌──────────────┐  ┌─────────────────┐   │
6
│  │   systemd   │  │   Windows    │  │     macOS       │   │
7
│  │  Integration │  │   Service    │  │  Launch Daemon  │   │
8
│  └─────────────┘  └──────────────┘  └─────────────────┘   │
9
├─────────────────────────────────────────────────────────────┤
10
│                    Core Service Logic                        │
11
│  ┌─────────────┐  ┌──────────────┐  ┌─────────────────┐   │
12
│  │   Config    │  │   Security   │  │   Monitoring    │   │
13
│  │  Manager    │  │   Engine     │  │    Engine       │   │
14
│  └─────────────┘  └──────────────┘  └─────────────────┘   │
15
├─────────────────────────────────────────────────────────────┤
16
│                     Async Runtime (Tokio)                    │
17
└─────────────────────────────────────────────────────────────┘

Project Setup#

Dependencies#

1
[package]
2
name = "security-service"
3
version = "1.0.0"
4
edition = "2021"
5

6
[dependencies]
7
# Async runtime
8
tokio = { version = "1.35", features = ["full"] }
9
tokio-util = { version = "0.7", features = ["codec"] }
10

11
# Cross-platform service management
12
async-trait = "0.1"
13

14
# Platform-specific dependencies
15
[target.'cfg(windows)'.dependencies]
16
windows-service = "0.6"
17
windows = { version = "0.52", features = [
18
    "Win32_Foundation",
19
    "Win32_Security",
20
    "Win32_System_Services",
21
] }
22

23
[target.'cfg(target_os = "linux")'.dependencies]
24
sd-notify = "0.4"
25
nix = { version = "0.27", features = ["user", "signal"] }
26

27
[target.'cfg(target_os = "macos")'.dependencies]
28
launchd = "0.2"
29
nix = { version = "0.27", features = ["user", "signal"] }
30

31
# Common dependencies
32
serde = { version = "1.0", features = ["derive"] }
33
serde_json = "1.0"
34
config = "0.13"
35
tracing = "0.1"
36
tracing-subscriber = { version = "0.3", features = ["env-filter", "json"] }
37
tracing-appender = "0.2"
38
anyhow = "1.0"
39
thiserror = "1.0"
40
clap = { version = "4.4", features = ["derive"] }
41
uuid = { version = "1.6", features = ["v4", "serde"] }
42
chrono = { version = "0.4", features = ["serde"] }
43
prometheus = { version = "0.13", features = ["process"] }
44
reqwest = { version = "0.11", features = ["json", "rustls-tls"] }
45
sqlx = { version = "0.7", features = ["runtime-tokio-rustls", "sqlite"] }
46

47
# Security dependencies
48
ring = "0.17"
49
rustls = "0.22"
50
password-hash = "0.5"
51
argon2 = "0.5"
52

53
[dev-dependencies]
54
tempfile = "3.8"
55
mockall = "0.12"
56
proptest = "1.4"
57
criterion = "0.5"
58

59
[[bin]]
60
name = "security-service"
61
path = "src/main.rs"

Project Structure#

1
security-service/
2
├── Cargo.toml
3
├── src/
4
│   ├── main.rs
5
│   ├── service/
6
│   │   ├── mod.rs
7
│   │   ├── core.rs
8
│   │   ├── linux.rs
9
│   │   ├── windows.rs
10
│   │   └── macos.rs
11
│   ├── config/
12
│   │   ├── mod.rs
13
│   │   └── validation.rs
14
│   ├── security/
15
│   │   ├── mod.rs
16
│   │   ├── auth.rs
17
│   │   ├── crypto.rs
18
│   │   └── audit.rs
19
│   ├── monitoring/
20
│   │   ├── mod.rs
21
│   │   ├── collector.rs
22
│   │   └── analyzer.rs
23
│   └── api/
24
│       ├── mod.rs
25
│       └── handlers.rs
26
├── config/
27
│   ├── default.toml
28
│   ├── production.toml
29
│   └── development.toml
30
└── scripts/
31
    ├── install-linux.sh
32
    ├── install-windows.ps1
33
    └── install-macos.sh

Core Service Implementation#

Service Trait Definition#

1
use async_trait::async_trait;
2
use std::future::Future;
3
use std::pin::Pin;
4
use anyhow::Result;
5

6
#[async_trait]
7
pub trait ServiceController: Send + Sync {
8
    /// Initialize the service
9
    async fn initialize(&mut self) -> Result<()>;
10

11
    /// Start the service
12
    async fn start(&mut self) -> Result<()>;
13

14
    /// Stop the service gracefully
15
    async fn stop(&mut self) -> Result<()>;
16

17
    /// Handle platform-specific control events
18
    async fn handle_control_event(&mut self, event: ControlEvent) -> Result<()>;
19

20
    /// Get service status
21
    fn status(&self) -> ServiceStatus;
22
}
23

24
#[derive(Debug, Clone)]
25
pub enum ControlEvent {
26
    Stop,
27
    Pause,
28
    Continue,
29
    Reload,
30
    Custom(String),
31
}
32

33
#[derive(Debug, Clone, PartialEq)]
34
pub enum ServiceStatus {
35
    Stopped,
36
    Starting,
37
    Running,
38
    Stopping,
39
    Paused,
40
    Error(String),
41
}
42

43
/// Platform-specific service implementation
44
#[cfg(target_os = "linux")]
45
pub type PlatformService = linux::LinuxService;
46

47
#[cfg(target_os = "windows")]
48
pub type PlatformService = windows::WindowsService;
49

50
#[cfg(target_os = "macos")]
51
pub type PlatformService = macos::MacOSService;

Core Service Logic#

1
use super::*;
2
use crate::config::Config;
3
use crate::security::SecurityEngine;
4
use crate::monitoring::MonitoringEngine;
5
use tokio::sync::{broadcast, RwLock};
6
use std::sync::Arc;
7
use tracing::{info, error, debug};
8

9
pub struct SecurityService {
10
    config: Arc<RwLock<Config>>,
11
    security_engine: Arc<SecurityEngine>,
12
    monitoring_engine: Arc<MonitoringEngine>,
13
    status: Arc<RwLock<ServiceStatus>>,
14
    shutdown_tx: broadcast::Sender<()>,
15
    tasks: Vec<tokio::task::JoinHandle<()>>,
16
}
17

18
impl SecurityService {
19
    pub fn new(config: Config) -> Result<Self> {
20
        let (shutdown_tx, _) = broadcast::channel(16);
21

22
        Ok(Self {
23
            config: Arc::new(RwLock::new(config)),
24
            security_engine: Arc::new(SecurityEngine::new()?),
25
            monitoring_engine: Arc::new(MonitoringEngine::new()?),
26
            status: Arc::new(RwLock::new(ServiceStatus::Stopped)),
27
            shutdown_tx,
28
            tasks: Vec::new(),
29
        })
30
    }
31

32
    async fn update_status(&self, status: ServiceStatus) {
33
        let mut current = self.status.write().await;
34
        *current = status;
35
    }
36

37
    async fn spawn_monitoring_task(&mut self) -> Result<()> {
38
        let engine = Arc::clone(&self.monitoring_engine);
39
        let mut shutdown_rx = self.shutdown_tx.subscribe();
40
        let config = Arc::clone(&self.config);
41

42
        let task = tokio::spawn(async move {
43
            let mut interval = tokio::time::interval(
44
                tokio::time::Duration::from_secs(10)
45
            );
46

47
            loop {
48
                tokio::select! {
49
                    _ = interval.tick() => {
50
                        if let Err(e) = engine.collect_metrics(&config).await {
51
                            error!("Monitoring error: {}", e);
52
                        }
53
                    }
54
                    _ = shutdown_rx.recv() => {
55
                        info!("Monitoring task shutting down");
56
                        break;
57
                    }
58
                }
59
            }
60
        });
61

62
        self.tasks.push(task);
63
        Ok(())
64
    }
65

66
    async fn spawn_security_task(&mut self) -> Result<()> {
67
        let engine = Arc::clone(&self.security_engine);
68
        let mut shutdown_rx = self.shutdown_tx.subscribe();
69

70
        let task = tokio::spawn(async move {
71
            let mut interval = tokio::time::interval(
72
                tokio::time::Duration::from_secs(5)
73
            );
74

75
            loop {
76
                tokio::select! {
77
                    _ = interval.tick() => {
78
                        if let Err(e) = engine.check_threats().await {
79
                            error!("Security check error: {}", e);
80
                        }
81
                    }
82
                    _ = shutdown_rx.recv() => {
83
                        info!("Security task shutting down");
84
                        break;
85
                    }
86
                }
87
            }
88
        });
89

90
        self.tasks.push(task);
91
        Ok(())
92
    }
93
}
94

95
#[async_trait]
96
impl ServiceController for SecurityService {
97
    async fn initialize(&mut self) -> Result<()> {
98
        info!("Initializing security service");
99
        self.update_status(ServiceStatus::Starting).await;
100

101
        // Load configuration
102
        let config = self.config.read().await;
103

104
        // Initialize security engine
105
        self.security_engine.initialize(&config).await?;
106

107
        // Initialize monitoring engine
108
        self.monitoring_engine.initialize(&config).await?;
109

110
        // Drop privileges if running as root
111
        #[cfg(unix)]
112
        if nix::unistd::geteuid().is_root() {
113
            drop_privileges(&config)?;
114
        }
115

116
        info!("Security service initialized");
117
        Ok(())
118
    }
119

120
    async fn start(&mut self) -> Result<()> {
121
        info!("Starting security service");
122

123
        // Spawn background tasks
124
        self.spawn_monitoring_task().await?;
125
        self.spawn_security_task().await?;
126

127
        // Start API server
128
        let api_task = crate::api::start_server(
129
            Arc::clone(&self.config),
130
            self.shutdown_tx.subscribe(),
131
        ).await?;
132
        self.tasks.push(api_task);
133

134
        self.update_status(ServiceStatus::Running).await;
135
        info!("Security service started successfully");
136

137
        Ok(())
138
    }
139

140
    async fn stop(&mut self) -> Result<()> {
141
        info!("Stopping security service");
142
        self.update_status(ServiceStatus::Stopping).await;
143

144
        // Send shutdown signal
145
        let _ = self.shutdown_tx.send(());
146

147
        // Wait for all tasks to complete
148
        for task in self.tasks.drain(..) {
149
            if let Err(e) = task.await {
150
                error!("Task join error: {}", e);
151
            }
152
        }
153

154
        // Cleanup
155
        self.security_engine.shutdown().await?;
156
        self.monitoring_engine.shutdown().await?;
157

158
        self.update_status(ServiceStatus::Stopped).await;
159
        info!("Security service stopped");
160

161
        Ok(())
162
    }
163

164
    async fn handle_control_event(&mut self, event: ControlEvent) -> Result<()> {
165
        match event {
166
            ControlEvent::Stop => self.stop().await,
167
            ControlEvent::Reload => {
168
                info!("Reloading configuration");
169
                let new_config = Config::load().await?;
170
                let mut config = self.config.write().await;
171
                *config = new_config;
172
                Ok(())
173
            }
174
            ControlEvent::Custom(cmd) => {
175
                debug!("Received custom command: {}", cmd);
176
                Ok(())
177
            }
178
            _ => Ok(()),
179
        }
180
    }
181

182
    fn status(&self) -> ServiceStatus {
183
        futures::executor::block_on(async {
184
            self.status.read().await.clone()
185
        })
186
    }
187
}
188

189
#[cfg(unix)]
190
fn drop_privileges(config: &Config) -> Result<()> {
191
    use nix::unistd::{setuid, setgid, Uid, Gid};
192

193
    // Get configured user/group
194
    let username = config.service.run_as_user.as_ref()
195
        .ok_or_else(|| anyhow::anyhow!("run_as_user not configured"))?;
196

197
    // Look up user
198
    let user = nix::unistd::User::from_name(username)?
199
        .ok_or_else(|| anyhow::anyhow!("User {} not found", username))?;
200

201
    // Set supplementary groups
202
    nix::unistd::setgroups(&[user.gid])?;
203

204
    // Drop to target group
205
    setgid(user.gid)?;
206

207
    // Drop to target user
208
    setuid(user.uid)?;
209

210
    info!("Dropped privileges to user: {}", username);
211
    Ok(())
212
}

Linux systemd Integration#

1
use super::*;
2
use sd_notify::{notify, NotifyState};
3
use nix::sys::signal::{self, Signal};
4
use tokio::signal::unix::{signal, SignalKind};
5

6
pub struct LinuxService {
7
    inner: SecurityService,
8
    systemd_enabled: bool,
9
}
10

11
impl LinuxService {
12
    pub fn new(config: Config) -> Result<Self> {
13
        let systemd_enabled = sd_notify::booted().unwrap_or(false);
14

15
        Ok(Self {
16
            inner: SecurityService::new(config)?,
17
            systemd_enabled,
18
        })
19
    }
20

21
    pub async fn run(mut self) -> Result<()> {
22
        // Initialize service
23
        self.inner.initialize().await?;
24

25
        // Setup signal handlers
26
        let mut sigterm = signal(SignalKind::terminate())?;
27
        let mut sigint = signal(SignalKind::interrupt())?;
28
        let mut sighup = signal(SignalKind::hangup())?;
29

30
        // Start service
31
        self.inner.start().await?;
32

33
        // Notify systemd we're ready
34
        if self.systemd_enabled {
35
            notify(&[NotifyState::Ready])?;
36

37
            // Send watchdog keepalive in background
38
            tokio::spawn(async {
39
                let mut interval = tokio::time::interval(
40
                    tokio::time::Duration::from_secs(30)
41
                );
42

43
                loop {
44
                    interval.tick().await;
45
                    let _ = notify(&[NotifyState::Watchdog]);
46
                }
47
            });
48
        }
49

50
        // Wait for signals
51
        loop {
52
            tokio::select! {
53
                _ = sigterm.recv() => {
54
                    info!("Received SIGTERM");
55
                    break;
56
                }
57
                _ = sigint.recv() => {
58
                    info!("Received SIGINT");
59
                    break;
60
                }
61
                _ = sighup.recv() => {
62
                    info!("Received SIGHUP, reloading configuration");
63
                    self.inner.handle_control_event(ControlEvent::Reload).await?;
64
                }
65
            }
66
        }
67

68
        // Notify systemd we're stopping
69
        if self.systemd_enabled {
70
            notify(&[NotifyState::Stopping])?;
71
        }
72

73
        // Stop service
74
        self.inner.stop().await?;
75

76
        Ok(())
77
    }
78
}
79

80
// systemd service file
81
pub const SYSTEMD_SERVICE: &str = r#"
82
[Unit]
83
Description=Security Monitoring Service
84
Documentation=https://example.com/docs
85
After=network-online.target
86
Wants=network-online.target
87

88
[Service]
89
Type=notify
90
ExecStart=/usr/local/bin/security-service
91
ExecReload=/bin/kill -HUP $MAINPID
92
KillMode=mixed
93
KillSignal=SIGTERM
94
Restart=on-failure
95
RestartSec=5s
96
WatchdogSec=60s
97

98
# Security hardening
99
User=security-service
100
Group=security-service
101
NoNewPrivileges=true
102
PrivateTmp=true
103
ProtectSystem=strict
104
ProtectHome=true
105
ReadWritePaths=/var/lib/security-service /var/log/security-service
106
ProtectKernelTunables=true
107
ProtectKernelModules=true
108
ProtectControlGroups=true
109
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
110
RestrictNamespaces=true
111
LockPersonality=true
112
MemoryDenyWriteExecute=true
113
RestrictRealtime=true
114
RestrictSUIDSGID=true
115
RemoveIPC=true
116
PrivateMounts=true
117

118
# Resource limits
119
LimitNOFILE=65535
120
LimitNPROC=512
121
MemoryMax=1G
122
CPUQuota=50%
123

124
[Install]
125
WantedBy=multi-user.target
126
"#;

Windows Service Integration#

1
use super::*;
2
use windows_service::{
3
    define_windows_service,
4
    service::{
5
        ServiceControl, ServiceControlAccept, ServiceExitCode,
6
        ServiceState, ServiceStatus, ServiceType,
7
    },
8
    service_control_handler::{self, ServiceControlHandlerResult},
9
    service_dispatcher,
10
};
11
use std::ffi::OsString;
12
use std::sync::Mutex;
13
use std::time::Duration;
14
use once_cell::sync::Lazy;
15

16
static SERVICE_CONTROL: Lazy<Mutex<Option<tokio::sync::mpsc::Sender<ControlEvent>>>> =
17
    Lazy::new(|| Mutex::new(None));
18

19
pub struct WindowsService {
20
    inner: SecurityService,
21
}
22

23
impl WindowsService {
24
    pub fn new(config: Config) -> Result<Self> {
25
        Ok(Self {
26
            inner: SecurityService::new(config)?,
27
        })
28
    }
29

30
    pub fn run() -> Result<()> {
31
        // Register service with Windows
32
        service_dispatcher::start("SecurityService", ffi_service_main)?;
33
        Ok(())
34
    }
35
}
36

37
define_windows_service!(ffi_service_main, service_main);
38

39
fn service_main(_arguments: Vec<OsString>) {
40
    if let Err(e) = run_service() {
41
        error!("Service error: {}", e);
42
    }
43
}
44

45
fn run_service() -> Result<()> {
46
    // Create runtime
47
    let runtime = tokio::runtime::Runtime::new()?;
48

49
    // Load configuration
50
    let config = runtime.block_on(Config::load())?;
51

52
    // Create service
53
    let mut service = WindowsService::new(config)?;
54

55
    // Create control channel
56
    let (control_tx, mut control_rx) = tokio::sync::mpsc::channel(16);
57

58
    // Store sender for control handler
59
    {
60
        let mut control = SERVICE_CONTROL.lock().unwrap();
61
        *control = Some(control_tx);
62
    }
63

64
    // Define control handler
65
    let event_handler = move |control_event| -> ServiceControlHandlerResult {
66
        match control_event {
67
            ServiceControl::Stop => {
68
                if let Some(tx) = SERVICE_CONTROL.lock().unwrap().as_ref() {
69
                    let _ = tx.blocking_send(ControlEvent::Stop);
70
                }
71
                ServiceControlHandlerResult::NoError
72
            }
73
            ServiceControl::Interrogate => ServiceControlHandlerResult::NoError,
74
            _ => ServiceControlHandlerResult::NotImplemented,
75
        }
76
    };
77

78
    // Register control handler
79
    let status_handle = service_control_handler::register(
80
        "SecurityService",
81
        event_handler,
82
    )?;
83

84
    // Report starting
85
    status_handle.set_service_status(ServiceStatus {
86
        service_type: ServiceType::OWN_PROCESS,
87
        current_state: ServiceState::StartPending,
88
        controls_accepted: ServiceControlAccept::empty(),
89
        exit_code: ServiceExitCode::Win32(0),
90
        checkpoint: 0,
91
        wait_hint: Duration::from_secs(10),
92
        process_id: None,
93
    })?;
94

95
    // Run service
96
    runtime.block_on(async {
97
        // Initialize
98
        service.inner.initialize().await?;
99

100
        // Start service
101
        service.inner.start().await?;
102

103
        // Report running
104
        status_handle.set_service_status(ServiceStatus {
105
            service_type: ServiceType::OWN_PROCESS,
106
            current_state: ServiceState::Running,
107
            controls_accepted: ServiceControlAccept::STOP,
108
            exit_code: ServiceExitCode::Win32(0),
109
            checkpoint: 0,
110
            wait_hint: Duration::default(),
111
            process_id: None,
112
        })?;
113

114
        // Wait for control events
115
        while let Some(event) = control_rx.recv().await {
116
            match event {
117
                ControlEvent::Stop => {
118
                    // Report stopping
119
                    status_handle.set_service_status(ServiceStatus {
120
                        service_type: ServiceType::OWN_PROCESS,
121
                        current_state: ServiceState::StopPending,
122
                        controls_accepted: ServiceControlAccept::empty(),
123
                        exit_code: ServiceExitCode::Win32(0),
124
                        checkpoint: 0,
125
                        wait_hint: Duration::from_secs(10),
126
                        process_id: None,
127
                    })?;
128

129
                    // Stop service
130
                    service.inner.stop().await?;
131

132
                    // Report stopped
133
                    status_handle.set_service_status(ServiceStatus {
134
                        service_type: ServiceType::OWN_PROCESS,
135
                        current_state: ServiceState::Stopped,
136
                        controls_accepted: ServiceControlAccept::empty(),
137
                        exit_code: ServiceExitCode::Win32(0),
138
                        checkpoint: 0,
139
                        wait_hint: Duration::default(),
140
                        process_id: None,
141
                    })?;
142

143
                    break;
144
                }
145
                _ => {
146
                    service.inner.handle_control_event(event).await?;
147
                }
148
            }
149
        }
150

151
        Ok::<(), anyhow::Error>(())
152
    })?;
153

154
    Ok(())
155
}

Configuration Management#

1
use serde::{Deserialize, Serialize};
2
use config::{Config as ConfigBuilder, ConfigError, Environment, File};
3
use std::path::PathBuf;
4
use validator::{Validate, ValidationError};
5

6
#[derive(Debug, Clone, Deserialize, Serialize, Validate)]
7
pub struct Config {
8
    #[validate]
9
    pub service: ServiceConfig,
10

11
    #[validate]
12
    pub security: SecurityConfig,
13

14
    #[validate]
15
    pub monitoring: MonitoringConfig,
16

17
    #[validate]
18
    pub api: ApiConfig,
19

20
    #[validate]
21
    pub logging: LoggingConfig,
22
}
23

24
#[derive(Debug, Clone, Deserialize, Serialize, Validate)]
25
pub struct ServiceConfig {
26
    #[validate(length(min = 1))]
27
    pub name: String,
28

29
    pub description: Option<String>,
30

31
    #[cfg(unix)]
32
    pub run_as_user: Option<String>,
33

34
    #[cfg(unix)]
35
    pub run_as_group: Option<String>,
36

37
    #[validate(range(min = 1024, max = 65535))]
38
    pub port: u16,
39

40
    pub bind_address: String,
41
}
42

43
#[derive(Debug, Clone, Deserialize, Serialize, Validate)]
44
pub struct SecurityConfig {
45
    pub tls_cert_path: PathBuf,
46
    pub tls_key_path: PathBuf,
47

48
    #[validate(range(min = 8, max = 128))]
49
    pub min_password_length: usize,
50

51
    pub require_mfa: bool,
52

53
    #[validate(range(min = 1, max = 86400))]
54
    pub session_timeout_seconds: u64,
55

56
    #[validate(range(min = 1, max = 100))]
57
    pub max_login_attempts: u32,
58

59
    pub allowed_origins: Vec<String>,
60
}
61

62
#[derive(Debug, Clone, Deserialize, Serialize, Validate)]
63
pub struct MonitoringConfig {
64
    #[validate(range(min = 1, max = 3600))]
65
    pub metrics_interval_seconds: u64,
66

67
    pub enable_prometheus: bool,
68

69
    #[validate(url)]
70
    pub prometheus_push_gateway: Option<String>,
71

72
    pub alert_thresholds: AlertThresholds,
73
}
74

75
#[derive(Debug, Clone, Deserialize, Serialize, Validate)]
76
pub struct AlertThresholds {
77
    #[validate(range(min = 0.0, max = 100.0))]
78
    pub cpu_percent: f64,
79

80
    #[validate(range(min = 0.0, max = 100.0))]
81
    pub memory_percent: f64,
82

83
    #[validate(range(min = 0, max = 100000))]
84
    pub error_rate_per_minute: u64,
85
}
86

87
#[derive(Debug, Clone, Deserialize, Serialize, Validate)]
88
pub struct ApiConfig {
89
    #[validate(range(min = 1, max = 10000))]
90
    pub rate_limit_per_minute: u32,
91

92
    #[validate(range(min = 1, max = 1000))]
93
    pub max_request_size_mb: usize,
94

95
    #[validate(range(min = 1, max = 300))]
96
    pub request_timeout_seconds: u64,
97
}
98

99
#[derive(Debug, Clone, Deserialize, Serialize, Validate)]
100
pub struct LoggingConfig {
101
    pub level: String,
102
    pub format: LogFormat,
103
    pub output: LogOutput,
104
    pub file_path: Option<PathBuf>,
105

106
    #[validate(range(min = 1, max = 1000))]
107
    pub max_file_size_mb: usize,
108

109
    #[validate(range(min = 1, max = 100))]
110
    pub max_files: usize,
111
}
112

113
#[derive(Debug, Clone, Deserialize, Serialize)]
114
#[serde(rename_all = "lowercase")]
115
pub enum LogFormat {
116
    Json,
117
    Pretty,
118
    Compact,
119
}
120

121
#[derive(Debug, Clone, Deserialize, Serialize)]
122
#[serde(rename_all = "lowercase")]
123
pub enum LogOutput {
124
    Stdout,
125
    File,
126
    Both,
127
}
128

129
impl Config {
130
    pub async fn load() -> Result<Self> {
131
        let config_dir = Self::get_config_dir()?;
132
        let environment = std::env::var("SERVICE_ENV")
133
            .unwrap_or_else(|_| "development".to_string());
134

135
        let config = ConfigBuilder::builder()
136
            // Start with default configuration
137
            .add_source(File::from(config_dir.join("default.toml")))
138
            // Layer on environment-specific config
139
            .add_source(
140
                File::from(config_dir.join(format!("{}.toml", environment)))
141
                    .required(false)
142
            )
143
            // Layer on environment variables
144
            .add_source(
145
                Environment::with_prefix("SECURITY_SERVICE")
146
                    .separator("__")
147
                    .try_parsing(true)
148
            )
149
            .build()?;
150

151
        let config: Config = config.try_deserialize()?;
152
        config.validate()?;
153

154
        Ok(config)
155
    }
156

157
    fn get_config_dir() -> Result<PathBuf> {
158
        // Check for explicit config directory
159
        if let Ok(dir) = std::env::var("CONFIG_DIR") {
160
            return Ok(PathBuf::from(dir));
161
        }
162

163
        // Use platform-specific defaults
164
        #[cfg(unix)]
165
        let config_dir = PathBuf::from("/etc/security-service");
166

167
        #[cfg(windows)]
168
        let config_dir = std::env::var("ProgramData")
169
            .map(|p| PathBuf::from(p).join("SecurityService"))
170
            .unwrap_or_else(|_| PathBuf::from("C:\\ProgramData\\SecurityService"));
171

172
        Ok(config_dir)
173
    }
174
}

Security Engine#

1
use anyhow::Result;
2
use std::sync::Arc;
3
use tokio::sync::RwLock;
4
use crate::config::Config;
5

6
pub struct SecurityEngine {
7
    threat_detector: Arc<ThreatDetector>,
8
    access_controller: Arc<AccessController>,
9
    audit_logger: Arc<AuditLogger>,
10
}
11

12
impl SecurityEngine {
13
    pub fn new() -> Result<Self> {
14
        Ok(Self {
15
            threat_detector: Arc::new(ThreatDetector::new()?),
16
            access_controller: Arc::new(AccessController::new()?),
17
            audit_logger: Arc::new(AuditLogger::new()?),
18
        })
19
    }
20

21
    pub async fn initialize(&self, config: &Config) -> Result<()> {
22
        self.threat_detector.initialize(config).await?;
23
        self.access_controller.initialize(config).await?;
24
        self.audit_logger.initialize(config).await?;
25
        Ok(())
26
    }
27

28
    pub async fn check_threats(&self) -> Result<()> {
29
        // Run threat detection logic
30
        let threats = self.threat_detector.scan().await?;
31

32
        // Log any detected threats
33
        for threat in threats {
34
            self.audit_logger.log_threat(&threat).await?;
35

36
            // Take action based on threat severity
37
            match threat.severity {
38
                ThreatSeverity::Critical => {
39
                    // Immediate response
40
                    self.respond_to_critical_threat(&threat).await?;
41
                }
42
                ThreatSeverity::High => {
43
                    // Alert administrators
44
                    self.alert_administrators(&threat).await?;
45
                }
46
                _ => {
47
                    // Log for analysis
48
                }
49
            }
50
        }
51

52
        Ok(())
53
    }
54

55
    pub async fn shutdown(&self) -> Result<()> {
56
        self.audit_logger.flush().await?;
57
        Ok(())
58
    }
59

60
    async fn respond_to_critical_threat(&self, threat: &Threat) -> Result<()> {
61
        // Implement immediate response logic
62
        // e.g., block IP, terminate process, isolate system
63
        Ok(())
64
    }
65

66
    async fn alert_administrators(&self, threat: &Threat) -> Result<()> {
67
        // Send alerts via configured channels
68
        // e.g., email, SMS, Slack, PagerDuty
69
        Ok(())
70
    }
71
}

Deployment Patterns#

Linux Deployment Script#

1
#!/bin/bash
2
set -euo pipefail
3

4
SERVICE_NAME="security-service"
5
SERVICE_USER="security-service"
6
INSTALL_DIR="/opt/security-service"
7
CONFIG_DIR="/etc/security-service"
8
LOG_DIR="/var/log/security-service"
9
DATA_DIR="/var/lib/security-service"
10

11
# Create service user
12
if ! id "$SERVICE_USER" &>/dev/null; then
13
    useradd --system --shell /bin/false --home-dir "$DATA_DIR" "$SERVICE_USER"
14
fi
15

16
# Create directories
17
mkdir -p "$INSTALL_DIR" "$CONFIG_DIR" "$LOG_DIR" "$DATA_DIR"
18

19
# Copy binary
20
cp target/release/security-service "$INSTALL_DIR/"
21
chmod 755 "$INSTALL_DIR/security-service"
22

23
# Copy configuration
24
cp config/*.toml "$CONFIG_DIR/"
25
chmod 640 "$CONFIG_DIR"/*.toml
26

27
# Set ownership
28
chown -R "$SERVICE_USER:$SERVICE_USER" "$LOG_DIR" "$DATA_DIR"
29
chown root:$SERVICE_USER "$CONFIG_DIR"
30

31
# Install systemd service
32
cp scripts/security-service.service /etc/systemd/system/
33
systemctl daemon-reload
34
systemctl enable security-service
35

36
echo "Security service installed successfully"
37
echo "Start with: systemctl start security-service"
38
echo "View logs: journalctl -u security-service -f"

Windows Deployment Script#

1
param(
2
    [Parameter(Mandatory=$false)]
3
    [string]$ServiceName = "SecurityService",
4

5
    [Parameter(Mandatory=$false)]
6
    [string]$InstallPath = "C:\Program Files\SecurityService"
7
)
8

9
# Require administrator privileges
10
if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")) {
11
    Write-Error "This script must be run as Administrator."
12
    exit 1
13
}
14

15
# Create installation directory
16
New-Item -ItemType Directory -Force -Path $InstallPath
17
New-Item -ItemType Directory -Force -Path "$env:ProgramData\SecurityService"
18

19
# Copy files
20
Copy-Item "target\release\security-service.exe" -Destination $InstallPath
21
Copy-Item "config\*.toml" -Destination "$env:ProgramData\SecurityService"
22

23
# Install service
24
$binPath = Join-Path $InstallPath "security-service.exe"
25
New-Service -Name $ServiceName `
26
    -BinaryPathName $binPath `
27
    -DisplayName "Security Monitoring Service" `
28
    -Description "Enterprise security monitoring and threat detection" `
29
    -StartupType Automatic
30

31
# Configure service recovery
32
sc.exe failure $ServiceName reset= 86400 actions= restart/5000/restart/10000/restart/30000
33

34
Write-Host "Security service installed successfully"
35
Write-Host "Start with: Start-Service $ServiceName"
36
Write-Host "View logs: Get-EventLog -LogName Application -Source $ServiceName"

Performance Optimization#

Async Best Practices#

1
// Use bounded channels to prevent memory exhaustion
2
let (tx, rx) = tokio::sync::mpsc::channel(1000);
3

4
// Use select! for efficient event handling
5
tokio::select! {
6
    biased; // Process in order of priority
7

8
    result = high_priority_task() => {
9
        handle_high_priority(result);
10
    }
11
    result = normal_task() => {
12
        handle_normal(result);
13
    }
14
    _ = shutdown_signal() => {
15
        break;
16
    }
17
}
18

19
// Use buffer pools for zero-allocation processing
20
use bytes::{Bytes, BytesMut};
21
let pool = Arc::new(Mutex::new(Vec::new()));
22

23
// Batch operations for efficiency
24
let batch_size = 100;
25
let mut batch = Vec::with_capacity(batch_size);

Resource Management#

1
// Implement connection pooling
2
use deadpool::managed::{Manager, Pool};
3

4
// Configure thread pools appropriately
5
let runtime = tokio::runtime::Builder::new_multi_thread()
6
    .worker_threads(num_cpus::get())
7
    .thread_name("security-service")
8
    .enable_all()
9
    .build()?;
10

11
// Use resource limits
12
#[cfg(unix)]
13
{
14
    use rlimit::{Resource, setrlimit};
15
    setrlimit(Resource::NOFILE, 65535, 65535)?;
16
}

Security Hardening#

Input Validation#

1
use validator::Validate;
2

3
#[derive(Validate)]
4
struct SecurityRequest {
5
    #[validate(length(min = 1, max = 256))]
6
    #[validate(regex = "VALID_ID_REGEX")]
7
    id: String,
8

9
    #[validate(range(min = 0, max = 1000000))]
10
    count: u64,
11

12
    #[validate(custom = "validate_timestamp")]
13
    timestamp: i64,
14
}
15

16
fn validate_timestamp(timestamp: i64) -> Result<(), ValidationError> {
17
    let now = chrono::Utc::now().timestamp();
18
    if (now - timestamp).abs() > 300 { // 5 minutes
19
        return Err(ValidationError::new("timestamp_out_of_range"));
20
    }
21
    Ok(())
22
}

Secure Communication#

1
// TLS configuration
2
let tls_config = rustls::ServerConfig::builder()
3
    .with_safe_defaults()
4
    .with_no_client_auth()
5
    .with_single_cert(cert_chain, private_key)?;
6

7
// Certificate pinning
8
let mut root_store = rustls::RootCertStore::empty();
9
root_store.add(&expected_cert)?;

Monitoring and Observability#

Metrics Collection#

1
use prometheus::{Counter, Gauge, Histogram, Registry};
2

3
lazy_static! {
4
    static ref REQUEST_COUNTER: Counter = Counter::new(
5
        "security_service_requests_total",
6
        "Total number of requests"
7
    ).unwrap();
8

9
    static ref THREAT_GAUGE: Gauge = Gauge::new(
10
        "security_service_active_threats",
11
        "Number of active threats"
12
    ).unwrap();
13

14
    static ref RESPONSE_TIME: Histogram = Histogram::with_opts(
15
        prometheus::HistogramOpts::new(
16
            "security_service_response_seconds",
17
            "Response time in seconds"
18
        ).buckets(vec![0.001, 0.005, 0.01, 0.05, 0.1, 0.5, 1.0])
19
    ).unwrap();
20
}

Health Checks#

1
#[derive(Serialize)]
2
struct HealthStatus {
3
    status: &'static str,
4
    version: &'static str,
5
    uptime_seconds: u64,
6
    checks: HashMap<String, CheckResult>,
7
}
8

9
async fn health_check() -> Result<HealthStatus> {
10
    let mut checks = HashMap::new();
11

12
    // Database check
13
    checks.insert("database", check_database().await);
14

15
    // External service check
16
    checks.insert("threat_intel", check_threat_intel_api().await);
17

18
    // Resource check
19
    checks.insert("resources", check_system_resources().await);
20

21
    let overall_status = if checks.values().all(|c| c.healthy) {
22
        "healthy"
23
    } else {
24
        "degraded"
25
    };
26

27
    Ok(HealthStatus {
28
        status: overall_status,
29
        version: env!("CARGO_PKG_VERSION"),
30
        uptime_seconds: get_uptime(),
31
        checks,
32
    })
33
}

Testing Strategies#

Integration Tests#

1
#[cfg(test)]
2
mod tests {
3
    use super::*;
4
    use tempfile::TempDir;
5

6
    #[tokio::test]
7
    async fn test_service_lifecycle() {
8
        // Create test configuration
9
        let temp_dir = TempDir::new().unwrap();
10
        let config = create_test_config(&temp_dir);
11

12
        // Create service
13
        let mut service = SecurityService::new(config).unwrap();
14

15
        // Test initialization
16
        service.initialize().await.unwrap();
17
        assert_eq!(service.status(), ServiceStatus::Starting);
18

19
        // Test start
20
        service.start().await.unwrap();
21
        assert_eq!(service.status(), ServiceStatus::Running);
22

23
        // Test reload
24
        service.handle_control_event(ControlEvent::Reload)
25
            .await
26
            .unwrap();
27

28
        // Test stop
29
        service.stop().await.unwrap();
30
        assert_eq!(service.status(), ServiceStatus::Stopped);
31
    }
32
}

Conclusion#

Building cross-platform security services in Rust requires careful attention to platform-specific details while maintaining a clean, unified architecture. By leveraging Rust’s type system, async runtime, and security features, we can create robust services that run reliably across different operating systems.

Key takeaways:

Abstract platform differences behind clean interfaces
Use async/await for efficient resource utilization
Implement comprehensive security measures from the start
Build observability into the service architecture
Test thoroughly on all target platforms

Ready to implement advanced security monitoring? Check out our next article on Building Production eBPF Security Monitors where we’ll combine eBPF with our service architecture.