Merge pull request #21237 from bluca/analyze_skip
analyze: allow a custom policy to skip a check
commit
5df64f148d
@ -1075,9 +1075,14 @@ Service b@0.service not loaded, b.socket cannot be started.
|
||||
corresponding to a specific id of the unit file is missing from the JSON object, the
|
||||
default built-in field value corresponding to that same id is used for security analysis
|
||||
as default. The weight and range fields are used in determining the overall exposure level
|
||||
of the unit files so by allowing users to manipulate these fields, 'security' gives them
|
||||
the option to decide for themself which ids are more important and hence, should have a greater
|
||||
effect on the exposure level. </para>
|
||||
of the unit files: the value of each setting is assigned a badness score, which is multiplied
|
||||
by the policy weight and divided by the policy range to determine the overall exposure that
|
||||
the setting implies. The computed badness is summed across all settings in the unit file,
|
||||
normalized to the 1…100 range, and used to determine the overall exposure level of the unit.
|
||||
By allowing users to manipulate these fields, the 'security' verb gives them the option to
|
||||
decide for themself which ids are more important and hence should have a greater effect on
|
||||
the exposure level. A weight of <literal>0</literal> means the setting will not be
|
||||
checked.</para>
|
||||
|
||||
<programlisting>
|
||||
{
|
||||
|
@ -1764,6 +1764,11 @@ static int assess(const SecurityInfo *info,
|
||||
d = strdup("Service runs in special boot phase, option is not appropriate");
|
||||
if (!d)
|
||||
return log_oom();
|
||||
} else if (weight == 0) {
|
||||
badness = UINT64_MAX;
|
||||
d = strdup("Option excluded by policy, skipping");
|
||||
if (!d)
|
||||
return log_oom();
|
||||
} else {
|
||||
r = a->assess(a, info, data, &badness, &d);
|
||||
if (r < 0)
|
||||
|
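Review bot: The new `else if (weight == 0)` branch relies on `badness = UINT64_MAX` being understood downstream as "not assessed", but nothing in the hunk says so, and the branch reads as a second copy of the special-boot-phase case directly above it; a comment would keep the two sentinel uses from drifting apart: `/* Weight 0 in a custom policy opts this check out; UINT64_MAX badness marks it "not assessed", not "clean". */`. Since the weight comes from a user-supplied policy file (the documentation hunk of this commit says a weight of 0 means the setting is not checked), the report should keep an excluded check visibly distinct from a passing one — the "Option excluded by policy, skipping" description does that, though whether the exposure summary and exit status also treat UINT64_MAX as skipped rather than as a score is decided outside this hunk. assess() starts and ends outside the hunk.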
@ -106,9 +106,9 @@ systemd-analyze security --threshold=90 --offline=true --root=/tmp/img/ testfile
|
||||
# set to 'yes' (as above in the case of testfile.service) in the content of the unit file, the overall exposure
|
||||
# level for the unit file should decrease to account for that increased weight.
|
||||
cat <<EOF >/tmp/testfile.json
|
||||
{"User_Or_DynamicUser":
|
||||
{"UserOrDynamicUser":
|
||||
{"description_bad": "Service runs as root user",
|
||||
"weight": 2000,
|
||||
"weight": 0,
|
||||
"range": 10
|
||||
},
|
||||
"SupplementaryGroups":
|
||||
@ -192,7 +192,7 @@ cat <<EOF >/tmp/testfile.json
|
||||
{"weight": 1000,
|
||||
"range": 10
|
||||
},
|
||||
"RootDirectory_Or_RootImage":
|
||||
"RootDirectoryOrRootImage":
|
||||
{"description_good": "Service has its own root directory/image",
|
||||
"description_bad": "Service runs within the host's root directory",
|
||||
"weight": 200,
|
||||
|
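Review bot: The comment above the heredoc still says the exposure level `# level for the unit file should decrease to account for that increased weight.`, but the changed line now sets `"weight": 0`, which this same commit defines as excluding the check entirely, so the unchanged comment now describes the wrong mechanism. Rewording that line to `# level for the unit file should decrease because a weight of 0 excludes that check entirely.` keeps the test's intent readable; the comment begins before the hunk, so its first line may need the same adjustment. It would also be worth asserting that the "Option excluded by policy, skipping" text appears in the output for this policy, if the checks that follow the heredoc do not already do so — they are outside the hunk.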