mirror of https://github.com/systemd/systemd-stable.git synced 2025-01-05 09:17:44 +03:00
systemd-stable/shell-completion/bash
Maanya Goenka 4b4a8ef741 systemd-analyze: add new option to generate JSON output of security analysis table
The new option --json= works with the 'security' verb and takes in one of three format flags.
These are off which is the default, pretty and short which use JSON format flags for output.
When set to true, it generates a JSON formatted output of the security analysis table. The
format is a JSON array with objects containing the following fields: set which indicates if
the id has been set or not, name which is what is used to refer to the id, json_field
which is the equivalent JSON formatted id name only used for JSON outputs, description which
is an outline of the id state, and exposure which is an unsigned integer in the range 0.0..10.0,
where a higher value corresponds to a higher security threat. The JSON version of the table is
printed on the standard output file.

Example Run:

The unit file testfile.service was created to test the --json= option

maanya-goenka@debian:~/systemd (json-security)$ cat <<EOF >testfile.service

> [Service]
> ExecStart = echo hello
> PrivateNetwork = yes
> PrivateMounts = yes
> PrivateDevices = yes
> EOF

Both the JSON output and the security analysis table below have been truncated to increase readability.
1. Testing for when --json=off

maanya-goenka@debian:~/systemd (json-security)$ sudo build/systemd-analyze security --json=off --root= --offline=true
testfile.service --no-pager

/usr/lib/systemd/system/plymouth-start.service:15: Unit configured to use KillMode=none. This is unsafe, as it disables systemd's
process lifecycle management for the service. Please update your service to use a safer KillMode=, such as 'mixed' or 'control-group'.
Support for KillMode=none is deprecated and will eventually be removed.
/usr/lib/systemd/system/dbus.socket:5: ListenStream= references a path below legacy directory /var/run/, updating
/var/run/dbus/system_bus_socket → /run/dbus/system_bus_socket; please update the unit file accordingly.
/usr/lib/systemd/system/gdm.service:30: Standard output type syslog is obsolete, automatically updating to journal. Please update your
unit file, and consider removing the setting altogether.
/home/maanya-goenka/systemd/foo.service:2: Unknown key name 'foo' in section 'Unit', ignoring.

    NAME                                                      DESCRIPTION                                                       EXPOSURE
✓   PrivateNetwork=                                           Service has no access to the host's network
✗   User=/DynamicUser=                                        Service runs as root user                                              0.4
✗   CapabilityBoundingSet=~CAP_SET(UID|GID|PCAP)              Service may change UID/GID identities/capabilities                     0.3
✗   CapabilityBoundingSet=~CAP_NET_ADMIN                      Service has administrator privileges                                   0.3

→ Overall exposure level for testfile.service: 8.3 EXPOSED 🙁

2. Testing for when --json=pretty

maanya-goenka@debian:~/systemd (json-security)$ sudo build/systemd-analyze security --json=pretty --root= --offline=true
testfile.service

/usr/lib/systemd/system/plymouth-start.service:15: Unit configured to use KillMode=none. This is unsafe, as it disables systemd's
process lifecycle management for the service. Please update your service to use a safer KillMode=, such as 'mixed' or 'control-group'.
Support for KillMode=none is deprecated and will eventually be removed.
/usr/lib/systemd/system/dbus.socket:5: ListenStream= references a path below legacy directory /var/run/, updating
/var/run/dbus/system_bus_socket → /run/dbus/system_bus_socket; please update the unit file accordingly.
/usr/lib/systemd/system/gdm.service:30: Standard output type syslog is obsolete, automatically updating to journal. Please update your
unit file, and consider removing the setting altogether.
/home/maanya-goenka/systemd/foo.service:2: Unknown key name 'foo' in section 'Unit', ignoring.

[
        {
                "set" : true,
                "name" : "PrivateNetwork=",
                "json_field" : "PrivateNetwork",
                "description" : "Service has no access to the host's network",
                "exposure" : null
        },
        {
                "set" : false,
                "name" : "User=/DynamicUser=",
                "json_field" : "UserOrDynamicUser",
                "description" : "Service runs as root user",
                "exposure" : "0.4"
        },
        {
                "set" : false,
                "name" : "CapabilityBoundingSet=~CAP_SET(UID|GID|PCAP)",
                "json_field" : "CapabilityBoundingSet_CAP_SET_UID_GID_PCAP",
                "description" : "Service may change UID/GID identities/capabilities",
                "exposure" : "0.3"
        },
        {
                "set" : false,
                "name" : "CapabilityBoundingSet=~CAP_NET_ADMIN",
                "json_field" : "CapabilityBoundingSet_CAP_NET_ADMIN",
                "description" : "Service has administrator privileges",
                "exposure" : "0.3"
        },
        ...
]

3. Testing for when --json=short

maanya-goenka@debian:~/systemd (json-security)$ sudo build/systemd-analyze security --json=short --root= --offline=true
testfile.service

/usr/lib/systemd/system/plymouth-start.service:15: Unit configured to use KillMode=none. This is unsafe, as it disables systemd's
process lifecycle management for the service. Please update your service to use a safer KillMode=, such as 'mixed' or 'control-group'.
Support for KillMode=none is deprecated and will eventually be removed.
/usr/lib/systemd/system/dbus.socket:5: ListenStream= references a path below legacy directory /var/run/, updating
/var/run/dbus/system_bus_socket → /run/dbus/system_bus_socket; please update the unit file accordingly.
/usr/lib/systemd/system/gdm.service:30: Standard output type syslog is obsolete, automatically updating to journal. Please update your
unit file, and consider removing the setting altogether.
/home/maanya-goenka/systemd/foo.service:2: Unknown key name 'foo' in section 'Unit', ignoring.

[{"set":true,"name":"PrivateNetwork=", "json_field":"PrivateNetwork", "description":"Service has no access to the host's network","exposure":null}, ...]
2021-09-06 19:55:27 +01:00
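An added example, not part of this commit or of the systemd project, that consumes the `--json=short` array described above: it normalises the `exposure` field (which the output shows as either `null` or a numeric string such as `"0.4"`), lists the hardening items the unit does not set worst first, and sums their weights. The sample array is constructed from the values shown in the commit message, and the function names are my own.

```python
import json
import sys

# Constructed sample in the --json=short shape shown above (values copied
# from the commit message's example run; this is not live tool output).
SAMPLE_JSON = '''[
 {"set":true,"name":"PrivateNetwork=","json_field":"PrivateNetwork","description":"Service has no access to the host's network","exposure":null},
 {"set":false,"name":"User=/DynamicUser=","json_field":"UserOrDynamicUser","description":"Service runs as root user","exposure":"0.4"},
 {"set":false,"name":"CapabilityBoundingSet=~CAP_SET(UID|GID|PCAP)","json_field":"CapabilityBoundingSet_CAP_SET_UID_GID_PCAP","description":"Service may change UID/GID identities/capabilities","exposure":"0.3"},
 {"set":false,"name":"CapabilityBoundingSet=~CAP_NET_ADMIN","json_field":"CapabilityBoundingSet_CAP_NET_ADMIN","description":"Service has administrator privileges","exposure":"0.3"}
]'''

REQUIRED_FIELDS = ("set", "name", "json_field", "description", "exposure")

def parse_exposure(value):
    """Exposure is null when the setting is applied (nothing to add) and a
    numeric string such as "0.4" otherwise; normalise both to a float."""
    if value is None:
        return 0.0
    return float(value)

def load_findings(text):
    """Parse the JSON array and validate that every row carries the five
    fields the commit message documents; raise ValueError otherwise."""
    findings = []
    for row in json.loads(text):
        missing = [k for k in REQUIRED_FIELDS if k not in row]
        if missing:
            raise ValueError(f"row {row!r} lacks fields {missing}")
        findings.append({**row, "exposure": parse_exposure(row["exposure"])})
    return findings

def unset_by_exposure(findings, threshold=0.0):
    """Hardening settings the unit does not apply, highest weight first;
    `threshold` drops low-weight rows so a reviewer can focus on the rest."""
    hits = [f for f in findings if not f["set"] and f["exposure"] > threshold]
    return sorted(hits, key=lambda f: (-f["exposure"], f["json_field"]))

def exposure_gap(findings):
    """Arithmetic sum of the per-row weights for unset items. This is a
    triage number, not the tool's own 'Overall exposure level' line."""
    return round(sum(f["exposure"] for f in findings if not f["set"]), 1)

if __name__ == "__main__":
    # Pipe real output in: systemd-analyze security --json=short UNIT | python3 this.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_JSON
    fs = load_findings(text)
    for f in unset_by_exposure(fs):
        print(f"{f['exposure']:4.1f}  {f['name']:<48} {f['description']}")
    print("unapplied exposure weight:", exposure_gap(fs))
```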
bootctl completion: fix 'unbound variables' errors 2021-06-22 14:56:47 +01:00
busctl completion: fix 'unbound variables' errors 2021-06-22 14:56:47 +01:00
coredumpctl completion: fix 'unbound variables' errors 2021-06-22 14:56:47 +01:00
homectl completion: fix 'unbound variables' errors 2021-06-22 14:56:47 +01:00
hostnamectl completion: fix 'unbound variables' errors 2021-06-22 14:56:47 +01:00
journalctl license: LGPL-2.1+ -> LGPL-2.1-or-later 2020-11-09 13:23:58 +09:00
kernel-install license: LGPL-2.1+ -> LGPL-2.1-or-later 2020-11-09 13:23:58 +09:00
localectl completion: fix 'unbound variables' errors 2021-06-22 14:56:47 +01:00
loginctl completion: fix 'unbound variables' errors 2021-06-22 14:56:47 +01:00
machinectl completion: fix 'unbound variables' errors 2021-06-22 14:56:47 +01:00
meson.build meson: use a/b instead of join_paths(a,b) 2021-07-27 19:32:35 +02:00
networkctl completion: fix 'unbound variables' errors 2021-06-22 14:56:47 +01:00
portablectl completion: fix 'unbound variables' errors 2021-06-22 14:56:47 +01:00
resolvectl completion: fix 'unbound variables' errors 2021-06-22 14:56:47 +01:00
systemctl.in completion: fix 'unbound variables' errors 2021-06-22 14:56:47 +01:00
systemd-analyze systemd-analyze: add new option to generate JSON output of security analysis table 2021-09-06 19:55:27 +01:00
systemd-cat bash-completion: localize words and cword variables 2021-04-06 16:15:13 +02:00
systemd-cgls bash-completion: localize words and cword variables 2021-04-06 16:15:13 +02:00
systemd-cgtop bash-completion: localize words and cword variables 2021-04-06 16:15:13 +02:00
systemd-delta completion: fix 'unbound variables' errors 2021-06-22 14:56:47 +01:00
systemd-detect-virt bash-completion: localize words and cword variables 2021-04-06 16:15:13 +02:00
systemd-id128 completion: fix 'unbound variables' errors 2021-06-22 14:56:47 +01:00
systemd-nspawn bash: update shell completion for new nspawn option 2021-05-07 22:44:35 +02:00
systemd-path bash-completion: localize words and cword variables 2021-04-06 16:15:13 +02:00
systemd-resolve completion/systemd-delta,-resolve: autocomplete with parameters 2021-06-22 14:56:47 +01:00
systemd-run Revert "Introduce ExitType" 2021-06-30 21:56:47 +02:00
timedatectl completion: fix 'unbound variables' errors 2021-06-22 14:56:47 +01:00
udevadm udevadm: introduce -a|--action option for test-builtin command 2021-08-18 00:08:08 +09:00