mirror of
https://github.com/systemd/systemd.git
synced 2024-12-26 03:22:00 +03:00
dfbda8799c
--threshold option added to work with security verb and with the --offline option so that users can determine what qualifies as a security threat. The threshold set by the user is compared with the overall exposure level assigned to a unit file and if the exposure is higher than the threshold, 'security' will return a non-zero exit status. The default value of the --threshold option is 100. Example Run: 1. testcase.service is a unit file created for testing the --threshold option maanya-goenka@debian:~/systemd (systemd-security)$ cat<<EOF>testcase.service > [Service] > ExecStart = echo hello > EOF For the purposes of this demo, the security table outputted below has been cut to show only the first two security settings. maanya-goenka@debian:~/systemd (systemd-security)$ sudo build/systemd-analyze security --offline=true testcase.service /usr/lib/systemd/system/plymouth-start.service:15: Unit configured to use KillMode=none. This is unsafe, as it disables systemd's process lifecycle management for the service. Please update your service to use a safer KillMode=, such as 'mixed' or 'control-group'. Support for KillMode=none is deprecated and will eventually be removed. /usr/lib/systemd/system/gdm.service:30: Standard output type syslog is obsolete, automatically updating to journal. Please update your unit file, and consider removing the setting altogether. /usr/lib/systemd/system/dbus.socket:5: ListenStream= references a path below legacy directory /var/run/, updating /var/run/dbus/system_bus_socket → /run/dbus/system_bus_socket; please update the unit file accordingly. NAME DESCRIPTION EXPOSURE ✗ PrivateNetwork= Service has access to the host's network 0.5 ✗ User=/DynamicUser= Service runs as root user 0.4 → Overall exposure level for testcase.service: 9.6 UNSAFE 😨 maanya-goenka@debian:~/systemd (systemd-security)$ echo $? 0 2. Next, we use the same testcase.service file but add an additional --threshold=60 parameter. We would expect 'security' to exit with a non-zero status because the overall exposure level (= 96) is higher than the set threshold (= 60). maanya-goenka@debian:~/systemd (systemd-security)$ sudo build/systemd-analyze security --offline=true --threshold=60 testcase.service /usr/lib/systemd/system/plymouth-start.service:15: Unit configured to use KillMode=none. This is unsafe, as it disables systemd's process lifecycle management for the service. Please update your service to use a safer KillMode=, such as 'mixed' or 'control-group'. Support for KillMode=none is deprecated and will eventually be removed. /usr/lib/systemd/system/gdm.service:30: Standard output type syslog is obsolete, automatically updating to journal. Please update your unit file, and consider removing the setting altogether. /usr/lib/systemd/system/dbus.socket:5: ListenStream= references a path below legacy directory /var/run/, updating /var/run/dbus/system_bus_socket → /run/dbus/system_bus_socket; please update the unit file accordingly. NAME DESCRIPTION EXPOSURE ✗ PrivateNetwork= Service has access to the host's network 0.5 ✗ User=/DynamicUser= Service runs as root user 0.4 → Overall exposure level for testcase.service: 9.6 UNSAFE 😨 maanya-goenka@debian:~/systemd (systemd-security)$ echo $? 1 |
||
---|---|---|
.. | ||
bootctl | ||
busctl | ||
coredumpctl | ||
homectl | ||
hostnamectl | ||
journalctl | ||
kernel-install | ||
localectl | ||
loginctl | ||
machinectl | ||
meson.build | ||
networkctl | ||
portablectl | ||
resolvectl | ||
systemctl.in | ||
systemd-analyze | ||
systemd-cat | ||
systemd-cgls | ||
systemd-cgtop | ||
systemd-delta | ||
systemd-detect-virt | ||
systemd-id128 | ||
systemd-nspawn | ||
systemd-path | ||
systemd-resolve | ||
systemd-run | ||
timedatectl | ||
udevadm |