mirror of
https://github.com/systemd/systemd.git
synced 2024-11-01 17:51:22 +03:00
ecfd082b71
A new option --security-policy= is added to work with the 'security' verb in order to enable users to create and pass in a JSON file consisting of user defined requirements against which to compare the specified unit file(s). These requirements then serve as the measure of security threats for the file instead of the initial hard coded set of requirements that the 'security' verb of systemd-analyze relied on. Example Run: A snapshot of the user defined testfile.json file is shown below instead of the complete file for readability purposes. { "PrivateDevices": {"description_good": "Service has no access to hardware devices", "description_bad": "Service potentially has access to hardware devices", "weight": 1000, "range": 1 }, "PrivateMounts": {"description_good": "Service cannot install system mounts", "description_bad": "Service may install system mounts", "weight": 1000, "range": 1 }, "PrivateNetwork": {"description_good": "Service has no access to the host's network", "description_bad": "Service has access to the host's network", "weight": 2500, "range": 1 }, "PrivateTmp": {"description_good": "Service has no access to other software's temporary files", "description_bad": "Service has access to other software's temporary files", "weight": 1000, "range": 1 }, "PrivateUsers": {"description_good": "Service does not have access to other users", "description_bad": "Service has access to other users", "weight": 1000, "range": 1 } } 1. I created the jsontest.service file in order to test the --security-policy= option as follows: maanya-goenka@debian:~/systemd (custom-security)$ cat<<EOF>jsontest.service > [Service] > ExecStart = echo hello > PrivateNetwork = yes > PrivateDevices = yes > PrivateMounts = yes > EOF The security analysis table outputted below has been truncated to include only the first few lines for readability. maanya-goenka@debian:~/systemd (custom-security)$ sudo build/systemd-analyze security --root= --offline=true --security-policy=src/analyze/testfile.json jsontest.service /usr/lib/systemd/system/plymouth-start.service:15: Unit configured to use KillMode=none. This is unsafe, as it disables systemd's process lifecycle management for the service. Please update your service to use a safer KillMode=, such as 'mixed' or 'control-group'. Support for KillMode=none is deprecated and will eventually be removed. /usr/lib/systemd/system/gdm.service:30: Standard output type syslog is obsolete, automatically updating to journal. Please update your unit file, and consider removing the setting altogether. /usr/lib/systemd/system/dbus.socket:5: ListenStream= references a path below legacy directory /var/run/, updating /var/run/dbus/system_bus_socket → /run/dbus/system_bus_socket; please update the unit file accordingly. NAME DESCRIPTION ✓ PrivateNetwork Service has no access to the host's network ✗ UserOrDynamicUser Service runs as root user ✗ CapabilityBoundingSet_CAP_SET_UID_GID_PCAP Service may change UID/GID identities/capabilities ✓ PrivateMounts Service cannot install system mounts ✓ PrivateDevices Service has no access to hardware devices → Overall exposure level for jsontest.service: 8.3 EXPOSED 🙁 maanya-goenka@debian:~/systemd (custom-security)$ echo $? 0 2. In order to ensure that the JSON data was actually being correctly parsed, I made some changes to the JSON file, specifically to the id "PrivateNetwork" as follows: Before: -------- "PrivateNetwork": {"description_good": "Service has no access to the host's network", "description_bad": "Service has access to the host's network", "weight": 2500, "range": 1 } After: -------- "PrivateNetwork": {"description_good": "Service runs without access to host network", "description_bad": "Service has access to the host's network", "weight": 6000, "range": 1 } As expected, the new description for the description_good field of the Private Network id was updated in the analysis table outputted below and the overall exposure level of the unit file decreased because the weight assigned to 'Private Network' (which is set to yes) increased from 2500 to 6000. maanya-goenka@debian:~/systemd (custom-security)$ sudo build/systemd-analyze security --root= --offline=true --security-policy=src/analyze/testfile.json jsontest.service /usr/lib/systemd/system/plymouth-start.service:15: Unit configured to use KillMode=none. This is unsafe, as it disables systemd's process lifecycle management for the service. Please update your service to use a safer KillMode=, such as 'mixed' or 'control-group'. Support for KillMode=none is deprecated and will eventually be removed. /usr/lib/systemd/system/gdm.service:30: Standard output type syslog is obsolete, automatically updating to journal. Please update your unit file, and consider removing the setting altogether. /usr/lib/systemd/system/dbus.socket:5: ListenStream= references a path below legacy directory /var/run/, updating /var/run/dbus/system_bus_socket → /run/dbus/system_bus_socket; please update the unit file accordingly. NAME DESCRIPTION ✓ PrivateNetwork Service runs without access to the host's network ✗ UserOrDynamicUser Service runs as root user ✗ CapabilityBoundingSet_CAP_SET_UID_GID_PCAP Service may change UID/GID identities/capabilities ✓ PrivateMounts Service cannot install system mounts ✓ PrivateDevices Service has no access to hardware devices → Overall exposure level for jsontest.service: 7.8 EXPOSED 🙁 maanya-goenka@debian:~/systemd (custom-security)$ echo $? 0 3. When paired with security's --threshold= option, systemd-analyze exits with a non-zero error status indicating that the overall exposure level for the unit file (=78) is greater than the set threshold (=70). The same jsontest.service file is used for the demo run below: maanya-goenka@debian:~/systemd (custom-security)$ sudo build/systemd-analyze security --root= --offline=true --security-policy=src/analyze/testfile.json --threshold=70 jsontest.service /usr/lib/systemd/system/plymouth-start.service:15: Unit configured to use KillMode=none. This is unsafe, as it disables systemd's process lifecycle management for the service. Please update your service to use a safer KillMode=, such as 'mixed' or 'control-group'. Support for KillMode=none is deprecated and will eventually be removed. /usr/lib/systemd/system/gdm.service:30: Standard output type syslog is obsolete, automatically updating to journal. Please update your unit file, and consider removing the setting altogether. /usr/lib/systemd/system/dbus.socket:5: ListenStream= references a path below legacy directory /var/run/, updating /var/run/dbus/system_bus_socket → /run/dbus/system_bus_socket; please update the unit file accordingly. NAME DESCRIPTION ✓ PrivateNetwork Service runs without access to host network ✗ UserOrDynamicUser Service runs as root user ✗ CapabilityBoundingSet_CAP_SET_UID_GID_PCAP Service may change UID/GID identities/capabilities ✓ PrivateMounts Service cannot install system mounts ✓ PrivateDevices Service has no access to hardware devices → Overall exposure level for jsontest.service: 7.8 EXPOSED 🙁 maanya-goenka@debian:~/systemd (custom-security)$ echo $? 1 new option |
||
---|---|---|
.. | ||
bootctl | ||
busctl | ||
coredumpctl | ||
homectl | ||
hostnamectl | ||
journalctl | ||
kernel-install | ||
localectl | ||
loginctl | ||
machinectl | ||
meson.build | ||
networkctl | ||
portablectl | ||
resolvectl | ||
systemctl.in | ||
systemd-analyze | ||
systemd-cat | ||
systemd-cgls | ||
systemd-cgtop | ||
systemd-delta | ||
systemd-detect-virt | ||
systemd-id128 | ||
systemd-nspawn | ||
systemd-path | ||
systemd-resolve | ||
systemd-run | ||
timedatectl | ||
udevadm |