4b4a8ef741
The new option --json= works with the 'security' verb and takes one of three format flags:
off, which is the default, and pretty and short, which use JSON format flags for output.
When set to pretty or short, it generates a JSON formatted output of the security analysis table. The
format is a JSON array with objects containing the following fields: set which indicates if
the id has been set or not, name which is what is used to refer to the id, json_field
which is the equivalent JSON formatted id name only used for JSON outputs, description which
is an outline of the id state, and exposure which is an unsigned integer in the range 0.0..10.0,
where a higher value corresponds to a higher security threat. The JSON version of the table is
printed on the standard output file.
Example Run:
The unit file testfile.service was created to test the --json= option
maanya-goenka@debian:~/systemd (json-security)$ cat <<EOF >testfile.service
> [Service]
> ExecStart = echo hello
> PrivateNetwork = yes
> PrivateMounts = yes
> PrivateDevices = yes
> EOF
Both the JSON output and the security analysis table below have been truncated to increase readability.
1. Testing for when --json=off
maanya-goenka@debian:~/systemd (json-security)$ sudo build/systemd-analyze security --json=off --root= --offline=true
testfile.service --no-pager
/usr/lib/systemd/system/plymouth-start.service:15: Unit configured to use KillMode=none. This is unsafe, as it disables systemd's
process lifecycle management for the service. Please update your service to use a safer KillMode=, such as 'mixed' or 'control-group'.
Support for KillMode=none is deprecated and will eventually be removed.
/usr/lib/systemd/system/dbus.socket:5: ListenStream= references a path below legacy directory /var/run/, updating
/var/run/dbus/system_bus_socket → /run/dbus/system_bus_socket; please update the unit file accordingly.
/usr/lib/systemd/system/gdm.service:30: Standard output type syslog is obsolete, automatically updating to journal. Please update your
unit file, and consider removing the setting altogether.
/home/maanya-goenka/systemd/foo.service:2: Unknown key name 'foo' in section 'Unit', ignoring.
NAME DESCRIPTION EXPOSURE
✓ PrivateNetwork= Service has no access to the host's network
✗ User=/DynamicUser= Service runs as root user 0.4
✗ CapabilityBoundingSet=~CAP_SET(UID|GID|PCAP) Service may change UID/GID identities/capabilities 0.3
✗ CapabilityBoundingSet=~CAP_NET_ADMIN Service has administrator privileges 0.3
→ Overall exposure level for testfile.service: 8.3 EXPOSED 🙁
2. Testing for when --json=pretty
maanya-goenka@debian:~/systemd (json-security)$ sudo build/systemd-analyze security --json=pretty --root= --offline=true
testfile.service
/usr/lib/systemd/system/plymouth-start.service:15: Unit configured to use KillMode=none. This is unsafe, as it disables systemd's
process lifecycle management for the service. Please update your service to use a safer KillMode=, such as 'mixed' or 'control-group'.
Support for KillMode=none is deprecated and will eventually be removed.
/usr/lib/systemd/system/dbus.socket:5: ListenStream= references a path below legacy directory /var/run/, updating
/var/run/dbus/system_bus_socket → /run/dbus/system_bus_socket; please update the unit file accordingly.
/usr/lib/systemd/system/gdm.service:30: Standard output type syslog is obsolete, automatically updating to journal. Please update your
unit file, and consider removing the setting altogether.
/home/maanya-goenka/systemd/foo.service:2: Unknown key name 'foo' in section 'Unit', ignoring.
[
{
"set" : true,
"name" : "PrivateNetwork=",
"json-field" : "PrivateNetwork",
"description" : "Service has no access to the host's network",
"exposure" : null
},
{
"set" : false,
"name" : "User=/DynamicUser=",
"json-field" : "UserOrDynamicUser",
"decsription" : "Service runs as root user",
"exposure" : "0.4"
},
{
"set" : false,
"name" : "CapabilityBoundingSet=~CAP_SET(UID|GID|PCAP)",
"json_field" : "CapabilityBoundingSet_CAP_SET_UID_GID_PCAP",
"description" : "Service may change UID/GID identities/capabilities",
"exposure" : "0.3"
},
{
"set" : false,
"name" : "CapabilityBoundingSet=~CAP_NET_ADMIN",
"json_field" : "CapabilityBoundingSet_CAP_NET_ADMIN",
"description" : "Service has administrator privileges",
"exposure" : "0.3"
},
...
]
3. Testing for when --json=short
maanya-goenka@debian:~/systemd (json-security)$ sudo build/systemd-analyze security --json=short --root= --offline=true
testfile.service
/usr/lib/systemd/system/plymouth-start.service:15: Unit configured to use KillMode=none. This is unsafe, as it disables systemd's
process lifecycle management for the service. Please update your service to use a safer KillMode=, such as 'mixed' or 'control-group'.
Support for KillMode=none is deprecated and will eventually be removed.
/usr/lib/systemd/system/dbus.socket:5: ListenStream= references a path below legacy directory /var/run/, updating
/var/run/dbus/system_bus_socket → /run/dbus/system_bus_socket; please update the unit file accordingly.
/usr/lib/systemd/system/gdm.service:30: Standard output type syslog is obsolete, automatically updating to journal. Please update your
unit file, and consider removing the setting altogether.
/home/maanya-goenka/systemd/foo.service:2: Unknown key name 'foo' in section 'Unit', ignoring.
[{"set":true,"name":"PrivateNetwork=", "json_field":"PrivateNetwork", "description":"Service has no access to the host's network","exposure":null}, ...]
#compdef systemd-analyze
# SPDX-License-Identifier: LGPL-2.1-or-later
(( $+functions[_systemd-analyze_log-level] )) ||
_systemd-analyze_log-level() {
  # Argument completer for the log-level verb: offers the syslog-style
  # priority names, and falls back to plain compadd if _describe adds nothing.
  local -a levels=(debug info notice warning err crit alert emerg)
  _describe -t level 'logging level' levels || compadd "$@"
}

(( $+functions[_systemd-analyze_log-target] )) ||
_systemd-analyze_log-target() {
  # Argument completer for the log-target verb: offers the known log sinks,
  # and falls back to plain compadd if _describe adds nothing.
  local -a targets=(console journal kmsg journal-or-kmsg null)
  _describe -t target 'logging target' targets || compadd "$@"
}

(( $+functions[_systemd-analyze_verify] )) ||
# 'verify' takes unit files as its positional arguments; delegate to the
# shared systemd unit-file completer.
_systemd-analyze_verify() { _sd_unit_files; }

(( $+functions[_systemd-analyze_service-watchdogs] )) ||
_systemd-analyze_service-watchdogs() {
  # Argument completer for the service-watchdogs verb: the only accepted
  # values are on/off; fall back to plain compadd if _describe adds nothing.
  local -a states=(on off)
  _describe -t state 'state' states || compadd "$@"
}

(( $+functions[_systemd-analyze_cat-config] )) ||
_systemd-analyze_cat-config() {
  # Complete files found below the systemd configuration roots, displaying
  # each match with a 'systemd/' prefix.
  local -a roots=(/run/systemd/ /etc/systemd/ /usr/lib/systemd/)
  _files -W "(${(j: :)roots})" -P 'systemd/'
}

(( $+functions[_systemd-analyze_security] )) ||
# 'security' analyzes the unit files given as positional arguments; delegate
# to the shared systemd unit-file completer.
_systemd-analyze_security() { _sd_unit_files; }

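(( $+functions[_systemd-analyze_commands] )) ||
_systemd-analyze_commands() {
  # Complete the systemd-analyze verb when it is the first word; otherwise
  # look the typed verb up and dispatch to _systemd-analyze_<verb> for its
  # (single) argument. Unknown verbs and extra arguments get a message.
  local -a _systemd_analyze_cmds
  # Declared local so the lookup result does not leak into the caller's shell.
  local cmd

  # Descriptions taken from systemd-analyze --help.
  _systemd_analyze_cmds=(
    'time:Print time spent in the kernel before reaching userspace'
    'blame:Print list of running units ordered by time to init'
    'critical-chain:Print a tree of the time critical chain of units'
    'plot:Output SVG graphic showing service initialization'
    'dot:Dump dependency graph (in dot(1) format)'
    'dump:Dump server status'
    'cat-config:Cat systemd config files'
    'unit-files:List files and symlinks for units'
    'unit-paths:List unit load paths'
    'exit-status:List known exit statuses'
    'syscall-filter:List syscalls in seccomp filter'
    'condition:Evaluate Condition*= and Assert*= assignments'
    'verify:Check unit files for correctness'
    'calendar:Validate repetitive calendar time events'
    'timestamp:Parse a systemd syntax timestamp'
    'timespan:Parse a systemd syntax timespan'
    'security:Analyze security settings of a service'
    # 'log-level:Get/set systemd log threshold'
    # 'log-target:Get/set systemd log target'
    # 'service-watchdogs:Get/set service watchdog status'
  )

  if (( CURRENT == 1 )); then
    _describe "options" _systemd_analyze_cmds
  else
    local curcontext="$curcontext"
    # Reverse-subscript lookup of "<verb>:<description>". The (b) flag
    # backslash-quotes pattern characters in the typed word so it is matched
    # literally instead of acting as a glob; %%:* then strips the description.
    cmd="${_systemd_analyze_cmds[(r)${(b)words[1]}:*]%%:*}"
    if (( $#cmd )); then
      if (( $+functions[_systemd-analyze_$cmd] )) && (( CURRENT == 2 )); then
        "_systemd-analyze_$cmd"
      else
        _message "no more options"
      fi
    else
      _message "unknown systemd-analyze command: $words[1]"
    fi
  fi
}
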
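# Top-level option table. PATH-valued options complete files/directories,
# and options with a fixed value set list those values (--recursive-errors=
# takes yes/no/one, the booleans take yes/no, --json= takes pretty/short/off).
# The trailing '*::' spec hands the verb and its arguments to
# _systemd-analyze_commands.
_arguments \
  {-h,--help}'[Show help text]' \
  '--version[Show package version]' \
  '--system[Operate on system systemd instance]' \
  '--user[Operate on user systemd instance]' \
  '--global[Show global user instance config]' \
  '--root=[Add support for root argument]:PATH:_files -/' \
  '--image=[Add support for discrete images]:PATH:_files' \
  '--recursive-errors=[When verifying a unit, control dependency verification]:MODE:(yes no one)' \
  '--offline=[Perform a security review of the specified unit file(s)]:BOOL:(yes no)' \
  '--threshold=[Set a value to compare the overall security exposure level with]:NUMBER' \
  '--security-policy=[Allow user to use customized requirements to compare unit file(s) against]:PATH:_files' \
  '--json=[Generate a JSON output of the security analysis table]:MODE:(pretty short off)' \
  '--no-pager[Do not pipe output into a pager]' \
  '--man=[Do (not) check for existence of man pages]:boolean:(1 0)' \
  '--order[When generating graph for dot, show only order]' \
  '--require[When generating graph for dot, show only requirement]' \
  '--fuzz=[When printing the tree of the critical chain, print also services, which finished TIMESPAN earlier, than the latest in the branch]:TIMESPAN' \
  '--from-pattern=[When generating a dependency graph, filter only origins]:GLOB' \
  '--to-pattern=[When generating a dependency graph, filter only destinations]:GLOB' \
  {-H+,--host=}'[Operate on remote host]:userathost:_sd_hosts_or_user_at_host' \
  {-M+,--machine=}'[Operate on local container]:machine:_sd_machines' \
  '*::systemd-analyze commands:_systemd-analyze_commands'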