mirror of
https://github.com/systemd/systemd.git
synced 2025-02-09 13:57:42 +03:00
dfbda8799c
--threshold option added to work with security verb and with the --offline option so that
users can determine what qualifies as a security threat. The threshold set by the user is
compared with the overall exposure level assigned to a unit file and if the exposure is
higher than the threshold, 'security' will return a non-zero exit status. The default value
of the --threshold option is 100.
Example Run:
1. testcase.service is a unit file created for testing the --threshold option
maanya-goenka@debian:~/systemd (systemd-security)$ cat<<EOF>testcase.service
> [Service]
> ExecStart = echo hello
> EOF
For the purposes of this demo, the security table outputted below has been cut to show only the first two security settings.
maanya-goenka@debian:~/systemd (systemd-security)$ sudo build/systemd-analyze security --offline=true testcase.service
/usr/lib/systemd/system/plymouth-start.service:15: Unit configured to use KillMode=none. This is unsafe, as it disables systemd's
process lifecycle management for the service. Please update your service to use a safer KillMode=, such as 'mixed' or 'control-group'.
Support for KillMode=none is deprecated and will eventually be removed.
/usr/lib/systemd/system/gdm.service:30: Standard output type syslog is obsolete, automatically updating to journal. Please update your
unit file, and consider removing the setting altogether.
/usr/lib/systemd/system/dbus.socket:5: ListenStream= references a path below legacy directory /var/run/, updating
/var/run/dbus/system_bus_socket → /run/dbus/system_bus_socket; please update the unit file accordingly.
NAME DESCRIPTION EXPOSURE
✗ PrivateNetwork= Service has access to the host's network 0.5
✗ User=/DynamicUser= Service runs as root user 0.4
→ Overall exposure level for testcase.service: 9.6 UNSAFE 😨
maanya-goenka@debian:~/systemd (systemd-security)$ echo $? 0
2. Next, we use the same testcase.service file but add an additional --threshold=60 parameter. We would expect 'security' to exit
with a non-zero status because the overall exposure level (= 96) is higher than the set threshold (= 60).
maanya-goenka@debian:~/systemd (systemd-security)$ sudo build/systemd-analyze security --offline=true --threshold=60 testcase.service
/usr/lib/systemd/system/plymouth-start.service:15: Unit configured to use KillMode=none. This is unsafe, as it disables systemd's
process lifecycle management for the service. Please update your service to use a safer KillMode=, such as 'mixed' or 'control-group'.
Support for KillMode=none is deprecated and will eventually be removed.
/usr/lib/systemd/system/gdm.service:30: Standard output type syslog is obsolete, automatically updating to journal. Please update your
unit file, and consider removing the setting altogether.
/usr/lib/systemd/system/dbus.socket:5: ListenStream= references a path below legacy directory /var/run/, updating
/var/run/dbus/system_bus_socket → /run/dbus/system_bus_socket; please update the unit file accordingly.
NAME DESCRIPTION EXPOSURE
✗ PrivateNetwork= Service has access to the host's network 0.5
✗ User=/DynamicUser= Service runs as root user 0.4
→ Overall exposure level for testcase.service: 9.6 UNSAFE 😨
maanya-goenka@debian:~/systemd (systemd-security)$ echo $? 1
105 lines
4.5 KiB
Plaintext
105 lines
4.5 KiB
Plaintext
#compdef systemd-analyze
|
|
# SPDX-License-Identifier: LGPL-2.1-or-later
|
|
|
|
(( $+functions[_systemd-analyze_log-level] )) ||
|
|
_systemd-analyze_log-level() {
|
|
local -a _levels
|
|
_levels=(debug info notice warning err crit alert emerg)
|
|
_describe -t level 'logging level' _levels || compadd "$@"
|
|
}
|
|
|
|
(( $+functions[_systemd-analyze_log-target] )) ||
|
|
_systemd-analyze_log-target() {
|
|
local -a _targets
|
|
_targets=(console journal kmsg journal-or-kmsg null)
|
|
_describe -t target 'logging target' _targets || compadd "$@"
|
|
}
|
|
|
|
(( $+functions[_systemd-analyze_verify] )) ||
|
|
_systemd-analyze_verify() {
|
|
_sd_unit_files
|
|
}
|
|
|
|
(( $+functions[_systemd-analyze_service-watchdogs] )) ||
|
|
_systemd-analyze_service-watchdogs() {
|
|
local -a _states
|
|
_states=(on off)
|
|
_describe -t state 'state' _states || compadd "$@"
|
|
}
|
|
|
|
(( $+functions[_systemd-analyze_cat-config] )) ||
|
|
_systemd-analyze_cat-config() {
|
|
_files -W '(/run/systemd/ /etc/systemd/ /usr/lib/systemd/)' -P 'systemd/'
|
|
}
|
|
|
|
(( $+functions[_systemd-analyze_security] )) ||
|
|
_systemd-analyze_security() {
|
|
_sd_unit_files
|
|
}
|
|
|
|
(( $+functions[_systemd-analyze_commands] )) ||
|
|
_systemd-analyze_commands(){
|
|
local -a _systemd_analyze_cmds
|
|
# Descriptions taken from systemd-analyze --help.
|
|
_systemd_analyze_cmds=(
|
|
'time:Print time spent in the kernel before reaching userspace'
|
|
'blame:Print list of running units ordered by time to init'
|
|
'critical-chain:Print a tree of the time critical chain of units'
|
|
'plot:Output SVG graphic showing service initialization'
|
|
'dot:Dump dependency graph (in dot(1) format)'
|
|
'dump:Dump server status'
|
|
'cat-config:Cat systemd config files'
|
|
'unit-files:List files and symlinks for units'
|
|
'unit-paths:List unit load paths'
|
|
'exit-status:List known exit statuses'
|
|
'syscall-filter:List syscalls in seccomp filter'
|
|
'condition:Evaluate Condition*= and Assert*= assignments'
|
|
'verify:Check unit files for correctness'
|
|
'calendar:Validate repetitive calendar time events'
|
|
'timestamp:Parse a systemd syntax timestamp'
|
|
'timespan:Parse a systemd syntax timespan'
|
|
'security:Analyze security settings of a service'
|
|
# 'log-level:Get/set systemd log threshold'
|
|
# 'log-target:Get/set systemd log target'
|
|
# 'service-watchdogs:Get/set service watchdog status'
|
|
)
|
|
|
|
if (( CURRENT == 1 )); then
|
|
_describe "options" _systemd_analyze_cmds
|
|
else
|
|
local curcontext="$curcontext"
|
|
cmd="${${_systemd_analyze_cmds[(r)$words[1]:*]%%:*}}"
|
|
if (( $#cmd )); then
|
|
if (( $+functions[_systemd-analyze_$cmd] )) && (( CURRENT == 2 )); then
|
|
_systemd-analyze_$cmd
|
|
else
|
|
_message "no more options"
|
|
fi
|
|
else
|
|
_message "unknown systemd-analyze command: $words[1]"
|
|
fi
|
|
fi
|
|
}
|
|
|
|
_arguments \
|
|
{-h,--help}'[Show help text]' \
|
|
'--version[Show package version]' \
|
|
'--system[Operate on system systemd instance]' \
|
|
'--user[Operate on user systemd instance]' \
|
|
'--global[Show global user instance config]' \
|
|
'--root=[Add support for root argument]:PATH' \
|
|
'--image=[Add support for discrete images]:PATH' \
|
|
'--recursive-errors=[When verifying a unit, control dependency verification]:MODE' \
|
|
'--offline=[Perform a security review of the specified unit file(s)]:BOOL' \
|
|
'--threshold=[Set a value to compare the overall security exposure level with]: NUMBER' \
|
|
'--no-pager[Do not pipe output into a pager]' \
|
|
'--man=[Do (not) check for existence of man pages]:boolean:(1 0)' \
|
|
'--order[When generating graph for dot, show only order]' \
|
|
'--require[When generating graph for dot, show only requirement]' \
|
|
'--fuzz=[When printing the tree of the critical chain, print also services, which finished TIMESPAN earlier, than the latest in the branch]:TIMESPAN' \
|
|
'--from-pattern=[When generating a dependency graph, filter only origins]:GLOB' \
|
|
'--to-pattern=[When generating a dependency graph, filter only destinations]:GLOB' \
|
|
{-H+,--host=}'[Operate on remote host]:userathost:_sd_hosts_or_user_at_host' \
|
|
{-M+,--machine=}'[Operate on local container]:machine:_sd_machines' \
|
|
'*::systemd-analyze commands:_systemd-analyze_commands'
|