Commit bb43d85319 by Maanya Goenka: systemd-analyze: 'security' option to perform offline reviews of the specified unit file(s)
New option --offline which works with the 'security' command and takes in a boolean value. When set to true,
it performs an offline security review of the specified unit file(s). It does not rely on PID 1 to acquire
security information for the files like 'security' when used by itself does. It makes use of the refactored
security_info struct instead (commit #8cd669d3d3cf1b5e8667acc46ba290a9e8a8e529). This means that --offline can be
used with --image and --root as well. When used with --threshold, if a unit's overall exposure level is above
that set by the user, the default value being 100, --offline returns a non-zero exit status.

Example Run:

1. testcase.service is a unit file created for testing the --offline option

maanya-goenka@debian:~/systemd (systemd-security)$ cat<<EOF>testcase.service

> [Service]
> ExecStart = echo hello
> EOF

For the purposes of this demo, the security table outputted below has been cut to show only the first two security settings.

maanya-goenka@debian:~/systemd (systemd-security)$ sudo build/systemd-analyze security --offline=true testcase.service
/usr/lib/systemd/system/plymouth-start.service:15: Unit configured to use KillMode=none. This is unsafe, as it disables systemd's
process lifecycle management for the service. Please update your service to use a safer KillMode=, such as 'mixed' or 'control-group'.
Support for KillMode=none is deprecated and will eventually be removed.
/usr/lib/systemd/system/gdm.service:30: Standard output type syslog is obsolete, automatically updating to journal. Please update your
unit file, and consider removing the setting altogether.
/usr/lib/systemd/system/dbus.socket:5: ListenStream= references a path below legacy directory /var/run/, updating
/var/run/dbus/system_bus_socket → /run/dbus/system_bus_socket; please update the unit file accordingly.

  NAME                                        DESCRIPTION                                                       EXPOSURE
✗ PrivateNetwork=                             Service has access to the host's network                          0.5
✗ User=/DynamicUser=                          Service runs as root user                                         0.4

→ Overall exposure level for testcase.service: 9.6 UNSAFE 😨

maanya-goenka@debian:~/systemd (systemd-security)$ echo $?
0

2. The testcase.service unit file is modified to set PrivateNetwork to "yes". This reduces the exposure level from 9.6 to 9.1.

maanya-goenka@debian:~/systemd (systemd-security)$ nano testcase.service

> [Service]
> ExecStart = echo hello
> PrivateNetwork = yes
> EOF

maanya-goenka@debian:~/systemd (systemd-security)$ sudo build/systemd-analyze security --offline=true testcase.service
/usr/lib/systemd/system/plymouth-start.service:15: Unit configured to use KillMode=none. This is unsafe, as it disables systemd's
process lifecycle management for the service. Please update your service to use a safer KillMode=, such as 'mixed' or 'control-group'.
Support for KillMode=none is deprecated and will eventually be removed.
/usr/lib/systemd/system/gdm.service:30: Standard output type syslog is obsolete, automatically updating to journal. Please update your
unit file, and consider removing the setting altogether.
/usr/lib/systemd/system/dbus.socket:5: ListenStream= references a path below legacy directory /var/run/, updating
/var/run/dbus/system_bus_socket → /run/dbus/system_bus_socket; please update the unit file accordingly.

  NAME                                        DESCRIPTION                                                       EXPOSURE
✓ PrivateNetwork=                             Service has access to the host's network
✗ User=/DynamicUser=                          Service runs as root user                                         0.4

→ Overall exposure level for testcase.service: 9.1 UNSAFE 😨

maanya-goenka@debian:~/systemd (systemd-security)$ echo $?
0

3. Next, we use the same testcase.service unit file but add the additional --threshold=60 option to see how --threshold works with
--offline. Since the overall exposure level is 91 which is greater than the threshold value set by the user (= 60), we can expect
a non-zero exit status.

maanya-goenka@debian:~/systemd (systemd-security)$ sudo build/systemd-analyze security --offline=true --threshold=60 testcase.service
/usr/lib/systemd/system/plymouth-start.service:15: Unit configured to use KillMode=none. This is unsafe, as it disables systemd's
process lifecycle management for the service. Please update your service to use a safer KillMode=, such as 'mixed' or 'control-group'.
Support for KillMode=none is deprecated and will eventually be removed.
/usr/lib/systemd/system/gdm.service:30: Standard output type syslog is obsolete, automatically updating to journal. Please update your
unit file, and consider removing the setting altogether.
/usr/lib/systemd/system/dbus.socket:5: ListenStream= references a path below legacy directory /var/run/, updating
/var/run/dbus/system_bus_socket → /run/dbus/system_bus_socket; please update the unit file accordingly.

  NAME                                        DESCRIPTION                                                       EXPOSURE
✓ PrivateNetwork=                             Service has access to the host's network
✗ User=/DynamicUser=                          Service runs as root user                                         0.4

→ Overall exposure level for testcase.service: 9.1 UNSAFE 😨

maanya-goenka@debian:~/systemd (systemd-security)$ echo $?
1

Committed 2021-08-20 10:59:13 -07:00
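The commit above explains the pieces a practitioner would combine in a build pipeline: `--offline=` reviews unit files from disk without PID 1, `--root=` points it at an unpacked image, and `--threshold=` turns the exposure score into an exit status (the score is printed as 9.1 but compared on the 0-100 scale, hence "91" against a threshold of 60). The following POSIX shell helper is an added example written for this page; it is not code from the systemd commit or the project. The function names, the `SD_ROOT` variable and the embedded `SAMPLE_SUMMARY` line are constructed for the example; the only systemd interfaces it relies on are the `security` verb with `--offline=`, `--threshold=`, `--root=`, its exit status and the "Overall exposure level" summary line shown in the commit.

```shell
#!/bin/sh
# Added example, not part of systemd: gate unit files on the exposure score that
# `systemd-analyze security --offline=` computes, without talking to PID 1.
# Assumptions (mine, not the project's): the function names, the SD_ROOT
# variable and SAMPLE_SUMMARY below are constructed for this example.

# Pull the "9.1"-style score out of captured systemd-analyze output.
# Field-based so the arrow and the emoji around the score do not matter.
exposure_of() {
    printf '%s\n' "$1" | awk '
        /Overall exposure level for/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^[0-9]+\.[0-9]$/) { print $i; exit }
        }'
}

# The tool prints the score as X.Y but --threshold= takes the 0-100 scale,
# so 9.1 must be compared as 91 (the commit compares 91 against 60).
scale_exposure() {
    printf '%s\n' "$1" | awk -F. '{ printf "%d\n", $1 * 10 + $2 }'
}

# 0 if the score is within the threshold, 1 if it exceeds it
# (mirrors the non-zero exit status --threshold= produces).
within_threshold() {
    [ "$(scale_exposure "$1")" -le "$2" ]
}

# Review every unit file given on the command line against a threshold.
# SD_ROOT (optional, assumed path without whitespace) is passed as --root=
# so an unpacked image can be reviewed from the build host.
# Returns 1 if any unit exceeds the threshold, 2 if the tool is missing.
gate_units() {
    threshold=$1; shift
    command -v systemd-analyze >/dev/null 2>&1 || {
        echo "systemd-analyze not installed" >&2; return 2; }
    rc=0
    for unit in "$@"; do
        if systemd-analyze security --offline=true --threshold="$threshold" \
                ${SD_ROOT:+--root=$SD_ROOT} "$unit" >/dev/null 2>"$unit.err"; then
            echo "OK   $unit"
        else
            # A non-zero status can also mean the unit failed to load, so keep
            # the diagnostics instead of reporting only "above threshold".
            echo "FAIL $unit (see $unit.err)" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed sample of the summary line as the commit message shows it.
SAMPLE_SUMMARY='→ Overall exposure level for testcase.service: 9.1 UNSAFE'

# Usage when run directly, e.g.:
#   SD_ROOT=/mnt/image sh gate.sh 60 /mnt/image/etc/systemd/system/*.service
if [ -n "${1:-}" ]; then
    gate_units "$@"
fi
```

The threshold you choose is a policy decision: 100 (the default) never fails, while a value such as 60 rejects units that still run as root with full host networking, as the demo unit above does. Because `--threshold=` yields the same non-zero status for a unit that fails to load, the helper keeps each unit's stderr so a parse error is not mistaken for an overexposed service.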

Systemd

System and Service Manager


Details

Most documentation is available on systemd's web site.

Assorted, older, general information about systemd can be found in the systemd Wiki.

Information about build requirements is provided in the README file.

Consult our NEWS file for information about what's new in the most recent systemd versions.

Please see the Code Map for information about this repository's layout and content.

Please see the Hacking guide for information on how to hack on systemd and test your modifications.

Please see our Contribution Guidelines for more information about filing GitHub Issues and posting GitHub Pull Requests.

When preparing patches for systemd, please follow our Coding Style Guidelines.

If you are looking for support, please contact our mailing list or join our IRC channel.

Stable branches with backported patches are available in the stable repo.