path: root/man/systemd-analyze.xml
author     Maanya Goenka <t-magoenka@microsoft.com>   2021-08-26 09:17:32 +0200
committer  Luca Boccassi <luca.boccassi@gmail.com>    2021-09-06 20:55:27 +0200
commit     4b4a8ef7414c53af9b5f99ed80ce658be1c58c59 (patch)
tree       dcb34e1e20e6509a3f8dd6362876ffc49d305be3 /man/systemd-analyze.xml
parent     systemd-analyze: use config value in RestrictNamespaces id (#20645) (diff)
systemd-analyze: add new option to generate JSON output of security analysis table
The new option --json= works with the 'security' verb and takes in one of three format flags. These are off which is the default, pretty and short which use JSON format flags for output. When set to true, it generates a JSON formatted output of the security analysis table. The format is a JSON array with objects containing the following fields: set which indicates if the id has been set or not, name which is what is used to refer to the id, json_field which is the equivalent JSON formatted id name only used for JSON outputs, description which is an outline of the id state, and exposure which is an unsigned integer in the range 0.0..10.0, where a higher value corresponds to a higher security threat. The JSON version of the table is printed on the standard output file.

Example Run:

The unit file testfile.service was created to test the --json= option

maanya-goenka@debian:~/systemd (json-security)$ cat <<EOF >testfile.service
> [Service]
> ExecStart = echo hello
> PrivateNetwork = yes
> PrivateMounts = yes
> PrivateDevices = yes
> EOF

Both the JSON output and the security analysis table below have been truncated to increase readability.

1. Testing for when --json=off

maanya-goenka@debian:~/systemd (json-security)$ sudo build/systemd-analyze security --json=off --root= --offline=true testfile.service --no-pager
/usr/lib/systemd/system/plymouth-start.service:15: Unit configured to use KillMode=none. This is unsafe, as it disables systemd's process lifecycle management for the service. Please update your service to use a safer KillMode=, such as 'mixed' or 'control-group'. Support for KillMode=none is deprecated and will eventually be removed.
/usr/lib/systemd/system/dbus.socket:5: ListenStream= references a path below legacy directory /var/run/, updating /var/run/dbus/system_bus_socket → /run/dbus/system_bus_socket; please update the unit file accordingly.
/usr/lib/systemd/system/gdm.service:30: Standard output type syslog is obsolete, automatically updating to journal. Please update your unit file, and consider removing the setting altogether.
/home/maanya-goenka/systemd/foo.service:2: Unknown key name 'foo' in section 'Unit', ignoring.

  NAME                                          DESCRIPTION                                         EXPOSURE
✓ PrivateNetwork=                               Service has no access to the host's network
✗ User=/DynamicUser=                            Service runs as root user                                0.4
✗ CapabilityBoundingSet=~CAP_SET(UID|GID|PCAP)  Service may change UID/GID identities/capabilities       0.3
✗ CapabilityBoundingSet=~CAP_NET_ADMIN          Service has administrator privileges                     0.3

→ Overall exposure level for testfile.service: 8.3 EXPOSED 🙁

2. Testing for when --json=pretty

maanya-goenka@debian:~/systemd (json-security)$ sudo build/systemd-analyze security --json=pretty --root= --offline=true testfile.service
/usr/lib/systemd/system/plymouth-start.service:15: Unit configured to use KillMode=none. This is unsafe, as it disables systemd's process lifecycle management for the service. Please update your service to use a safer KillMode=, such as 'mixed' or 'control-group'. Support for KillMode=none is deprecated and will eventually be removed.
/usr/lib/systemd/system/dbus.socket:5: ListenStream= references a path below legacy directory /var/run/, updating /var/run/dbus/system_bus_socket → /run/dbus/system_bus_socket; please update the unit file accordingly.
/usr/lib/systemd/system/gdm.service:30: Standard output type syslog is obsolete, automatically updating to journal. Please update your unit file, and consider removing the setting altogether.
/home/maanya-goenka/systemd/foo.service:2: Unknown key name 'foo' in section 'Unit', ignoring.

[
    {
        "set" : true,
        "name" : "PrivateNetwork=",
        "json-field" : "PrivateNetwork",
        "description" : "Service has no access to the host's network",
        "exposure" : null
    },
    {
        "set" : false,
        "name" : "User=/DynamicUser=",
        "json-field" : "UserOrDynamicUser",
        "description" : "Service runs as root user",
        "exposure" : "0.4"
    },
    {
        "set" : false,
        "name" : "CapabilityBoundingSet=~CAP_SET(UID|GID|PCAP)",
        "json_field" : "CapabilityBoundingSet_CAP_SET_UID_GID_PCAP",
        "description" : "Service may change UID/GID identities/capabilities",
        "exposure" : "0.3"
    },
    {
        "set" : false,
        "name" : "CapabilityBoundingSet=~CAP_NET_ADMIN",
        "json_field" : "CapabilityBoundingSet_CAP_NET_ADMIN",
        "description" : "Service has administrator privileges",
        "exposure" : "0.3"
    },
    ...
]

3. Testing for when --json=short

maanya-goenka@debian:~/systemd (json-security)$ sudo build/systemd-analyze security --json=short --root= --offline=true testfile.service
/usr/lib/systemd/system/plymouth-start.service:15: Unit configured to use KillMode=none. This is unsafe, as it disables systemd's process lifecycle management for the service. Please update your service to use a safer KillMode=, such as 'mixed' or 'control-group'. Support for KillMode=none is deprecated and will eventually be removed.
/usr/lib/systemd/system/dbus.socket:5: ListenStream= references a path below legacy directory /var/run/, updating /var/run/dbus/system_bus_socket → /run/dbus/system_bus_socket; please update the unit file accordingly.
/usr/lib/systemd/system/gdm.service:30: Standard output type syslog is obsolete, automatically updating to journal. Please update your unit file, and consider removing the setting altogether.
/home/maanya-goenka/systemd/foo.service:2: Unknown key name 'foo' in section 'Unit', ignoring.

[{"set":true,"name":"PrivateNetwork=","json_field":"PrivateNetwork","description":"Service has no access to the host's network","exposure":null}, ...]
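The array format described in the commit message is what a CI gate would consume. The following is an added example written for this page, not code from systemd or from this commit: it loads the array, normalises the exposure field the way the sample output above requires (the value arrives as a JSON string such as "0.4", or as null for a check that is satisfied), lists the unset settings with the highest exposure first, and returns a non-zero status when any unset setting reaches a threshold. The sample input is constructed to mirror the --json=pretty run in the message; the 0.4 threshold, the function names and the fallback to the json-field key spelling seen in that run are assumptions of this example. It makes no attempt to recompute the overall exposure level, which is not part of the array.

```python
"""Triage systemd-analyze security --json=short output (added example).

Usage:  systemd-analyze security --json=short foo.service | python3 triage.py
With no piped input it runs against the constructed sample below.
"""
import json
import sys
from typing import Any, Optional

# Constructed sample, shaped like the --json=pretty run in the commit message
# (exposure as a string, null for a satisfied check). Not real tool output.
SAMPLE_JSON = json.dumps([
    {"set": True, "name": "PrivateNetwork=", "json_field": "PrivateNetwork",
     "description": "Service has no access to the host's network", "exposure": None},
    {"set": False, "name": "User=/DynamicUser=", "json_field": "UserOrDynamicUser",
     "description": "Service runs as root user", "exposure": "0.4"},
    {"set": False, "name": "CapabilityBoundingSet=~CAP_SET(UID|GID|PCAP)",
     "json_field": "CapabilityBoundingSet_CAP_SET_UID_GID_PCAP",
     "description": "Service may change UID/GID identities/capabilities", "exposure": "0.3"},
    {"set": False, "name": "CapabilityBoundingSet=~CAP_NET_ADMIN",
     "json_field": "CapabilityBoundingSet_CAP_NET_ADMIN",
     "description": "Service has administrator privileges", "exposure": "0.3"},
])

# Assumed policy: fail the gate when an unset setting has exposure >= this.
DEFAULT_THRESHOLD = 0.4


def parse_exposure(value: Any) -> Optional[float]:
    """null -> None; "0.4" or 0.4 -> 0.4. Reject anything else instead of
    silently scoring it as 0, and enforce the documented 0.0..10.0 range."""
    if value is None:
        return None
    try:
        f = float(value)
    except (TypeError, ValueError):
        raise ValueError(f"unexpected exposure value: {value!r}")
    if not 0.0 <= f <= 10.0:
        raise ValueError(f"exposure outside documented range 0.0..10.0: {f}")
    return f


def load_table(text: str) -> list:
    """Parse the JSON array into rows with a normalised exposure."""
    data = json.loads(text)
    if not isinstance(data, list):
        raise ValueError("expected a JSON array of settings")
    rows = []
    for obj in data:
        # Assumption: accept the json-field spelling seen in the sample run
        # alongside the documented json_field key.
        field = obj.get("json_field", obj.get("json-field"))
        rows.append({
            "set": bool(obj["set"]),
            "name": obj["name"],
            "json_field": field,
            "description": obj.get("description", ""),
            "exposure": parse_exposure(obj.get("exposure")),
        })
    return rows


def unset_by_exposure(rows: list) -> list:
    """Settings not enabled for the unit, highest exposure first."""
    missing = [r for r in rows if not r["set"]]
    return sorted(missing, key=lambda r: r["exposure"] or 0.0, reverse=True)


def findings_above(rows: list, threshold: float) -> list:
    """Unset settings whose exposure reaches the threshold."""
    return [r for r in unset_by_exposure(rows) if (r["exposure"] or 0.0) >= threshold]


def run(text: str, threshold: float = DEFAULT_THRESHOLD) -> int:
    """Print the report and return a process exit status (0 = pass)."""
    rows = load_table(text)
    for r in unset_by_exposure(rows):
        exposure = "n/a" if r["exposure"] is None else f"{r['exposure']:.1f}"
        print(f"{exposure:>4}  {r['name']:<45} {r['description']}")
    hits = findings_above(rows, threshold)
    return 1 if hits else 0


if __name__ == "__main__":
    source = SAMPLE_JSON if sys.stdin.isatty() else sys.stdin.read()
    sys.exit(run(source))
```

Exposure is normalised in one place so that a later change from string to number in the tool's output does not change the gate's behaviour, and a value that cannot be parsed fails loudly rather than scoring as harmless.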
Diffstat (limited to 'man/systemd-analyze.xml')
-rw-r--r--  man/systemd-analyze.xml  16
1 files changed, 16 insertions, 0 deletions
diff --git a/man/systemd-analyze.xml b/man/systemd-analyze.xml
index 8e8f776377..fb872c4990 100644
--- a/man/systemd-analyze.xml
+++ b/man/systemd-analyze.xml
@@ -1110,6 +1110,22 @@ Service b@0.service not loaded, b.socket cannot be started.
<varlistentry>
+ <term><option>--json=<replaceable>MODE</replaceable></option></term>
+
+ <listitem><para>With the <command>security</command> command, generate a JSON formatted
+ output of the security analysis table. The format is a JSON array with objects
+ containing the following fields: <varname>set</varname> which indicates if the setting has
+ been enabled or not, <varname>name</varname> which is what is used to refer to the setting,
+ <varname>json_field</varname> which is the JSON compatible identifier of the setting,
+ <varname>description</varname> which is an outline of the setting state, and
+ <varname>exposure</varname> which is a number in the range 0.0…10.0, where a higher value
+ corresponds to a higher security threat. The JSON version of the table is printed to standard
+ output. The <replaceable>MODE</replaceable> passed to the option can be one of three:
+ <option>off</option> which is the default, <option>pretty</option> and <option>short</option>
+ which respectively output a prettified or shorted JSON version of the security table.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
<term><option>--iterations=<replaceable>NUMBER</replaceable></option></term>
<listitem><para>When used with the <command>calendar</command> command, show the specified number of
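Review bot: The new text documents exposure as "a number in the range 0.0…10.0", but the sample runs in the commit message show it emitted as a JSON string ("exposure" : "0.4") and as null for a satisfied check (PrivateNetwork=); either emit a JSON number and state in this paragraph that the field is null when the setting is already enabled, or document the string form, so consumers do not have to guess. The same samples spell the key json-field in two objects and json_field in the others while the man page documents only json_field, so the emitted key name should be checked against this text before merging. Two smaller points in the same paragraph: "prettified or shorted JSON version" should read "shortened", and the five fields would be easier to read as a nested <variablelist> than as one sentence.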