summaryrefslogtreecommitdiffstats
path: root/units/dev-mqueue.mount
diff options
context:
space:
mode:
authorMaanya Goenka <t-magoenka@microsoft.com>2021-08-17 19:25:38 +0200
committerMaanya Goenka <t-magoenka@microsoft.com>2021-08-20 19:59:13 +0200
commitbb43d853190052b3d2984ae08299ddf0a97b86f5 (patch)
tree36a1ea9293e19ae7311925b9b10bd667f3a71418 /units/dev-mqueue.mount
parentsystemd-analyze: refactor security_info to make use of existing struct variables (diff)
downloadsystemd-bb43d853190052b3d2984ae08299ddf0a97b86f5.tar.xz
systemd-bb43d853190052b3d2984ae08299ddf0a97b86f5.zip
systemd-analyze: 'security' option to perform offline reviews of the specified unit file(s)
New option --offline which works with the 'security' command and takes in a boolean value. When set to true, it performs an offline security review of the specified unit file(s). It does not rely on PID 1 to acquire security information for the files like 'security' when used by itself does. It makes use of the refactored security_info struct instead (commit #8cd669d3d3cf1b5e8667acc46ba290a9e8a8e529). This means that --offline can be used with --image and --root as well. When used with --threshold, if a unit's overall exposure level is above that set by the user, the default value being 100, --offline returns a non-zero exit status. Example Run: 1. testcase.service is a unit file created for testing the --offline option maanya-goenka@debian:~/systemd (systemd-security)$ cat<<EOF>testcase.service > [Service] > ExecStart = echo hello > EOF For the purposes of this demo, the security table outputted below has been cut to show only the first two security settings. maanya-goenka@debian:~/systemd (systemd-security)$ sudo build/systemd-analyze security --offline=true testcase.service /usr/lib/systemd/system/plymouth-start.service:15: Unit configured to use KillMode=none. This is unsafe, as it disables systemd's process lifecycle management for the service. Please update your service to use a safer KillMode=, such as 'mixed' or 'control-group'. Support for KillMode=none is deprecated and will eventually be removed. /usr/lib/systemd/system/gdm.service:30: Standard output type syslog is obsolete, automatically updating to journal. Please update your unit file, and consider removing the setting altogether. /usr/lib/systemd/system/dbus.socket:5: ListenStream= references a path below legacy directory /var/run/, updating /var/run/dbus/system_bus_socket → /run/dbus/system_bus_socket; please update the unit file accordingly. NAME DESCRIPTION EXPOSURE ✗ PrivateNetwork= Service has access to the host's network 0.5 ✗ User=/DynamicUser= Service runs as root user 0.4 → Overall exposure level for testcase.service: 9.6 UNSAFE 😨 maanya-goenka@debian:~/systemd (systemd-security)$ echo $? 0 2. The testcase.service unit file is modified to set PrivateNetwork to "yes". This reduces the exposure level from 9.6 to 9.1. maanya-goenka@debian:~/systemd (systemd-security)$ nano testcase.service > [Service] > ExecStart = echo hello > PrivateNetwork = yes > EOF maanya-goenka@debian:~/systemd (systemd-security)$ sudo build/systemd-analyze security --offline=true testcase.service /usr/lib/systemd/system/plymouth-start.service:15: Unit configured to use KillMode=none. This is unsafe, as it disables systemd's process lifecycle management for the service. Please update your service to use a safer KillMode=, such as 'mixed' or 'control-group'. Support for KillMode=none is deprecated and will eventually be removed. /usr/lib/systemd/system/gdm.service:30: Standard output type syslog is obsolete, automatically updating to journal. Please update your unit file, and consider removing the setting altogether. /usr/lib/systemd/system/dbus.socket:5: ListenStream= references a path below legacy directory /var/run/, updating /var/run/dbus/system_bus_socket → /run/dbus/system_bus_socket; please update the unit file accordingly. NAME DESCRIPTION EXPOSURE ✓ PrivateNetwork= Service has access to the host's network ✗ User=/DynamicUser= Service runs as root user 0.4 → Overall exposure level for testcase.service: 9.1 UNSAFE 😨 maanya-goenka@debian:~/systemd (systemd-security)$ echo $? 0 3. Next, we use the same testcase.service unit file but add the additional --threshold=60 option to see how --threshold works with --offline. Since the overall exposure level is 91 which is greater than the threshold value set by the user (= 60), we can expect a non-zero exit status. maanya-goenka@debian:~/systemd (systemd-security)$ sudo build/systemd-analyze security --offline=true --threshold=60 testcase.service /usr/lib/systemd/system/plymouth-start.service:15: Unit configured to use KillMode=none. This is unsafe, as it disables systemd's process lifecycle management for the service. Please update your service to use a safer KillMode=, such as 'mixed' or 'control-group'. Support for KillMode=none is deprecated and will eventually be removed. /usr/lib/systemd/system/gdm.service:30: Standard output type syslog is obsolete, automatically updating to journal. Please update your unit file, and consider removing the setting altogether. /usr/lib/systemd/system/dbus.socket:5: ListenStream= references a path below legacy directory /var/run/, updating /var/run/dbus/system_bus_socket → /run/dbus/system_bus_socket; please update the unit file accordingly. NAME DESCRIPTION EXPOSURE ✓ PrivateNetwork= Service has access to the host's network ✗ User=/DynamicUser= Service runs as root user 0.4 → Overall exposure level for testcase.service: 9.1 UNSAFE 😨 maanya-goenka@debian:~/systemd (systemd-security)$ echo $? 1
Diffstat (limited to 'units/dev-mqueue.mount')
0 files changed, 0 insertions, 0 deletions