summaryrefslogtreecommitdiff
path: root/hwdb.d
diff options
context:
space:
mode:
authorMaanya Goenka <t-magoenka@microsoft.com>2021-08-26 00:17:32 -0700
committerLuca Boccassi <luca.boccassi@gmail.com>2021-09-06 19:55:27 +0100
commit4b4a8ef7414c53af9b5f99ed80ce658be1c58c59 (patch)
treedcb34e1e20e6509a3f8dd6362876ffc49d305be3 /hwdb.d
parentc1e6f2155668f9246a23951fde3e1ef5c3ef900c (diff)
downloadsystemd-4b4a8ef7414c53af9b5f99ed80ce658be1c58c59.tar.gz
systemd-analyze: add new option to generate JSON output of security analysis table
The new option --json= works with the 'security' verb and takes in one of three format flags. These are off which is the default, pretty and short which use JSON format flags for output. When set to true, it generates a JSON formatted output of the security analysis table. The format is a JSON array with objects containing the following fields: set which indicates if the id has been set or not, name which is what is used to refer to the id, json_field which is the equivalent JSON formatted id name only used for JSON outputs, description which is an outline of the id state, and exposure which is an unsigned integer in the range 0.0..10.0, where a higher value corresponds to a higher security threat. The JSON version of the table is printed on the standard output file. Example Run: The unit file testfile.service was created to test the --json= option maanya-goenka@debian:~/systemd (json-security)$ cat <<EOF >testfile.service > [Service] > ExecStart = echo hello > PrivateNetwork = yes > PrivateMounts = yes > PrivateDevices = yes > EOF Both the JSON output and the security analysis table below have been truncated to increase readability. 1. Testing for when --json=off maanya-goenka@debian:~/systemd (json-security)$ sudo build/systemd-analyze security --json=off --root= --offline=true testfile.service --no-pager /usr/lib/systemd/system/plymouth-start.service:15: Unit configured to use KillMode=none. This is unsafe, as it disables systemd's process lifecycle management for the service. Please update your service to use a safer KillMode=, such as 'mixed' or 'control-group'. Support for KillMode=none is deprecated and will eventually be removed. /usr/lib/systemd/system/dbus.socket:5: ListenStream= references a path below legacy directory /var/run/, updating /var/run/dbus/system_bus_socket → /run/dbus/system_bus_socket; please update the unit file accordingly. /usr/lib/systemd/system/gdm.service:30: Standard output type syslog is obsolete, automatically updating to journal. Please update your unit file, and consider removing the setting altogether. /home/maanya-goenka/systemd/foo.service:2: Unknown key name 'foo' in section 'Unit', ignoring. NAME DESCRIPTION EXPOSURE ✓ PrivateNetwork= Service has no access to the host's network ✗ User=/DynamicUser= Service runs as root user 0.4 ✗ CapabilityBoundingSet=~CAP_SET(UID|GID|PCAP) Service may change UID/GID identities/capabilities 0.3 ✗ CapabilityBoundingSet=~CAP_NET_ADMIN Service has administrator privileges 0.3 → Overall exposure level for testfile.service: 8.3 EXPOSED 🙁 2. Testing for when --json=pretty maanya-goenka@debian:~/systemd (json-security)$ sudo build/systemd-analyze security --json=pretty --root= --offline=true testfile.service /usr/lib/systemd/system/plymouth-start.service:15: Unit configured to use KillMode=none. This is unsafe, as it disables systemd's process lifecycle management for the service. Please update your service to use a safer KillMode=, such as 'mixed' or 'control-group'. Support for KillMode=none is deprecated and will eventually be removed. /usr/lib/systemd/system/dbus.socket:5: ListenStream= references a path below legacy directory /var/run/, updating /var/run/dbus/system_bus_socket → /run/dbus/system_bus_socket; please update the unit file accordingly. /usr/lib/systemd/system/gdm.service:30: Standard output type syslog is obsolete, automatically updating to journal. Please update your unit file, and consider removing the setting altogether. /home/maanya-goenka/systemd/foo.service:2: Unknown key name 'foo' in section 'Unit', ignoring. [ { "set" : true, "name" : "PrivateNetwork=", "json-field" : "PrivateNetwork", "description" : "Service has no access to the host's network", "exposure" : null }, { "set" : false, "name" : "User=/DynamicUser=", "json-field" : "UserOrDynamicUser", "decsription" : "Service runs as root user", "exposure" : "0.4" }, { "set" : false, "name" : "CapabilityBoundingSet=~CAP_SET(UID|GID|PCAP)", "json_field" : "CapabilityBoundingSet_CAP_SET_UID_GID_PCAP", "description" : "Service may change UID/GID identities/capabilities", "exposure" : "0.3" }, { "set" : false, "name" : "CapabilityBoundingSet=~CAP_NET_ADMIN", "json_field" : "CapabilityBoundingSet_CAP_NET_ADMIN", "description" : "Service has administrator privileges", "exposure" : "0.3" }, ... ] 3. Testing for when --json=short maanya-goenka@debian:~/systemd (json-security)$ sudo build/systemd-analyze security --json=short --root= --offline=true testfile.service /usr/lib/systemd/system/plymouth-start.service:15: Unit configured to use KillMode=none. This is unsafe, as it disables systemd's process lifecycle management for the service. Please update your service to use a safer KillMode=, such as 'mixed' or 'control-group'. Support for KillMode=none is deprecated and will eventually be removed. /usr/lib/systemd/system/dbus.socket:5: ListenStream= references a path below legacy directory /var/run/, updating /var/run/dbus/system_bus_socket → /run/dbus/system_bus_socket; please update the unit file accordingly. /usr/lib/systemd/system/gdm.service:30: Standard output type syslog is obsolete, automatically updating to journal. Please update your unit file, and consider removing the setting altogether. /home/maanya-goenka/systemd/foo.service:2: Unknown key name 'foo' in section 'Unit', ignoring. [{"set":true,"name":"PrivateNetwork=", "json_field":"PrivateNetwork", "description":"Service has no access to the host's network","exposure":null}, ...]
Diffstat (limited to 'hwdb.d')
0 files changed, 0 insertions, 0 deletions