| field | value | date |
|---|---|---|
| author | Maanya Goenka <t-magoenka@microsoft.com> | 2021-08-17 10:40:15 -0700 |
| committer | Maanya Goenka <t-magoenka@microsoft.com> | 2021-08-20 10:59:13 -0700 |
| commit | dfbda8799cd4184ca61d4cd4283f76e5776d253d (patch) | |
| tree | 631f57fff22902190e97f488f1ed53e97b86992e /src/analyze/analyze-security.h | |
| parent | bb43d853190052b3d2984ae08299ddf0a97b86f5 (diff) | |
| download | systemd-dfbda8799cd4184ca61d4cd4283f76e5776d253d.tar.gz | |
systemd-analyze: add new 'security' option to compare unit's overall exposure level with
--threshold option added to work with security verb and with the --offline option so that
users can determine what qualifies as a security threat. The threshold set by the user is
compared with the overall exposure level assigned to a unit file and if the exposure is
higher than the threshold, 'security' will return a non-zero exit status. The default value
of the --threshold option is 100.
Example Run:
1. testcase.service is a unit file created for testing the --threshold option
maanya-goenka@debian:~/systemd (systemd-security)$ cat<<EOF>testcase.service
> [Service]
> ExecStart = echo hello
> EOF
For the purposes of this demo, the security table output below has been cut to show only the first two security settings.
maanya-goenka@debian:~/systemd (systemd-security)$ sudo build/systemd-analyze security --offline=true testcase.service
/usr/lib/systemd/system/plymouth-start.service:15: Unit configured to use KillMode=none. This is unsafe, as it disables systemd's
process lifecycle management for the service. Please update your service to use a safer KillMode=, such as 'mixed' or 'control-group'.
Support for KillMode=none is deprecated and will eventually be removed.
/usr/lib/systemd/system/gdm.service:30: Standard output type syslog is obsolete, automatically updating to journal. Please update your
unit file, and consider removing the setting altogether.
/usr/lib/systemd/system/dbus.socket:5: ListenStream= references a path below legacy directory /var/run/, updating
/var/run/dbus/system_bus_socket → /run/dbus/system_bus_socket; please update the unit file accordingly.
  NAME                  DESCRIPTION                                EXPOSURE
✗ PrivateNetwork=       Service has access to the host's network        0.5
✗ User=/DynamicUser=    Service runs as root user                       0.4

→ Overall exposure level for testcase.service: 9.6 UNSAFE 😨
maanya-goenka@debian:~/systemd (systemd-security)$ echo $?
0
2. Next, we use the same testcase.service file but add an additional --threshold=60 parameter. We would expect 'security' to exit
with a non-zero status because the overall exposure level (= 96) is higher than the set threshold (= 60).
maanya-goenka@debian:~/systemd (systemd-security)$ sudo build/systemd-analyze security --offline=true --threshold=60 testcase.service
/usr/lib/systemd/system/plymouth-start.service:15: Unit configured to use KillMode=none. This is unsafe, as it disables systemd's
process lifecycle management for the service. Please update your service to use a safer KillMode=, such as 'mixed' or 'control-group'.
Support for KillMode=none is deprecated and will eventually be removed.
/usr/lib/systemd/system/gdm.service:30: Standard output type syslog is obsolete, automatically updating to journal. Please update your
unit file, and consider removing the setting altogether.
/usr/lib/systemd/system/dbus.socket:5: ListenStream= references a path below legacy directory /var/run/, updating
/var/run/dbus/system_bus_socket → /run/dbus/system_bus_socket; please update the unit file accordingly.
  NAME                  DESCRIPTION                                EXPOSURE
✗ PrivateNetwork=       Service has access to the host's network        0.5
✗ User=/DynamicUser=    Service runs as root user                       0.4

→ Overall exposure level for testcase.service: 9.6 UNSAFE 😨
maanya-goenka@debian:~/systemd (systemd-security)$ echo $?
1
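The two runs above show the contract the new option gives to scripts: exit status 0 when the unit's exposure is at or below `--threshold`, non-zero when it is above. The following shell gate is an added example, not part of this commit or of systemd; it assumes an environment variable `SYSTEMD_ANALYZE` (invented here) for pointing at a build-tree binary such as `build/systemd-analyze`, and takes unit files from the current directory as the commit's example does. The comments also record the scale caveat visible in the second run: the value printed as 9.6 is compared as 96, so the threshold is on a 0..100 scale.

```shell
#!/bin/sh
# Added example (not part of the systemd commit): use the exit status of
# 'systemd-analyze security --threshold=N' as a CI gate over several unit files.
#
# Assumptions made here, not stated on the page:
#   - SYSTEMD_ANALYZE (our own variable) may point at an alternative binary,
#     e.g. build/systemd-analyze; it defaults to 'systemd-analyze' on PATH.
#   - Units are given as files in the current directory, as in the example run.
#
# Scale caveat taken from the commit's second run: an exposure printed as 9.6 is
# compared as 96, so --threshold is on a 0..100 scale (--threshold=60 flags
# anything displayed above 6.0). The default of 100 flags nothing.

# check_units THRESHOLD UNIT...
# Prints the name of every unit whose check did not pass (one per line) and
# returns 1 if any did not, 0 otherwise. The assessor's own table and the
# unrelated warnings it emits for other units on the host are discarded.
# Any non-zero exit, including a unit that fails to load, counts as a failure;
# that is the conservative choice for a gate.
check_units() {
    threshold=$1
    shift
    failed=0
    for unit in "$@"; do
        if "${SYSTEMD_ANALYZE:-systemd-analyze}" security --offline=true \
                --threshold="$threshold" "$unit" >/dev/null 2>&1; then
            :
        else
            echo "$unit"
            failed=1
        fi
    done
    return "$failed"
}

# Stand-alone use: ./gate.sh 60 testcase.service other.service
if [ "$#" -gt 0 ]; then
    if check_units "$@"; then
        echo "all units at or below exposure threshold $1" >&2
    else
        echo "units above exposure threshold $1 are listed on stdout" >&2
        exit 1
    fi
fi
```

The function reports by exit status and a plain list of failing units on stdout, so it can sit directly in a pipeline step; the per-unit table is still available by rerunning `systemd-analyze security` without redirection on the units it lists.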
Diffstat (limited to 'src/analyze/analyze-security.h')
-rw-r--r-- | src/analyze/analyze-security.h | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/src/analyze/analyze-security.h b/src/analyze/analyze-security.h index b9ea2586b9..57a93afbef 100644 --- a/src/analyze/analyze-security.h +++ b/src/analyze/analyze-security.h @@ -13,4 +13,5 @@ typedef enum AnalyzeSecurityFlags { ANALYZE_SECURITY_ONLY_LONG_RUNNING = 1 << 2, } AnalyzeSecurityFlags; -int analyze_security(sd_bus *bus, char **units, UnitFileScope scope, bool check_man, bool run_generators, bool offline, const char *root, AnalyzeSecurityFlags flags); +int analyze_security(sd_bus *bus, char **units, UnitFileScope scope, bool check_man, bool run_generators, + bool offline, unsigned threshold, const char *root, AnalyzeSecurityFlags flags); |
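Review bot: the new `unsigned threshold` parameter in the `analyze_security()` declaration carries no statement of its scale or of the comparison it drives, and this header is where callers will look for it: the commit message compares a displayed exposure of 9.6 against `--threshold=60` as "96 is higher than 60", so the value is on the internal 0..100 integer scale rather than the 0.0..10.0 value the table prints, and a unit whose exposure equals the threshold is not flagged. Suggest a comment on the declaration, e.g. `/* threshold: 0..100, same scale as the scored exposure; non-zero return when exposure > threshold */`. As a style point, the signature is now nine positional arguments with a bare `unsigned` placed between a `bool` and a `const char *`, which C will silently convert from a misplaced `bool` or integer at a call site; grouping the options (check_man, run_generators, offline, threshold, root, flags) in a struct would make that mistake impossible.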