mirror of
https://github.com/Dasharo/systemd.git
synced 2026-03-06 15:02:31 -08:00
bb43d85319
New option --offline which works with the 'security' command and takes in a boolean value. When set to true, it performs an offline security review of the specified unit file(s). It does not rely on PID 1 to acquire security information for the files like 'security' when used by itself does. It makes use of the refactored security_info struct instead (commit #8cd669d3d3cf1b5e8667acc46ba290a9e8a8e529). This means that --offline can be used with --image and --root as well. When used with --threshold, if a unit's overall exposure level is above that set by the user, the default value being 100, --offline returns a non-zero exit status. Example Run: 1. testcase.service is a unit file created for testing the --offline option maanya-goenka@debian:~/systemd (systemd-security)$ cat<<EOF>testcase.service > [Service] > ExecStart = echo hello > EOF For the purposes of this demo, the security table outputted below has been cut to show only the first two security settings. maanya-goenka@debian:~/systemd (systemd-security)$ sudo build/systemd-analyze security --offline=true testcase.service /usr/lib/systemd/system/plymouth-start.service:15: Unit configured to use KillMode=none. This is unsafe, as it disables systemd's process lifecycle management for the service. Please update your service to use a safer KillMode=, such as 'mixed' or 'control-group'. Support for KillMode=none is deprecated and will eventually be removed. /usr/lib/systemd/system/gdm.service:30: Standard output type syslog is obsolete, automatically updating to journal. Please update your unit file, and consider removing the setting altogether. /usr/lib/systemd/system/dbus.socket:5: ListenStream= references a path below legacy directory /var/run/, updating /var/run/dbus/system_bus_socket → /run/dbus/system_bus_socket; please update the unit file accordingly. NAME DESCRIPTION EXPOSURE ✗ PrivateNetwork= Service has access to the host's network 0.5 ✗ User=/DynamicUser= Service runs as root user 0.4 → Overall exposure level for testcase.service: 9.6 UNSAFE 😨 maanya-goenka@debian:~/systemd (systemd-security)$ echo $? 0 2. The testcase.service unit file is modified to set PrivateNetwork to "yes". This reduces the exposure level from 9.6 to 9.1. maanya-goenka@debian:~/systemd (systemd-security)$ nano testcase.service > [Service] > ExecStart = echo hello > PrivateNetwork = yes > EOF maanya-goenka@debian:~/systemd (systemd-security)$ sudo build/systemd-analyze security --offline=true testcase.service /usr/lib/systemd/system/plymouth-start.service:15: Unit configured to use KillMode=none. This is unsafe, as it disables systemd's process lifecycle management for the service. Please update your service to use a safer KillMode=, such as 'mixed' or 'control-group'. Support for KillMode=none is deprecated and will eventually be removed. /usr/lib/systemd/system/gdm.service:30: Standard output type syslog is obsolete, automatically updating to journal. Please update your unit file, and consider removing the setting altogether. /usr/lib/systemd/system/dbus.socket:5: ListenStream= references a path below legacy directory /var/run/, updating /var/run/dbus/system_bus_socket → /run/dbus/system_bus_socket; please update the unit file accordingly. NAME DESCRIPTION EXPOSURE ✓ PrivateNetwork= Service has access to the host's network ✗ User=/DynamicUser= Service runs as root user 0.4 → Overall exposure level for testcase.service: 9.1 UNSAFE 😨 maanya-goenka@debian:~/systemd (systemd-security)$ echo $? 0 3. Next, we use the same testcase.service unit file but add the additional --threshold=60 option to see how --threshold works with --offline. Since the overall exposure level is 91 which is greater than the threshold value set by the user (= 60), we can expect a non-zero exit status. maanya-goenka@debian:~/systemd (systemd-security)$ sudo build/systemd-analyze security --offline=true --threshold=60 testcase.service /usr/lib/systemd/system/plymouth-start.service:15: Unit configured to use KillMode=none. This is unsafe, as it disables systemd's process lifecycle management for the service. Please update your service to use a safer KillMode=, such as 'mixed' or 'control-group'. Support for KillMode=none is deprecated and will eventually be removed. /usr/lib/systemd/system/gdm.service:30: Standard output type syslog is obsolete, automatically updating to journal. Please update your unit file, and consider removing the setting altogether. /usr/lib/systemd/system/dbus.socket:5: ListenStream= references a path below legacy directory /var/run/, updating /var/run/dbus/system_bus_socket → /run/dbus/system_bus_socket; please update the unit file accordingly. NAME DESCRIPTION EXPOSURE ✓ PrivateNetwork= Service has access to the host's network ✗ User=/DynamicUser= Service runs as root user 0.4 → Overall exposure level for testcase.service: 9.1 UNSAFE 😨 maanya-goenka@debian:~/systemd (systemd-security)$ echo $? 1
163 lines
5.3 KiB
Bash
163 lines
5.3 KiB
Bash
# systemd-analyze(1) completion -*- shell-script -*-
|
|
# SPDX-License-Identifier: LGPL-2.1-or-later
|
|
#
|
|
# This file is part of systemd.
|
|
#
|
|
# Copyright © 2010 Ran Benita
|
|
#
|
|
# systemd is free software; you can redistribute it and/or modify it
|
|
# under the terms of the GNU Lesser General Public License as published by
|
|
# the Free Software Foundation; either version 2.1 of the License, or
|
|
# (at your option) any later version.
|
|
#
|
|
# systemd is distributed in the hope that it will be useful, but
|
|
# WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
# General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU Lesser General Public License
|
|
# along with systemd; If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
__contains_word () {
|
|
local w word=$1; shift
|
|
for w in "$@"; do
|
|
[[ $w = "$word" ]] && return
|
|
done
|
|
}
|
|
|
|
__get_machines() {
|
|
local a b
|
|
machinectl list --full --no-legend --no-pager | { while read a b; do echo " $a"; done; };
|
|
}
|
|
|
|
__get_services() {
|
|
systemctl list-units --no-legend --no-pager --plain -t service --all $1 | \
|
|
{ while read -r a b c; do [[ $b == "loaded" ]]; echo " $a"; done }
|
|
}
|
|
|
|
__get_syscall_sets() {
|
|
local line
|
|
systemd-analyze syscall-filter --no-pager | while IFS= read -r line; do
|
|
if [[ $line == @* ]]; then
|
|
printf '%s\n' "$line"
|
|
fi
|
|
done
|
|
}
|
|
|
|
_systemd_analyze() {
|
|
local i verb comps mode
|
|
local cur=${COMP_WORDS[COMP_CWORD]} prev=${COMP_WORDS[COMP_CWORD-1]} words cword
|
|
|
|
local -A OPTS=(
|
|
[STANDALONE]='-h --help --version --system --user --global --order --require --no-pager
|
|
--man=no --generators=yes'
|
|
[ARG]='-H --host -M --machine --fuzz --from-pattern --to-pattern --root'
|
|
)
|
|
|
|
local -A VERBS=(
|
|
[STANDALONE]='time blame plot dump unit-paths exit-status condition calendar timestamp timespan'
|
|
[CRITICAL_CHAIN]='critical-chain'
|
|
[DOT]='dot'
|
|
[VERIFY]='verify'
|
|
[SECCOMP_FILTER]='syscall-filter'
|
|
[CAT_CONFIG]='cat-config'
|
|
[SECURITY]='security'
|
|
)
|
|
|
|
local CONFIGS='systemd/bootchart.conf systemd/coredump.conf systemd/journald.conf
|
|
systemd/journal-remote.conf systemd/journal-upload.conf systemd/logind.conf
|
|
systemd/resolved.conf systemd/networkd.conf systemd/resolved.conf
|
|
systemd/sleep.conf systemd/system.conf systemd/timedated.conf
|
|
systemd/timesyncd.conf systemd/user.conf udev/udev.conf'
|
|
|
|
_init_completion || return
|
|
|
|
for ((i=0; i < COMP_CWORD; i++)); do
|
|
if __contains_word "${COMP_WORDS[i]}" ${VERBS[*]} &&
|
|
! __contains_word "${COMP_WORDS[i-1]}" ${OPTS[ARG]}; then
|
|
verb=${COMP_WORDS[i]}
|
|
break
|
|
fi
|
|
done
|
|
|
|
if __contains_word "$prev" ${OPTS[ARG]}; then
|
|
case $prev in
|
|
--host|-H)
|
|
comps=$(compgen -A hostname)
|
|
;;
|
|
--machine|-M)
|
|
comps=$( __get_machines )
|
|
;;
|
|
esac
|
|
COMPREPLY=( $(compgen -W '$comps' -- "$cur") )
|
|
return 0
|
|
fi
|
|
|
|
if [[ -z ${verb-} && $cur = -* ]]; then
|
|
COMPREPLY=( $(compgen -W '${OPTS[*]}' -- "$cur") )
|
|
return 0
|
|
fi
|
|
|
|
if [[ -z ${verb-} ]]; then
|
|
comps=${VERBS[*]}
|
|
|
|
elif __contains_word "$verb" ${VERBS[STANDALONE]}; then
|
|
if [[ $cur = -* ]]; then
|
|
comps='--help --version --system --user --global --no-pager'
|
|
fi
|
|
|
|
elif __contains_word "$verb" ${VERBS[CRITICAL_CHAIN]}; then
|
|
if [[ $cur = -* ]]; then
|
|
comps='--help --version --system --user --fuzz --no-pager'
|
|
fi
|
|
|
|
elif __contains_word "$verb" ${VERBS[DOT]}; then
|
|
if [[ $cur = -* ]]; then
|
|
comps='--help --version --system --user --global --from-pattern --to-pattern --order --require'
|
|
fi
|
|
|
|
elif __contains_word "$verb" ${VERBS[SECCOMP_FILTER]}; then
|
|
if [[ $cur = -* ]]; then
|
|
comps='--help --version --no-pager'
|
|
else
|
|
comps=$( __get_syscall_sets )
|
|
fi
|
|
|
|
elif __contains_word "$verb" ${VERBS[VERIFY]}; then
|
|
if [[ $cur = -* ]]; then
|
|
comps='--help --version --system --user --global --man=no --generators=yes --root --image --recursive-errors=no --recursive-errors=yes --recursive-errors=one'
|
|
else
|
|
comps=$( compgen -A file -- "$cur" )
|
|
compopt -o filenames
|
|
fi
|
|
|
|
elif __contains_word "$verb" ${VERBS[CAT_CONFIG]}; then
|
|
if [[ $cur = -* ]]; then
|
|
comps='--help --version --root --no-pager'
|
|
elif [[ -z $cur ]]; then
|
|
comps="$CONFIGS"
|
|
compopt -o filenames
|
|
else
|
|
comps="$CONFIGS $( compgen -A file -- "$cur" )"
|
|
compopt -o filenames
|
|
fi
|
|
|
|
elif __contains_word "$verb" ${VERBS[SECURITY]}; then
|
|
if [[ $cur = -* ]]; then
|
|
comps='--help --version --no-pager --system --user -H --host -M --machine --offline'
|
|
else
|
|
if __contains_word "--user" ${COMP_WORDS[*]}; then
|
|
mode=--user
|
|
else
|
|
mode=--system
|
|
fi
|
|
comps=$( __get_services $mode )
|
|
fi
|
|
fi
|
|
|
|
COMPREPLY=( $(compgen -W '$comps' -- "$cur") )
|
|
return 0
|
|
}
|
|
|
|
complete -F _systemd_analyze systemd-analyze
|