systemd - Security overview of systemd services
systemd enables services to run with a whole suite of hardening and sandboxing features from the Linux kernel.
The Linux kernel can filter and limit access to file systems, networks, devices, kernel capabilities and system calls (syscalls), and more.
Check current security
systemd-analyze security
returns:
UNIT                                    EXPOSURE  PREDICATE
ModemManager.service                    5.8       MEDIUM
NetworkManager.service                  7.8       EXPOSED
accounts-daemon.service                 9.6       UNSAFE
acpid.service                           9.6       UNSAFE
alsa-state.service                      9.6       UNSAFE
anacron.service                         9.6       UNSAFE
apache2.service                         9.2       UNSAFE
apport.service                          9.6       UNSAFE
avahi-daemon.service                    9.6       UNSAFE
bluetooth.service                       6.8       MEDIUM
colord.service                          8.8       EXPOSED
cron.service                            9.6       UNSAFE
cups-browsed.service                    9.6       UNSAFE
cups.service                            9.6       UNSAFE
dbus.service                            9.6       UNSAFE
dm-event.service                        9.5       UNSAFE
dmesg.service                           9.6       UNSAFE
emergency.service                       9.5       UNSAFE
expressvpn.service                      9.6       UNSAFE
gdm.service                             9.8       UNSAFE
geoclue.service                         7.4       MEDIUM
getty@tty1.service                      9.6       UNSAFE
grub-common.service                     9.6       UNSAFE
hddtemp.service                         9.6       UNSAFE
irqbalance.service                      6.1       MEDIUM
kerneloops.service                      9.2       UNSAFE
libvirtd.service                        9.6       UNSAFE
lvm2-lvmpolld.service                   9.5       UNSAFE
lxcfs.service                           9.6       UNSAFE
networkd-dispatcher.service             9.6       UNSAFE
nvidia-persistenced.service             9.6       UNSAFE
ondemand.service                        9.6       UNSAFE
php7.4-fpm.service                      9.6       UNSAFE
plymouth-start.service                  9.5       UNSAFE
polkit.service                          9.6       UNSAFE
rc-local.service                        9.6       UNSAFE
rescue.service                          9.5       UNSAFE
resolvconf.service                      9.5       UNSAFE
rsync.service                           9.6       UNSAFE
rsyslog.service                         9.6       UNSAFE
rtkit-daemon.service                    7.1       MEDIUM
snap.lxd.daemon.service                 9.6       UNSAFE
snapd.service                           9.6       UNSAFE
switcheroo-control.service              7.5       EXPOSED
systemd-ask-password-console.service    9.3       UNSAFE
systemd-ask-password-plymouth.service   9.5       UNSAFE
systemd-ask-password-wall.service       9.4       UNSAFE
systemd-fsckd.service                   9.5       UNSAFE
systemd-initctl.service                 9.3       UNSAFE
systemd-journald.service                4.4       OK
systemd-logind.service                  2.8       OK
systemd-machined.service                6.1       MEDIUM
systemd-networkd.service                3.1       OK
systemd-resolved.service                2.2       OK
systemd-rfkill.service                  9.3       UNSAFE
systemd-timesyncd.service               2.1       OK
systemd-udevd.service                   8.4       EXPOSED
thermald.service                        9.6       UNSAFE
udisks2.service                         9.6       UNSAFE
unattended-upgrades.service             9.6       UNSAFE
upower.service                          2.3       OK
user@1000.service                       9.4       UNSAFE
user@125.service                        9.4       UNSAFE
uuidd.service                           4.5       OK
virtlockd.service                       9.6       UNSAFE
virtlogd.service                        9.6       UNSAFE
whoopsie.service                        9.6       UNSAFE
wpa_supplicant.service                  9.6       UNSAFE
NOTE: The exposure score is based entirely on a service's use of the security features provided by systemd.
- It does not consider security features built into the program itself, nor those enforced by access control policies such as Security-Enhanced Linux (SELinux) or AppArmor.
- Nor does the score in any way evaluate the risk factors of a program or its configuration.
Notice that many daemons, such as crond, are considered to be unsafe.
- That's an accurate assessment, as these services are designed to allow unrestricted execution of arbitrary commands.
- You may want to disable these services entirely unless you need them.
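For a service you do need to keep, the other option is to apply the sandboxing directives the score measures. The following drop-in is an added example, not part of this page, for a hypothetical unit named example.service; it assumes the daemon only keeps state under /var/lib/example, opens its own sockets on an unprivileged port, and needs no capabilities. Save it as /etc/systemd/system/example.service.d/hardening.conf (or create it with systemctl edit example.service), then run systemctl daemon-reload, restart the unit and re-check it with systemd-analyze security example.service.

```ini
# /etc/systemd/system/example.service.d/hardening.conf
# Added example drop-in for a hypothetical "example.service"; not from this page.
# Assumes: state lives under /var/lib/example, the daemon opens its own sockets
# on an unprivileged port, and it needs no Linux capabilities.
[Service]
# Run as a transient unprivileged user instead of root.
DynamicUser=yes
# Drop every capability and refuse to regain privileges via setuid/fscaps.
CapabilityBoundingSet=
AmbientCapabilities=
NoNewPrivileges=yes
# Read-only view of the OS, no /home, private /tmp and /dev, and a private
# writable state directory at /var/lib/example (owned by the dynamic user).
ProtectSystem=strict
ProtectHome=yes
StateDirectory=example
PrivateTmp=yes
PrivateDevices=yes
# Hide kernel tunables, modules, logs, cgroups, clock, hostname and other
# processes. ProtectProc= and ProcSubset= need systemd 247 or newer.
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
ProtectClock=yes
ProtectHostname=yes
ProtectProc=invisible
ProcSubset=pid
# Limit what the process may do: sockets only for IPC and IPv4/IPv6, no new
# namespaces, no realtime, no setuid/setgid files, no writable+executable
# memory (drop MemoryDenyWriteExecute= for JIT runtimes such as Java or Node).
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
RemoveIPC=yes
UMask=0077
# Seccomp: allow the common service syscall set, then remove the privileged
# and resource-control groups; native ABI only so 32-bit entry points are
# blocked. Filtered calls fail with EPERM instead of killing the process.
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
SystemCallArchitectures=native
SystemCallErrorNumber=EPERM
```

If the daemon fails to start afterwards, journalctl -u example.service shows which restriction it tripped; relax that single directive rather than discarding the whole drop-in. Remember that the score only reflects these directives, so a lower number means a smaller sandbox escape surface, not a vetted program.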
systemd/security_overview_of_systemd_services.1610540434.txt.gz · Last modified: 2021/01/13 12:20 by peter