On Thu, Feb 24, 2022 at 04:29:27PM +0100, Marius Schwarz wrote: > Hi Guys, > > running a hardening tool I stumpled about systemd own security analysis, systemd-analyze security shows whether units use systemd hardening features. Those units may well use other features, and may well be very secure. In general it is a good idea to use at least some of the systemd features, but not always. Sometimes the unit may need to implement its own harderning in a very special way, or it may legitimately need almost full privileges. (For example sshd is like this: it implements privilege separation and does other things for security, but it needs full privileges to be able to run things as arbitrary users.) High exposure scores mean only so much. It would probably be good to use more of those features, but you need to understand the service very well to know what systemd security features can be enabled for it. > Do those "insecure" units come from upstream projects, or is Fedora lagging > behind some patches? Fedora usually uses service files straight from upstream, if upstream provides them. > Is there a way to find out, if missing restrictions options are a problem > for the service and if not, any way to tell that analyse tool about it? Systemd 250 (coming in F36), has --security-policy switch which can be used to enable/disable some of the checks. There is no way to tell systemd-analyze that things about a specific unit though. Zbyszek _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
