diff options
| author |   Lennart Poettering <lennart@poettering.net> | 2018-11-09 12:19:30 +0100 |
|---|---|---|
| committer | Lennart Poettering <lennart@poettering.net> | 2018-11-30 16:48:09 +0100 |
| commit | ee93c1e664a7bbc59f1578e285c871999507b14d (patch) | |
| tree | 6548b71af35ab808773bcadcfb96a471095343ec /man | |
| parent | analyze: add new security verb (diff) | |
| download | systemd-ee93c1e664a7bbc59f1578e285c871999507b14d.tar.gz systemd-ee93c1e664a7bbc59f1578e285c871999507b14d.tar.bz2 systemd-ee93c1e664a7bbc59f1578e285c871999507b14d.zip | |
man: document systemd-analyze security
Diffstat (limited to 'man')
| -rw-r--r-- | man/systemd-analyze.xml | 29 |
1 files changed, 29 insertions, 0 deletions
diff --git a/man/systemd-analyze.xml b/man/systemd-analyze.xml index 15e95b0c8..7becf0133 100644 --- a/man/systemd-analyze.xml +++ b/man/systemd-analyze.xml @@ -112,6 +112,12 @@ <arg choice="plain">timespan</arg> <arg choice="plain" rep="repeat"><replaceable>SPAN</replaceable></arg> </cmdsynopsis> + <cmdsynopsis> + <command>systemd-analyze</command> + <arg choice="opt" rep="repeat">OPTIONS</arg> + <arg choice="plain">security</arg> + <arg choice="plain" rep="repeat"><replaceable>UNIT</replaceable></arg> + </cmdsynopsis> </refsynopsisdiv> <refsect1> @@ -263,6 +269,29 @@ NAutoVTs=8 The time span should adhere to the same syntax documented in <citerefentry><refentrytitle>systemd.time</refentrytitle><manvolnum>7</manvolnum></citerefentry>. Values without associated magnitudes are parsed as seconds.</para> + <para><command>systemd-analyze security</command> analyzes the security and sandboxing settings of one or more + specified service units. If at least one unit name is specified the security settings of the specified service + units are inspected and a detailed analysis is shown. If no unit name is specified, all currently loaded, + long-running service units are inspected and a terse table with results shown. The command checks for various + security-related service settings, assigning each a numeric "exposure level" value, depending on how important a + setting is. It then calculates an overall exposure level for the whole unit, which is an estimation in the range + 0.0…10.0 indicating how exposed a service is security-wise. High exposure levels indicate very little applied + sandboxing. Low exposure levels indicate tight sandboxing and strongest security restrictions. Note that this only + analyzes the per-service security features systemd itself implements. This means that any additional security + mechanisms applied by the service code itself are not accounted for. The exposure level determined this way should + not be misunderstood: a high exposure level neither means that there is no effective sandboxing applied by the + service code itself, nor that the service is actually vulnerable to remote or local attacks. High exposure levels + do indicate however that most likely the service might benefit from additional settings applied to them. Please + note that many of the security and sandboxing settings individually can be circumvented — unless combined with + others. For example, if a service retains the privilege to establish or undo mount points many of the sandboxing + options can be undone by the service code itself. Due to that is essential that each service uses the most + comprehensive and strict sandboxing and security settings possible. The tool will take into account some of these + combinations and relationships between the settings, but not all. Also note that the security and sandboxing + settings analyzed here only apply to the operations executed by the service code itself. If a service has access to + an IPC system (such as D-Bus) it might request operations from other services that are not subject to the same + restrictions. Any comprehensive security and sandboxing analysis is hence incomplete if the IPC access policy is + not validated too.</para> + <para>If no command is passed, <command>systemd-analyze time</command> is implied.</para> |