systemd:security_overview_of_systemd_services
Differences
This shows you the differences between two versions of the page.
| Both sides previous revisionPrevious revisionNext revision | Previous revision | ||
| systemd:security_overview_of_systemd_services [2021/01/13 12:20] β peter | systemd:security_overview_of_systemd_services [2023/07/17 14:21] (current) β removed peter | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ====== systemd - Security overview of systemd services ====== | ||
| - | |||
| - | **systemd** enable services to run with a whole suite of hardening and sandboxing features from the Linux kernel. | ||
| - | |||
| - | The Linux kernel can filter and limit access to file systems, networks, devices, kernel capabilities and system calls (syscalls), and more. | ||
| - | |||
| - | ---- | ||
| - | |||
| - | ===== Check current security ===== | ||
| - | |||
| - | <code bash> | ||
| - | systemd-analyze security | ||
| - | </ | ||
| - | |||
| - | returns: | ||
| - | |||
| - | <code bash> | ||
| - | UNIT EXPOSURE PREDICATE HAPPY | ||
| - | ModemManager.service | ||
| - | NetworkManager.service | ||
| - | accounts-daemon.service | ||
| - | acpid.service | ||
| - | alsa-state.service | ||
| - | anacron.service | ||
| - | apache2.service | ||
| - | apport.service | ||
| - | avahi-daemon.service | ||
| - | bluetooth.service | ||
| - | colord.service | ||
| - | cron.service | ||
| - | cups-browsed.service | ||
| - | cups.service | ||
| - | dbus.service | ||
| - | dm-event.service | ||
| - | dmesg.service | ||
| - | emergency.service | ||
| - | expressvpn.service | ||
| - | gdm.service | ||
| - | geoclue.service | ||
| - | getty@tty1.service | ||
| - | grub-common.service | ||
| - | hddtemp.service | ||
| - | irqbalance.service | ||
| - | kerneloops.service | ||
| - | libvirtd.service | ||
| - | lvm2-lvmpolld.service | ||
| - | lxcfs.service | ||
| - | networkd-dispatcher.service | ||
| - | nvidia-persistenced.service | ||
| - | ondemand.service | ||
| - | php7.4-fpm.service | ||
| - | plymouth-start.service | ||
| - | polkit.service | ||
| - | rc-local.service | ||
| - | rescue.service | ||
| - | resolvconf.service | ||
| - | rsync.service | ||
| - | rsyslog.service | ||
| - | rtkit-daemon.service | ||
| - | snap.lxd.daemon.service | ||
| - | snapd.service | ||
| - | switcheroo-control.service | ||
| - | systemd-ask-password-console.service | ||
| - | systemd-ask-password-plymouth.service | ||
| - | systemd-ask-password-wall.service | ||
| - | systemd-fsckd.service | ||
| - | systemd-initctl.service | ||
| - | systemd-journald.service | ||
| - | systemd-logind.service | ||
| - | systemd-machined.service | ||
| - | systemd-networkd.service | ||
| - | systemd-resolved.service | ||
| - | systemd-rfkill.service | ||
| - | systemd-timesyncd.service | ||
| - | systemd-udevd.service | ||
| - | thermald.service | ||
| - | udisks2.service | ||
| - | unattended-upgrades.service | ||
| - | upower.service | ||
| - | user@1000.service | ||
| - | user@125.service | ||
| - | uuidd.service | ||
| - | virtlockd.service | ||
| - | virtlogd.service | ||
| - | whoopsie.service | ||
| - | wpa_supplicant.service | ||
| - | </ | ||
| - | |||
| - | <WRAP info> | ||
| - | **NOTE: | ||
| - | |||
| - | * **Exposure score**: is entirely based on a serviceβs utilization of security features provided by systemd. | ||
| - | * It doesnβt consider security features built-in to the program or enforced by access control policies like Security-Enhanced Linux (SELinux) or AppArmor. | ||
| - | * Nor does the score in any way evaluate the risk factors of a program or its configuration. | ||
| - | |||
| - | Notice that many daemons, such as crond, are considered to be unsafe. | ||
| - | |||
| - | * Thatβs an accurate assessment as these services are designed to allow unrestricted execution of arbitrary commands. | ||
| - | * You may want to disable these services entirely unless you need them. | ||
| - | </ | ||
| - | |||
| - | |||
systemd/security_overview_of_systemd_services.1610540434.txt.gz Β· Last modified: 2021/01/13 12:20 by peter