Use systemd-analyze security to improve system security
Goal description
The initial goal is to have every system service apart from login services (which need to support root logins or sudo from user logins) score MEDIUM or better in the output of "systemd-analyze security" for all common installations. This means all daemons used as part of a typical laptop installation, all the common server programs that are considered part of a "LAMP" stack, and commonly used servers such as dhcp and samba.
Any service that can't meet these aims should have a document describing why it's not possible and ways of implementing workarounds to give good system security in spite of this.
systemd-analyze now supports working offline, without a booted system, and also supports a user-supplied security policy, instead of the embedded defaults. This means that CI tools such as Lintian could be used to check the units shipped by a package.
It was suggested that we could have two variants of the D-Bus package so that one could only launch programs via systemd. Otherwise the dbus daemon needs to potentially run everything.
Current Bug Reports
ToDo: use usertags to list bugs instead of manually editing the wiki.
network-manager bug #1032326 (needs upstream work)
Daemons that are Mostly Done
List Discussion
Here is the start of a debian-devel discussion about this. Here is a long and detailed reply to that thread with several ideas worth implementing.
How to help
- Add yourself to the Advocates or Volunteers section as appropriate
- Test services on your systems and devise ways of improving the systemd security settings. You can run "systemctl edit whatever.service" to put in an override for a daemon, then restart it to see if it still works
- File bug reports suggesting changes that you have found to work and determined are likely to work for others
- Join the work in upstream projects; for some Debian packages, like network-manager, these changes won't be accepted unless accepted upstream
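The test-and-override loop above, as an added example (not part of this wiki page, not systemd's own scoring code): a portable shell pre-check for the sandboxing directives that "systemd-analyze security" scores, plus a drop-in generator that writes the same override.conf that "systemctl edit whatever.service" creates. The directive list, the override values, the unit name example-daemon.service and the temporary directory are this example's own assumptions; on a live system the drop-in goes under /etc/systemd/system and the real score comes from "systemd-analyze security whatever.service" (or, without a booted system, "systemd-analyze security --offline=true --policy=policy.json ./whatever.service").

```shell
#!/bin/sh
# Added example: not systemd's scoring logic. A quick offline check of which
# hardening directives a unit (plus optional drop-ins) sets, and a helper that
# writes an override drop-in the way "systemctl edit NAME.service" does.
# On a real system, verify with:   systemd-analyze security NAME.service
# Offline with your own policy:    systemd-analyze security --offline=true --policy=policy.json ./NAME.service

# Directives we expect a reasonably sandboxed non-login daemon to set
# (assumption: a common starting set, not the full systemd-analyze list).
HARDENING_DIRECTIVES="ProtectSystem ProtectHome PrivateTmp PrivateDevices NoNewPrivileges ProtectKernelTunables ProtectControlGroups RestrictSUIDSGID CapabilityBoundingSet"

# Print the value of a directive in the [Service] section of one file.
# Last occurrence wins, as it does in systemd. $1 = file, $2 = directive.
unit_value() {
    awk -v key="$2" '
        /^\[/ { in_service = ($0 == "[Service]"); next }
        in_service && index($0, key "=") == 1 { val = substr($0, length(key) + 2) }
        END { print val }
    ' "$1"
}

# Effective value across a unit and its drop-ins: later files override
# earlier ones. $1 = directive, remaining args = files in load order.
effective_value() {
    key="$1"; shift
    result=""
    for f in "$@"; do
        v=$(unit_value "$f" "$key")
        [ -n "$v" ] && result="$v"
    done
    printf '%s\n' "$result"
}

# Print (to stderr) each expected directive that is unset and echo the count.
count_missing() {
    n=0
    for d in $HARDENING_DIRECTIVES; do
        if [ -z "$(effective_value "$d" "$@")" ]; then
            echo "missing: $d=" >&2
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# True (exit 0) when the service still runs as root: no User=, or User=root,
# and no DynamicUser=yes. Running as root is the biggest single factor in
# the systemd-analyze security score.
runs_as_root() {
    user=$(effective_value User "$@")
    dyn=$(effective_value DynamicUser "$@")
    [ "$dyn" != "yes" ] && { [ -z "$user" ] || [ "$user" = "root" ]; }
}

# Write DIR/NAME.d/override.conf, the file "systemctl edit NAME" creates
# under /etc/systemd/system. $1 = unit name, $2 = base dir. The values are
# this example's suggested starting point; ProtectSystem=strict in
# particular needs ReadWritePaths= for any state directory the daemon writes.
write_override() {
    dropin_dir="$2/$1.d"
    mkdir -p "$dropin_dir"
    cat > "$dropin_dir/override.conf" <<'EOF'
[Service]
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes
NoNewPrivileges=yes
ProtectKernelTunables=yes
ProtectControlGroups=yes
RestrictSUIDSGID=yes
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
EOF
    echo "$dropin_dir/override.conf"
}

# Constructed sample unit for a fictional daemon (not a Debian package),
# kept in a temp dir so this runs without root and touches nothing in /etc.
WORK=$(mktemp -d)
SAMPLE_UNIT="$WORK/example-daemon.service"
cat > "$SAMPLE_UNIT" <<'EOF'
[Unit]
Description=Constructed example daemon

[Service]
ExecStart=/usr/sbin/example-daemon --foreground
PrivateTmp=yes

[Install]
WantedBy=multi-user.target
EOF

OVERRIDE_FILE=$(write_override example-daemon.service "$WORK")
echo "before override: $(count_missing "$SAMPLE_UNIT" 2>/dev/null) directives missing"
echo "after override:  $(count_missing "$SAMPLE_UNIT" "$OVERRIDE_FILE") directives missing"
runs_as_root "$SAMPLE_UNIT" "$OVERRIDE_FILE" && echo "still runs as root: consider User= or DynamicUser=yes"
```

The drop-in deliberately leaves User= alone: whether a daemon can drop root is the part that has to be tested per service and is usually where the upstream work is needed, whereas the filesystem and capability restrictions above can be tried with "systemctl daemon-reload" and a restart, then removed one at a time if the daemon breaks.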
Relevant packages
- All daemons, especially ones that run as root.
- Legacy cron jobs rewritten as tightened .timer/.service
- Potentially programs run by "systemd --user", or maybe we should have a separate goal for that.
Other Information
Debian Security Advisories: http://lists.debian.org/debian-security-announce/
Advocates
Russell Coker (russell@coker.com.au) (etbe@debian.org)
Volunteers