Use systemd-analyze security to improve system security

Goal description

The initial goal is to have every system service, apart from login services (which need to support root logins or sudo from user logins), score MEDIUM or better in the output of "systemd-analyze security" on all common installations. This covers all daemons used in a typical laptop installation, the common server programs that make up a "LAMP" stack, and other widely used servers such as dhcp and samba.

Any service that can't meet these aims should have a document describing why it's not possible and ways of implementing workarounds that give good system security in spite of this.

systemd-analyze now supports working offline, without a booted system, and also accepts a user-supplied security policy in place of the embedded defaults. This means that CI tools such as Lintian could be used to check the units shipped by a package.
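The offline mode is the part a packager can script. As an added example (not code from systemd, from Debian tooling, or from this page), the following Python pre-checks a unit file for the hardening directives that systemd-analyze security reports on, then hands the real scoring to systemd-analyze security --offline=yes with a --threshold= so that a CI job fails when the exposure is too high. The unit parser follows the syntax in systemd.syntax(7); the directive list, the sample unit, the hypothetical example-daemon name and the threshold value are constructed for illustration, and the --offline=, --threshold= and --security-policy= flag names are taken from systemd-analyze(1) and should be confirmed against the systemd version shipped in the release you target.

```python
"""Offline hardening pre-check for systemd units, plus a thin wrapper around
`systemd-analyze security --offline=`.  Added example; not code from systemd
or from any Debian package.  Directive list, sample unit and threshold are
constructed for illustration."""
import shutil
import subprocess
import tempfile
from pathlib import Path

# Hardening directives from systemd.exec(5) that systemd-analyze security
# reports on.  The tuple lists the values accepted here; an empty tuple means
# the directive only has to be present (its value is a list needing review).
EXPECTED = {
    "NoNewPrivileges": ("yes", "true"),
    "PrivateTmp": ("yes", "true"),
    "PrivateDevices": ("yes", "true"),
    "ProtectSystem": ("strict", "full"),
    "ProtectHome": ("yes", "true", "read-only", "tmpfs"),
    "ProtectKernelTunables": ("yes", "true"),
    "ProtectKernelModules": ("yes", "true"),
    "ProtectControlGroups": ("yes", "true"),
    "RestrictRealtime": ("yes", "true"),
    "RestrictSUIDSGID": ("yes", "true"),
    "LockPersonality": ("yes", "true"),
    "MemoryDenyWriteExecute": ("yes", "true"),
    "CapabilityBoundingSet": (),
    "SystemCallFilter": (),
    "RestrictAddressFamilies": (),
    "RestrictNamespaces": (),
}


def parse_unit(text):
    """Parse unit-file syntax per systemd.syntax(7): [Section] headers,
    Key=Value lines, '#'/';' comment lines and backslash continuation.
    Repeated keys accumulate in order; an empty assignment resets the list,
    which is how systemd treats list-valued settings."""
    joined, pending = [], ""
    for raw in text.splitlines():          # join continuation lines first
        stripped = raw.rstrip()
        if stripped.endswith("\\"):
            pending += stripped[:-1] + " "
            continue
        joined.append(pending + raw)
        pending = ""
    if pending:
        joined.append(pending)

    sections, current = {}, ""
    for line in joined:
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue                        # invalid line; systemd ignores it
        values = sections.setdefault(current, {}).setdefault(key.strip(), [])
        if value.strip() == "":
            values.clear()                  # "Key=" resets a list setting
        else:
            values.append(value.strip())
    return sections


def missing_hardening(text):
    """Return {directive: reason} for each expected directive that is absent
    from [Service] or whose last assignment is not an accepted value."""
    service = parse_unit(text).get("Service", {})
    findings = {}
    for key, accepted in EXPECTED.items():
        values = service.get(key, [])
        if not values:
            findings[key] = "not set"
        elif accepted and values[-1].lower() not in accepted:
            findings[key] = f"set to {values[-1]!r} (accepted: {', '.join(accepted)})"
    return findings


def analyze_offline(unit_path, threshold=50, policy=None):
    """Run systemd-analyze security on a unit file on disk without a booted
    system.  --threshold= (0..100 scale) makes it exit non-zero when the
    exposure exceeds the value, which is what a CI gate needs; the default
    50 here is illustrative, pick the number matching the rating you require.
    Returns (exit status, output), or None when systemd-analyze is absent."""
    exe = shutil.which("systemd-analyze")
    if exe is None:
        return None
    cmd = [exe, "security", "--offline=yes", "--no-pager", f"--threshold={threshold}"]
    if policy:
        cmd.append(f"--security-policy={policy}")   # custom JSON policy file
    cmd.append(str(unit_path))                      # absolute path to the unit
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return proc.returncode, proc.stdout + proc.stderr


# Constructed sample unit for a hypothetical "example-daemon" package.
SAMPLE_UNIT = """\
[Unit]
Description=Example daemon (constructed sample)

[Service]
ExecStart=/usr/sbin/example-daemon --foreground
NoNewPrivileges=yes
PrivateTmp=yes
ProtectSystem=full
ProtectHome=yes
CapabilityBoundingSet=CAP_NET_BIND_SERVICE \\
                      CAP_CHOWN
# comment lines are ignored
; and so are these
"""


def main():
    for key, reason in sorted(missing_hardening(SAMPLE_UNIT).items()):
        print(f"{key}: {reason}")
    with tempfile.TemporaryDirectory() as tmp:
        unit = Path(tmp, "example-daemon.service")
        unit.write_text(SAMPLE_UNIT)
        result = analyze_offline(unit)
    if result is None:
        print("systemd-analyze not installed; real scoring skipped")
    else:
        status, output = result
        print(output)
        print("CI gate:", "pass" if status == 0 else f"fail (exit {status})")


if __name__ == "__main__":
    main()
```

The pre-check is deliberately cruder than systemd-analyze: it only reports which directives are missing or weakly set so that a reviewer sees what to add, while the pass/fail decision for the goal above comes from systemd-analyze's own exposure score via --threshold=. A service that legitimately cannot set some directive would be handled with a --security-policy= file that re-weights that check, alongside the document explaining why.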

It was suggested that we could have two variants of the D-Bus package, so that one of them could only launch programs via systemd. Otherwise the dbus daemon itself needs to be able to run potentially everything.

Current Bug Reports

/!\ ToDo: use usertags to list bugs instead of manually editing the wiki.

Daemons that are Mostly Done

List Discussion

Here is the start of a debian-devel discussion about this. Here is a long and detailed reply to that thread with several ideas worth implementing.

How to help

Relevant packages

Other Information

Advocates

Volunteers


CategoryDebianDevelopment | CategorySystemSecurity