Use systemd-analyze security to improve system security

Goal description

The initial goal is to have every system service apart from login services (which need to support root logins or sudo from user logins) score MEDIUM or better in the output of "systemd-analyze security" for all common installations. This means all daemons used as part of a typical laptop installation and all the common server programs that are considered as part of a "LAMP" stack as well as common servers such as dhcp and samba that are often used.

Any service that can't meet these aims should have a document describing why it's not possible and ways of implementing work arounds to give good system security in spite of this.

Current Bug Reports

ToDo: use usertags to list bugs instead of manually editing the wiki.

• network-manager bug #1032326 (needs upstream work)

• wpasupplicant bug #1032233

• auditd bug #1032327

• udisks2 bug #1040203

• dictd bug #1032331

• memlockd bug #1040204

How to help

• Add yourself to the Advocates or Volunteers section as appropriate
• Test services on your systems and devise ways of improving the systemd security settings. You can run "systemctl edit whatever.service" to put in an override for a daemon and restart it to see if it works
• File bug reports suggesting changes that you have found to work and determined are likely to work for others
• Join the work in upstream projects, for some Debian packages like network-manager these changes won't be accepted unless accepted upstream

Relevant packages

• All daemons, especially ones that run as root.
• Potentially programs run by "systemd --user" or maybe we should have a separate goal for that.

Other Information

• Debian Security Advisories: http://lists.debian.org/debian-security-announce/

Advocates

• Russell Coker (russell@coker.com.au) (etbe@debian.org)

Volunteers