systemd-analyze
    Andrew Savchenko
    andrew at lists.savchenko.net
    Wed Oct 14 01:13:34 BST 2020

Dear Maintainers,
Among others, /usr/bin/systemd-analyze can be called with the "security" parameter,
which shows the sandboxing settings of the loaded units on a scale from 0 to 10.
On Debian v10.6 the vast majority of the services are reported as "unsafe" with an
exposure score >9. This includes sshd, unattended-upgrades and others.
Is there a plan to improve the situation for Bullseye? I think the maintainers of
the Whonix project, which is based on Debian, are using it for some services they
ship in addition to the base (sdwdate, onion-grater, etc.).
References:
[1] https://forums.whonix.org/t/systemd-analyze-security/10395
[2] https://www.ctrl.blog/entry/systemd-opensmtpd-hardening.html
[3] https://forums.whonix.org/t/system-wide-sandboxing-framework-sandbox-app-launcher/9008
-- 
With regards,
A
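An added example, not part of the original mail: a small POSIX shell helper that reads the table `systemd-analyze security` prints (without a unit argument), lists units at or above an exposure threshold, and writes a hardening drop-in for one unit. The report text below is constructed; the function names and the drop-in file name are my own.

```shell
#!/bin/sh
# Added example: audit `systemd-analyze security` output and generate a
# sandboxing drop-in. Not code from the mail or from Debian/systemd.

# Constructed sample in the table format `systemd-analyze security` prints.
SAMPLE_REPORT='UNIT                        EXPOSURE PREDICATE HAPPY
ssh.service                      9.6 UNSAFE    😨
systemd-logind.service           2.8 OK        🙂
unattended-upgrades.service      9.6 UNSAFE    😨
systemd-journald.service         4.3 OK        🙂'

# list_unsafe_units THRESHOLD  < report
# Prints "unit score" for each unit whose exposure >= THRESHOLD (default 9.0).
list_unsafe_units() {
    threshold="${1:-9.0}"
    awk -v thr="$threshold" '
        NR == 1 && $1 == "UNIT" { next }        # skip the header row
        $2 + 0 >= thr + 0      { print $1, $2 }  # numeric compare on EXPOSURE
    ' | sort -k2,2nr
}

# count_unsafe_units THRESHOLD  < report
count_unsafe_units() {
    list_unsafe_units "$1" | wc -l | tr -d ' '
}

# write_hardening_dropin UNIT [DIR]
# Writes a drop-in with sandboxing directives that the security score weighs.
# DIR defaults to /etc/systemd/system; pass a scratch directory to try it out.
# Directives may need relaxing per service; verify with `systemd-analyze security UNIT`.
write_hardening_dropin() {
    unit="$1"; base="${2:-/etc/systemd/system}"
    dir="$base/$unit.d"
    mkdir -p "$dir"
    cat > "$dir/hardening.conf" <<'EOF'
[Service]
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes
ProtectKernelTunables=yes
ProtectControlGroups=yes
RestrictSUIDSGID=yes
EOF
    printf '%s\n' "$dir/hardening.conf"
}

# On a real host: systemd-analyze security --no-pager | list_unsafe_units 9.0
printf '%s\n' "$SAMPLE_REPORT" | list_unsafe_units 9.0
```

After installing a drop-in, run `systemctl daemon-reload` and re-check the unit's score; a too-strict ProtectSystem= or PrivateDevices= will break services that need write access or device nodes.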