andrew at lists.savchenko.net
Wed Oct 14 01:13:34 BST 2020
Among others, /usr/bin/systemd-analyze can be called with "security" parameter
which shows sandboxing settings of the loaded units on the scale from 0 to 10.
On Debian v10.6 vast majority of the services are reported as "unsafe" with
exposure score >9. This includes sshd, unattended-upgrades and others.
Is there a plan to improve situation for Bullseye? I think maintainers of
Whonix project, which is based on Debian, are using it for some services they
ship in addition to base (sdwdate, onion-grater, etc).
More information about the Pkg-systemd-maintainers