Bug#972186: systemd-analyze
Andrew Savchenko
andrew at lists.savchenko.net
Wed Oct 14 01:29:18 BST 2020
Package: systemd
Version: 241-7~deb10u4
Tags: security, buster, bullseye
Severity: wishlist
Dear Maintainers,
Among others, /usr/bin/systemd-analyze can be called with "security" parameter
which shows sandboxing settings of the loaded units on the scale from 0 to 10.
On Debian v10.6 vast majority of the services are reported as "unsafe" with
exposure score >9. This includes sshd, unattended-upgrades and others.
Is there a plan to improve situation for Bullseye? I think maintainers of
Whonix project, which is based on Debian, are using it for some services they
ship in addition to base (sdwdate, onion-grater, etc).
References:
[1] https://forums.whonix.org/t/systemd-analyze-security/10395
[2] https://www.ctrl.blog/entry/systemd-opensmtpd-hardening.html
[3] https://forums.whonix.org/t/system-wide-sandboxing-framework-sandbox-app-launcher/9008
--
With regards,
A
More information about the Pkg-systemd-maintainers
mailing list