Bug#972186: systemd-analyze

Andrew Savchenko andrew at lists.savchenko.net
Wed Oct 14 01:29:18 BST 2020

Package: systemd
Version: 241-7~deb10u4
Tags: security, buster, bullseye
Severity: wishlist

Dear Maintainers,

Among others, /usr/bin/systemd-analyze can be called with "security" parameter 
which shows sandboxing settings of the loaded units on the scale from 0 to 10.

On Debian v10.6 vast majority of the services are reported as "unsafe" with 
exposure score >9. This includes sshd, unattended-upgrades and others.

Is there a plan to improve situation for Bullseye? I think maintainers of
Whonix project, which is based on Debian, are using it for some services they 
ship in addition to base (sdwdate, onion-grater, etc).

[1] https://forums.whonix.org/t/systemd-analyze-security/10395
[2] https://www.ctrl.blog/entry/systemd-opensmtpd-hardening.html
[3] https://forums.whonix.org/t/system-wide-sandboxing-framework-sandbox-app-launcher/9008

With regards,

More information about the Pkg-systemd-maintainers mailing list