Harden services with systemd
A Hard Nut to Crack
One of the most important goals in the development of systemd is securing Linux. Of course, you can only improve what can be measured, which is why Galileo Galilei advised: "Measure what is measurable, and make measurable what is not." Following this maxim, systemd now makes system security under Linux measurable and improvable.
More specifically, it is the `systemd-analyze security` command that allows this measurement. When executed, it returns a table like that shown in Figure 1, listing each service managed by systemd (UNIT); a numerical value for the degree of protection (EXPOSURE, where 10 is both the highest and worst value); a verbal translation of this value (PREDICATE); and another version of the rating (HAPPY) in the form of an emoji.
Additionally, `systemd-analyze` can reveal how it arrives at its assessment: To see this, start it with the name of a service unit. As shown in Figure 2, it lists all the factors that have been checked, along with a checkmark for passed or an X for failed.
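To turn the table into a worklist, the following added example (not part of the original article) filters the UNIT and EXPOSURE columns and ranks the services at or above a chosen exposure value, worst first. The function names `exposed_units` and `sample_report` are assumptions, and the sample table is constructed for illustration.

```shell
#!/bin/sh
# Added example: rank services by the EXPOSURE column of
# `systemd-analyze security`. Function names are hypothetical.

# exposed_units THRESHOLD
# Reads the UNIT/EXPOSURE/PREDICATE/HAPPY table on stdin and prints
# "unit exposure" for every unit whose exposure is >= THRESHOLD,
# highest (worst) exposure first.
exposed_units() {
    awk -v t="$1" '
        # Skip the header and anything without a numeric second column.
        $2 ~ /^[0-9]+(\.[0-9]+)?$/ && ($2 + 0) >= (t + 0) {
            printf "%s %s\n", $1, $2
        }
    ' | LC_ALL=C sort -k2,2nr
}

# Constructed sample of the table layout described above (not real output
# from any system), so the example runs without systemd present.
sample_report() {
    cat <<'EOF'
UNIT                                 EXPOSURE PREDICATE HAPPY
NetworkManager.service                    7.8 EXPOSED   🙁
cron.service                              9.6 UNSAFE    😨
systemd-journald.service                  4.3 OK        🙂
systemd-resolved.service                  2.1 OK        🙂
EOF
}

# Demo on the constructed sample. On a live host, feed the real table in:
#   systemd-analyze security --no-pager | exposed_units 7.5
sample_report | exposed_units 7.5
```

Each unit this reports is a candidate for the per-service check described above, which shows the individual factors behind its score.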