Security in Systemd

Ran across a discussion today on reddit. Have never heard of this terminal command:

systemd-analyze security

But the output on my server was a bit alarming. Anyone care to explain what these mean?

Thanks,
Sheila

1 Like

I had to look it up.
Apparently systemd puts every service in a sandbox and
sets what it can access.
Daemons need to access things… if you go in and try to
harden the settings, you will probably find something stops working.

My personal feeling is we need to avoid this paranoid
management nonsense with daemon processes. All you
should ever need to do is start or stop a service. If you need more than that, there is a bug in the daemon. Fix the bug,
don't cover it up with ‘management’.

2 Likes

Well, good. For a minute I thought I should be concerned.

Thanks,
Sheila

1 Like

Sheila,
You’ve already scared me with that command…

Well, after recovering from the scare, it seems to be as Neville says, and that’s what’s on the man page of systemd-analyze:

…Note that this only analyzes the per-service security features systemd itself implements. This means that any additional security mechanisms applied by the service code itself are not accounted for. The exposure level determined this way should not be misunderstood: a high exposure level neither means that there is no effective sandboxing applied by the service code itself, nor that the service is actually vulnerable to remote or local attacks. High exposure levels do indicate however that most likely the service might benefit from additional settings applied to them…

If you want to do another test, try the following command, for example:

systemd-analyze security NetworkManager.service

You get a list of approximately 80 items tested just for that unit…

I have the same value as you for NetworkManager.service:

I’ll pretend I haven’t seen anything and won’t think about it :fearful:

Jorge

2 Likes
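One way to read the summary table that the bare command prints across all units, added here as an example and not part of the thread: it keeps only rows whose score reaches a threshold you pick and sorts them worst first. The sample table is constructed by hand in the command's column layout (UNIT, EXPOSURE, PREDICATE, HAPPY) with made-up scores; the real output uses smiley glyphs in the last column.

```shell
#!/bin/sh
# Constructed sample in the format of `systemd-analyze security` (no unit
# argument). Scores and predicates are invented for the demonstration.
SAMPLE_OUTPUT='UNIT                           EXPOSURE PREDICATE HAPPY
NetworkManager.service              7.8 EXPOSED   :(
sshd.service                        9.6 UNSAFE    :(
systemd-logind.service              2.8 OK        :)
systemd-resolved.service            2.2 OK        :)'

# Print "unit score predicate" for every row whose score is >= $2,
# highest exposure first. Usage: list_exposed "$table" 7.0
list_exposed() {
    printf '%s\n' "$1" | awk -v min="$2" '
        NR == 1 { next }                  # skip the header row
        NF < 3  { next }                  # skip blank or truncated lines
        $2 + 0 >= min { print $1, $2, $3 }
    ' | sort -k2,2 -rn
}

# Number of units that would be flagged at threshold $2.
count_exposed() {
    list_exposed "$1" "$2" | wc -l | tr -d ' '
}

# On a live system the table would come from the command itself, e.g.
#   list_exposed "$(systemd-analyze security --no-pager)" 7.0
# Here the constructed sample stands in for it.
list_exposed "$SAMPLE_OUTPUT" 7.0
```

As the man page excerpt above says, a high score only means the unit file sets few of systemd's own sandboxing options; it says nothing about what the daemon does internally.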

Hahaha.

Since @nevj said we do not need to be concerned…me too.

Sheila

1 Like

On another note, I learned a new terminal command today. I was thinking about what @daniel.m.tripp had said about Cockpit (the browser tab I am using to manage the home server) and I thought, "Yeah, but how can I know when the system needs rebooting after updates without a GUI of some sort?"

So I searched and, sure enough, there is a command!

$ sudo needs-restarting -r

I am finding so many new ways to do things from CLI on this monitor-less server.

Sheila

1 Like

Yeah, Debian seems to do that automatically when updating.
Other distros vary… I got caught with Void last night… all
my VMs stopped working… it needed to update libvirtd.

I am not a security expert, but really, for a home computer, you don't need all this rubbish. You might need it on an internet server that can't hide behind NAT.
A daemon that listens or transmits on a port has to open a port. There is little you can do about that.

2 Likes

So you need to shut them down before updating anything that might affect VMs?

I tried to update the version of Oracle for one VM and it failed because I had it open, I guess. But trying to recognize (for me at least) which of the updates relate to VMs would be difficult.

I do look at the lists before updating. But after using Mint with an update manager & definitely Pop, I just knew there were some updates that require restarting services and some that require rebooting.

But am glad I found a way to know these things in terminal.

Sheila

And enable or disable it.

systemctl enable nginx # Sets the service to start at boot time
systemctl disable nginx # Set the service to not start at boot time

1 Like

That would indeed be a good idea.
Linux is clever, but it can't update a piece of software while you are using it. It usually leaves you running the old copy until you reboot, but I guess that fails for a VM.

Yeah, I just now had to update the Guest Additions in Oracle W10. Luckily, it was easy since the virtual CD is already there. All you had to do was execute the update file.

But one thing puzzles me: ever since installing W10 in Oracle, I have never once had a Windows Update notification. But if I run it manually it finds updates but can never install them. Just says “Windows ran into a problem…” “Look for a solution online”. Sheesh, that’s helpful.

Yet Fedora in Oracle updates just fine.

Oh well, I seldom get into the VM for W10, and it certainly functions as expected, so I am not worried about it for now. And after March, my last W10 app will no longer be needed.

I have switched everything to Linux and running it from the new server. YAY!

Sheila

1 Like

It may think you are unlicensed or installed in a second machine.
@Daniel_Phillips probably knows.

That was my first thought. I’ve had other issues on various servers too though.

1 Like

Check activation status by WindowsKey+I and scroll down and click on update and security and open Activation.
I never use notifications, I just check for updates manually, although Windows 10 and W11 will usually notify when updates are available.

I knew you would have the answer.

Windows is activated through a digital license linked to MS acct. But as I said, regardless of notifications, I do get one update to install but it always errors out. Maybe something in the VM setup?

Sheila Flanagan

I did get the anti-virus to complete install, but the main one that gets an error is:
2024-01 Security Update for Windows 10 Version 22H2 for x64-based Systems (KB5034441)

Sheila Flanagan

I would say so!!!
If the VM is working, I would not be too concerned about updates.

That’s what I figured. Thanks.

Sheila Flanagan