Systemd Unitfile Linter

Project description

systemdlint

Systemd Unitfile Linter

Usage

usage: systemdlint [-h] [--nodropins] [--rootpath ROOTPATH] [--sversion SVERSION] [--output OUTPUT] [--norootfs] files [files ...]

Systemd Unitfile Linter

positional arguments:
  files                Files to parse

optional arguments:
  -h, --help           show this help message and exit
  --nodropins          Ignore Drop-Ins for parsing
  --rootpath ROOTPATH  Root path
  --sversion SVERSION  Version of Systemd to be used
  --output OUTPUT      Where to flush the findings (default: stderr)
  --norootfs           Run only unit file related tests

Why should I use it?

Surely you can use systemd-analyze verify [unitname] to validate your units - no problem, and it's the recommended way if you are writing units for the system you are currently running on. Unfortunately systemd doesn't offer a validation mode that works without an already running instance of the systemd version you want to validate against.

This tool was initially created to check units in cross-compiled embedded images at build time, where you can't run a copy of systemd (as it's cross-compiled). As a consequence it doesn't use any systemd code and might interpret some settings differently than systemd itself - as with every linter, take the outcomes as a basis for further analysis. Also keep in mind that systemd creates a larger set of runtime files which the tool does not take into account - the same goes for kernel-related information such as /dev, /sys or /proc entries.

Furthermore, the tool gives you advice on how your unit files could be hardened.

Installation

PyPi

simply run

pip3 install systemdlint

From source

  • Install the needed requirements by running pip3 install .
  • git clone this repository
  • cd to <clone folder>/systemdlint
  • run sudo ./build.sh

Output

The tool reports each finding in the format

{file}:{line}:{severity} [{id}] - {message}

Example:

/lib/systemd/system/console-shell.service:18:info [NoFailureCheck] - Return-code check is disabled. Errors are not reported
/lib/systemd/system/plymouth-halt.service:11:info [NoFailureCheck] - Return-code check is disabled. Errors are not reported
/lib/systemd/system/systemd-ask-password-console.service:12:warning [ReferencedUnitNotFound] - The Unit 'systemd-vconsole-setup.service' referenced was not found in filesystem
/lib/systemd/system/basic.target:19:warning [ReferencedUnitNotFound] - The Unit 'tmp.mount' referenced was not found in filesystem

The output format is configurable with --messageformat, for example:

systemdlint --messageformat='{path}:{line}:{severity}:{msg}' ...
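To act on the findings in a CI job, the default output format above can be parsed and gated by severity. The following is an added example, not part of systemdlint itself; it assumes the default message format shown above and the severity names info, warning and error (the README shows info and warning), and uses constructed sample output.

```python
import re
from collections import Counter

# Default systemdlint message format: {file}:{line}:{severity} [{id}] - {message}
FINDING_RE = re.compile(
    r"^(?P<file>[^:]+):(?P<line>\d+):(?P<severity>\w+) \[(?P<id>[^\]]+)\] - (?P<msg>.*)$"
)

# Constructed sample output in the default format (not a real systemdlint run)
SAMPLE_OUTPUT = """\
/lib/systemd/system/console-shell.service:18:info [NoFailureCheck] - Return-code check is disabled. Errors are not reported
/lib/systemd/system/basic.target:19:warning [ReferencedUnitNotFound] - The Unit 'tmp.mount' referenced was not found in filesystem
/etc/systemd/system/app.service:7:warning [Security.NoNewPrivileges] - NoNewPrivileges shall be set to yes
/etc/systemd/system/app.service:9:error [ExecNotFound] - The referenced executable was not found on system
unrelated stderr noise that is not a finding
"""

def parse_findings(text):
    """Return one dict per line that matches the default format; other lines are skipped."""
    findings = []
    for line in text.splitlines():
        m = FINDING_RE.match(line)
        if m:
            d = m.groupdict()
            d["line"] = int(d["line"])
            findings.append(d)
    return findings

def gate(findings, fail_on=("error", "warning"), ignore_ids=()):
    """Return (ok, per-severity counts); ok is False when a finding at a failing
    severity remains after dropping ignored check ids."""
    counts = Counter(f["severity"] for f in findings)
    blocking = [f for f in findings
                if f["severity"] in fail_on and f["id"] not in ignore_ids]
    return not blocking, counts

if __name__ == "__main__":
    found = parse_findings(SAMPLE_OUTPUT)
    ok, counts = gate(found, ignore_ids=("ReferencedUnitNotFound",))
    for f in found:
        print(f"{f['severity']:8} {f['id']:28} {f['file']}:{f['line']}")
    print("build ok" if ok else f"blocking findings present: {dict(counts)}")
```

To use it on a real run, replace SAMPLE_OUTPUT with sys.stdin.read() and pipe the linter's stderr into the script (systemdlint ... 2>&1 | python3 gate.py).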

Detectable Errors

  • ConflictingOptions - The set option somehow is in conflict with another unit
  • ErrorCyclicDependency - Unit creates a cyclic dependency
  • ExecNotFound - The referenced executable was not found on system
  • FullPrivileges - An executable is run with full privileges
  • InvalidNumericBase - A numeric value doesn't match because it needs to be a multiple of X
  • InvalidSetting - The option doesn't match the section
  • InvalidValue - An invalid value is set
  • MandatoryOptionMissing - A mandatory option was missing in the file
  • Multiplicity - The option is not valid for the given amount of options in this context
  • NoExecutable - The referenced executable is NOT executable
  • NoFailureCheck - An executable is run without checking for failures
  • OptionDeprecated - The used option is not available anymore in this version
  • OptionTooNew - The used option will be available in a later version than used
  • ReferencedUnitNotFound - The unit referenced was not found in system
  • Security.@clock - SystemCallFilter shouldn't contain @clock
  • Security.@cpu-emulation - SystemCallFilter shouldn't contain @cpu-emulation
  • Security.@debug - SystemCallFilter shouldn't contain @debug
  • Security.@module - SystemCallFilter shouldn't contain @module
  • Security.@mount - SystemCallFilter shouldn't contain @mount
  • Security.@obsolete - SystemCallFilter shouldn't contain @obsolete
  • Security.@privileged - SystemCallFilter shouldn't contain @privileged
  • Security.@raw-io - SystemCallFilter shouldn't contain @raw-io
  • Security.@reboot - SystemCallFilter shouldn't contain @reboot
  • Security.@resources - SystemCallFilter shouldn't contain @resources
  • Security.@swap - SystemCallFilter shouldn't contain @swap
  • Security.AF_INET - RestrictAddressFamilies shouldn't contain AF_INET
  • Security.AF_INET6 - RestrictAddressFamilies shouldn't contain AF_INET6
  • Security.AF_NETLINK - RestrictAddressFamilies shouldn't contain AF_NETLINK
  • Security.AF_PACKET - RestrictAddressFamilies shouldn't contain AF_PACKET
  • Security.AF_UNIX - RestrictAddressFamilies shouldn't contain AF_UNIX
  • Security.CAP_AUDIT_CONTROL - CapabilityBoundingSet shouldn't contain CAP_AUDIT_CONTROL
  • Security.CAP_AUDIT_READ - CapabilityBoundingSet shouldn't contain CAP_AUDIT_READ
  • Security.CAP_AUDIT_WRITE - CapabilityBoundingSet shouldn't contain CAP_AUDIT_WRITE
  • Security.CAP_BLOCK_SUSPEND - CapabilityBoundingSet shouldn't contain CAP_BLOCK_SUSPEND
  • Security.CAP_CHOWN - CapabilityBoundingSet shouldn't contain CAP_CHOWN
  • Security.CAP_DAC_OVERRIDE - CapabilityBoundingSet shouldn't contain CAP_DAC_OVERRIDE
  • Security.CAP_DAC_READ_SEARCH - CapabilityBoundingSet shouldn't contain CAP_DAC_READ_SEARCH
  • Security.CAP_FOWNER - CapabilityBoundingSet shouldn't contain CAP_FOWNER
  • Security.CAP_FSETID - CapabilityBoundingSet shouldn't contain CAP_FSETID
  • Security.CAP_IPC_LOCK - CapabilityBoundingSet shouldn't contain CAP_IPC_LOCK
  • Security.CAP_IPC_OWNER - CapabilityBoundingSet shouldn't contain CAP_IPC_OWNER
  • Security.CAP_KILL - CapabilityBoundingSet shouldn't contain CAP_KILL
  • Security.CAP_LEASE - CapabilityBoundingSet shouldn't contain CAP_LEASE
  • Security.CAP_LINUX_IMMUTABLE - CapabilityBoundingSet shouldn't contain CAP_LINUX_IMMUTABLE
  • Security.CAP_MAC_ADMIN - CapabilityBoundingSet shouldn't contain CAP_MAC_ADMIN
  • Security.CAP_MAC_OVERRIDE - CapabilityBoundingSet shouldn't contain CAP_MAC_OVERRIDE
  • Security.CAP_MKNOD - CapabilityBoundingSet shouldn't contain CAP_MKNOD
  • Security.CAP_NET_ADMIN - CapabilityBoundingSet shouldn't contain CAP_NET_ADMIN
  • Security.CAP_NET_BIND_SERVICE - CapabilityBoundingSet shouldn't contain CAP_NET_BIND_SERVICE
  • Security.CAP_NET_BROADCAST - CapabilityBoundingSet shouldn't contain CAP_NET_BROADCAST
  • Security.CAP_NET_RAW - CapabilityBoundingSet shouldn't contain CAP_NET_RAW
  • Security.CAP_RAWIO - CapabilityBoundingSet shouldn't contain CAP_RAWIO
  • Security.CAP_SETFCAP - CapabilityBoundingSet shouldn't contain CAP_SETFCAP
  • Security.CAP_SETGID - CapabilityBoundingSet shouldn't contain CAP_SETGID
  • Security.CAP_SETPCAP - CapabilityBoundingSet shouldn't contain CAP_SETPCAP
  • Security.CAP_SETUID - CapabilityBoundingSet shouldn't contain CAP_SETUID
  • Security.CAP_SYS_ADMIN - CapabilityBoundingSet shouldn't contain CAP_SYS_ADMIN
  • Security.CAP_SYS_BOOT - CapabilityBoundingSet shouldn't contain CAP_SYS_BOOT
  • Security.CAP_SYS_CHROOT - CapabilityBoundingSet shouldn't contain CAP_SYS_CHROOT
  • Security.CAP_SYS_MODULE - CapabilityBoundingSet shouldn't contain CAP_SYS_MODULE
  • Security.CAP_SYS_NICE - CapabilityBoundingSet shouldn't contain CAP_SYS_NICE
  • Security.CAP_SYS_PACCT - CapabilityBoundingSet shouldn't contain CAP_SYS_PACCT
  • Security.CAP_SYS_PTRACE - CapabilityBoundingSet shouldn't contain CAP_SYS_PTRACE
  • Security.CAP_SYS_RESOURCE - CapabilityBoundingSet shouldn't contain CAP_SYS_RESOURCE
  • Security.CAP_SYS_TIME - CapabilityBoundingSet shouldn't contain CAP_SYS_TIME
  • Security.CAP_SYS_TTY_CONFIG - CapabilityBoundingSet shouldn't contain CAP_SYS_TTY_CONFIG
  • Security.CAP_SYSLOG - CapabilityBoundingSet shouldn't contain CAP_SYSLOG
  • Security.CAP_WAKE_ALARM - CapabilityBoundingSet shouldn't contain CAP_WAKE_ALARM
  • Security.CLONE_NEWCGROUP - RestrictNamespaces shouldn't contain CLONE_NEWCGROUP
  • Security.CLONE_NEWIPC - RestrictNamespaces shouldn't contain CLONE_NEWIPC
  • Security.CLONE_NEWNET - RestrictNamespaces shouldn't contain CLONE_NEWNET
  • Security.CLONE_NEWNS - RestrictNamespaces shouldn't contain CLONE_NEWNS
  • Security.CLONE_NEWPID - RestrictNamespaces shouldn't contain CLONE_NEWPID
  • Security.CLONE_NEWUSER - RestrictNamespaces shouldn't contain CLONE_NEWUSER
  • Security.CLONE_NEWUTS - RestrictNamespaces shouldn't contain CLONE_NEWUTS
  • Security.Delegate - Delegate shall be set to yes
  • Security.DevicePolicy - DevicePolicy should be set to closed
  • Security.IPAddressDenyNA - IPAddressDeny shall be set
  • Security.KeyringModeNA - KeyringMode shall be set
  • Security.KeyringModeNPriv - KeyringMode shall be set to private
  • Security.LockPersonality - LockPersonality shall be set to yes
  • Security.MemoryDenyWriteExecute - MemoryDenyWriteExecute shall be set to yes
  • Security.NoNewPrivileges - NoNewPrivileges shall be set to yes
  • Security.NotifyAccess - NotifyAccess=all should be avoided
  • Security.NoUser - No user is set for the service
  • Security.PrivateDevices - PrivateDevices shall be set to yes
  • Security.PrivateMounts - PrivateMounts shall be set to yes
  • Security.PrivateNetwork - PrivateNetwork shall be set to yes
  • Security.PrivateTmp - PrivateTmp shall be set to yes
  • Security.PrivateUsers - PrivateUsers shall be set to yes
  • Security.ProtectClock - ProtectClock shall be set to yes
  • Security.ProtectControlGroups - ProtectControlGroups shall be set to yes
  • Security.ProtectHomeNA - ProtectHome shall be set
  • Security.ProtectHomeOff - ProtectHome shall be set to yes
  • Security.ProtectHostname - ProtectHostname shall be set to yes
  • Security.ProtectKernelLogs - ProtectKernelLogs shall be set to yes
  • Security.ProtectKernelModules - ProtectKernelModules shall be set to yes
  • Security.ProtectKernelTunables - ProtectKernelTunables shall be set to yes
  • Security.ProtectSystemNA - ProtectSystem shall be set
  • Security.ProtectSystemNStrict - ProtectSystem shall be set to strict
  • Security.RemoveIPC - RemoveIPC should be activated
  • Security.RestrictRealtime - RestrictRealtime shall be set to yes
  • Security.RestrictSUIDSGID - RestrictSUIDSGID shall be set to yes
  • Security.RootDirectory - RootDirectory or RootImage shall be set to a non-root path
  • Security.SupplementaryGroups - SupplementaryGroups shall be avoided
  • Security.SystemCallArchitecturesMult - SystemCallArchitectures shouldn't be set for multiple archs
  • Security.SystemCallArchitecturesNA - SystemCallArchitectures shall be set
  • Security.UMaskGR - Files created by service are group-readable
  • Security.UMaskGW - Files created by service are group-writeable
  • Security.UMaskOR - Files created by service are world-readable
  • Security.UMaskOW - Files created by service are world-writeable
  • Security.UserNobody - User nobody is set for the service
  • Security.UserRoot - User root is set for the service
  • SettingRequires - The option requires another option to be set
  • SettingRestricted - The option can't be set due to another option
  • SyntaxError - The file is not parsable
  • UnitSectionMissing - The Unit-section is missing in the file
  • UnknownUnitType - The file extension of the file is not a known systemd one
  • WrongFileMask - The file has a risky filemode set
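To show what a few of the Security.* checks above actually look at, here is an added, minimal re-implementation of five of them (NoUser/UserRoot, NoNewPrivileges, CAP_SYS_ADMIN, UMaskOW/UMaskOR) over a constructed unit file. It is illustration code, not systemdlint's own implementation; the check ids are reused only as labels, and the tiny parser assumes plain key=value lines without line continuations.

```python
def parse_unit(text):
    """Parse a unit file into {section: [(key, value), ...]}; keys may repeat."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current].append((key.strip(), value.strip()))
    return sections

def check_service(text):
    """Return (id, message) findings for a handful of [Service] hardening checks."""
    service = parse_unit(text).get("Service", [])
    values = lambda k: [v for key, v in service if key == k]   # last occurrence wins in systemd
    findings = []
    user = values("User")
    if not user:
        findings.append(("Security.NoUser", "No user is set for the service"))
    elif user[-1] == "root":
        findings.append(("Security.UserRoot", "User root is set for the service"))
    if values("NoNewPrivileges")[-1:] not in (["yes"], ["true"], ["on"], ["1"]):
        findings.append(("Security.NoNewPrivileges", "NoNewPrivileges shall be set to yes"))
    # A leading '~' turns the list into a deny list, so only allow-list entries count here
    caps = {c for v in values("CapabilityBoundingSet") if not v.startswith("~") for c in v.split()}
    if "CAP_SYS_ADMIN" in caps:
        findings.append(("Security.CAP_SYS_ADMIN", "CapabilityBoundingSet shouldn't contain CAP_SYS_ADMIN"))
    for umask in values("UMask"):
        other = int(umask, 8) & 0o7      # permission bits the mask removes for "other"
        if not other & 0o2:
            findings.append(("Security.UMaskOW", "Files created by service are world-writeable"))
        if not other & 0o4:
            findings.append(("Security.UMaskOR", "Files created by service are world-readable"))
    return findings

# Constructed sample unit with several weak settings
WEAK_UNIT = """\
[Unit]
Description=constructed example service
[Service]
ExecStart=/usr/bin/example-daemon
User=root
UMask=0000
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SYS_ADMIN
"""
```

Setting User to a dedicated account, NoNewPrivileges=yes, CapabilityBoundingSet=~CAP_SYS_ADMIN and UMask=0077 in the sample clears all five findings.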

vscode extension

Find the extension in the marketplace, or search for systemdlint-vscode.

Download files

Source Distribution

systemdlint-1.4.0.tar.gz (47.8 kB)

Built Distribution

systemdlint-1.4.0-py3-none-any.whl (91.9 kB)

File details

Details for the file systemdlint-1.4.0.tar.gz.

File metadata

  • Download URL: systemdlint-1.4.0.tar.gz
  • Size: 47.8 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

Provenance

The following attestation bundles were made for systemdlint-1.4.0.tar.gz:

Publisher: release.yml on priv-kweihmann/systemdlint

File details

Details for the file systemdlint-1.4.0-py3-none-any.whl.

File metadata

  • Download URL: systemdlint-1.4.0-py3-none-any.whl
  • Size: 91.9 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

Provenance

The following attestation bundles were made for systemdlint-1.4.0-py3-none-any.whl:

Publisher: release.yml on priv-kweihmann/systemdlint
