On Mon, Dec 11, 2017 at 4:03 PM, Alan Mackenzie <a...@muc.de> wrote: > On Mon, Dec 11, 2017 at 18:56:15 +0000, Neil Bothwick wrote:
>> This may come as a surprise to some, but some things you hear on >> t'internet are not true... >> >> For example, the http server is there to allow access to logs from >> another machine without needing to grant SSH access. It is not enabled by >> default. > > OK. But it's still there taking up RAM, and (more importantly) makes a > systemd system a broader target for attacks. Whether a system has an > http server (or, for that matter, an SSH server), for whatever purpose, > should be for the system administrator to decide. I suspect this isn't > the case for systemd's http server. > > In any case, I don't want an http server on my system: I have no http to > serve. I installed sshd as one of the first things on my new system, to > facilitate the transfer of files to it (and, probably, reading logs from > it remotely). I don't use systemd on Gentoo but I assume that there's a USE flag for the http server, because, in binary distributions, this http server's in a standalone package - "systemd-journal-remote" on Ubuntu and "systemd-journal-gateway" on RHEL and clones. > I don't want a binary logging daemon either: that means having to learn > a special purpose utility to be able to read its logs, and, in general, > not being able to read that log from a remote machine. You can set "Storage=none" and "ForwardToSyslog=yes" in "/etc/systemd/journald.conf", install and enable rsyslog and you won't have binary logs when running systemd.
