On Tue, Feb 11, 2020 at 01:34:15AM -0800, [email protected] wrote:
> I've been reading a blog from the renowned Daniel Aleksandersen at
> https://www.ctrl.blog/entry/systemd-service-hardening.html
>
> The output from a Debian-10 based Appvm looks a little scary!! Should I
> be concerned?
>
> user@tmp3:~$ systemd-analyze security
> UNIT                                   EXPOSURE PREDICATE HAPPY
> ModemManager.service                        5.6 MEDIUM    ????
> NetworkManager.service                      7.6 EXPOSED   ????
> avahi-daemon.service                        9.5 UNSAFE    ????
> cron.service                                9.5 UNSAFE    ????
> cups-browsed.service                        9.5 UNSAFE    ????
> cups.service                                9.5 UNSAFE    ????
> dbus.service                                9.5 UNSAFE    ????
> dm-event.service                            9.5 UNSAFE    ????
> emergency.service                           9.5 UNSAFE    ????
> exim4.service                               9.5 UNSAFE    ????
> [email protected]                         9.5 UNSAFE    ????
> haveged.service                             5.6 MEDIUM    ????
> lvm2-lvmpolld.service                       9.5 UNSAFE    ????
> polkit.service                              9.5 UNSAFE    ????
> qubes-db.service                            9.5 UNSAFE    ????
> qubes-firewall.service                      9.5 UNSAFE    ????
> qubes-gui-agent.service                     9.5 UNSAFE    ????
> qubes-meminfo-writer.service                9.5 UNSAFE    ????
> qubes-qrexec-agent.service                  9.5 UNSAFE    ????
> qubes-sync-time.service                     9.5 UNSAFE    ????
> qubes-updates-proxy.service                 9.5 UNSAFE    ????
> rc-local.service                            9.5 UNSAFE    ????
> rescue.service                              9.5 UNSAFE    ????
> rsyslog.service                             9.5 UNSAFE    ????
> rtkit-daemon.service                        6.9 MEDIUM    ????
> [email protected]                         9.5 UNSAFE    ????
> systemd-ask-password-console.service        9.3 UNSAFE    ????
> systemd-ask-password-wall.service           9.3 UNSAFE    ????
> systemd-fsckd.service                       9.5 UNSAFE    ????
> systemd-initctl.service                     9.3 UNSAFE    ????
> systemd-journald.service                    4.3 OK        ????
> systemd-logind.service                      4.1 OK        ????
> systemd-networkd.service                    2.8 OK        ????
> systemd-timesyncd.service                   2.0 OK        ????
> systemd-udevd.service                       8.3 EXPOSED   ????
> tinyproxy.service                           8.7 EXPOSED   ????
> udisks2.service                             9.5 UNSAFE    ????
> [email protected]                         9.1 UNSAFE    ????
> wpa_supplicant.service                      9.5 UNSAFE    ????
> xendriverdomain.service                     9.5 UNSAFE    ????
>
It does look scary. The output from a Fedora based qube looks much the same.

You should run the analysis against each service and see where you think they could be hardened. Post back your conclusions here.

Also, I see that you have many services that need not be there - some of these will be disabled by Qubes - some you do not need in every qube (cups-browsed, exim4, tinyproxy etc). You need to review what services you are running, and disable those you do not want. My list in an ordinary qube looks rather different from yours. Those are steps you should be taking in any case.

Also, bear in mind that the analysis doesn't take into account any security features in the programs themselves, or other mitigations. So you need to do a good deal more work before reaching any conclusions about your system.

Look forward to hearing from you

unman

--
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20200211113938.GA16932%40thirdeyesecurity.org.
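As an added example (not part of this thread, and not Qubes or systemd code), the following Python helper does the review unman describes in a repeatable way: it parses `systemd-analyze security` output, separates units that a qube may not need at all (the set is seeded with the three unman names and is an assumption the reader extends after reviewing their own qube) from units to keep and sandbox, and renders a drop-in of `systemd.exec(5)` directives that exist in the systemd 241 shipped by Debian 10. The sample report is a constructed subset of the poster's lines, with the HAPPY column left as the archive rendered it.

```python
"""Triage helper for `systemd-analyze security` output (added example, not from the thread)."""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the poster's report. The last column is the
# HAPPY emoji, which the list archive rendered as '????'; the parser ignores it.
SAMPLE_OUTPUT = """\
UNIT                           EXPOSURE PREDICATE HAPPY
ModemManager.service                5.6 MEDIUM    ????
NetworkManager.service              7.6 EXPOSED   ????
avahi-daemon.service                9.5 UNSAFE    ????
cron.service                        9.5 UNSAFE    ????
cups-browsed.service                9.5 UNSAFE    ????
exim4.service                       9.5 UNSAFE    ????
systemd-journald.service            4.3 OK        ????
systemd-timesyncd.service           2.0 OK        ????
tinyproxy.service                   8.7 EXPOSED   ????
"""

# Units unman names as not needed in every qube. Assumption: the reader extends
# this set after checking what each of their own qubes actually runs.
NOT_NEEDED_EVERYWHERE = frozenset({"cups-browsed.service", "exim4.service", "tinyproxy.service"})

# Sandboxing directives from systemd.exec(5) available in systemd 241 (Debian 10).
# A generic starting point only: each service must be tested after enabling them,
# since the score does not know what the program itself needs or already mitigates.
HARDENING_DIRECTIVES = [
    ("NoNewPrivileges", "yes"),
    ("ProtectSystem", "strict"),
    ("ProtectHome", "yes"),
    ("PrivateTmp", "yes"),
    ("PrivateDevices", "yes"),
    ("ProtectKernelTunables", "yes"),
    ("ProtectKernelModules", "yes"),
    ("ProtectControlGroups", "yes"),
    ("RestrictRealtime", "yes"),
    ("RestrictNamespaces", "yes"),
    ("LockPersonality", "yes"),
    ("MemoryDenyWriteExecute", "yes"),
    ("SystemCallArchitectures", "native"),
    ("SystemCallFilter", "@system-service"),
    ("RestrictAddressFamilies", "AF_UNIX AF_INET AF_INET6"),
    ("CapabilityBoundingSet", ""),  # empty value drops all capabilities
]

# One report row: unit name, numeric exposure, and the tool's own predicate.
LINE_RE = re.compile(
    r"^(?P<unit>\S+)\s+(?P<exposure>\d+(?:\.\d+)?)\s+(?P<predicate>SAFE|OK|MEDIUM|EXPOSED|UNSAFE)\b"
)


@dataclass(frozen=True)
class UnitScore:
    unit: str
    exposure: float
    predicate: str


def parse_security_report(text):
    """Return one UnitScore per data row; the header and blank lines are skipped."""
    scores = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            scores.append(UnitScore(m["unit"], float(m["exposure"]), m["predicate"]))
    return scores


def triage(scores, flag_predicates=("UNSAFE", "EXPOSED"), not_needed=NOT_NEEDED_EVERYWHERE):
    """Split units into 'disable' (check whether the qube needs the service at all)
    and 'harden' (keep, but sandbox); both lists are ordered worst exposure first."""
    order = lambda s: (-s.exposure, s.unit)
    disable = sorted((s for s in scores if s.unit in not_needed), key=order)
    harden = sorted(
        (s for s in scores if s.unit not in not_needed and s.predicate in flag_predicates),
        key=order,
    )
    return {"disable": disable, "harden": harden}


def hardening_dropin(unit):
    """Render the text of /etc/systemd/system/<unit>.d/hardening.conf for `systemctl edit`."""
    body = "\n".join(f"{key}={value}" for key, value in HARDENING_DIRECTIVES)
    return f"# {unit}: generated starting point, test the service after each directive\n[Service]\n{body}\n"


if __name__ == "__main__":
    result = triage(parse_security_report(SAMPLE_OUTPUT))
    print("review whether the qube needs these at all:")
    for s in result["disable"]:
        print(f"  {s.unit:32} {s.exposure:4.1f} {s.predicate}")
    print("keep, but sandbox (worst first):")
    for s in result["harden"]:
        print(f"  {s.unit:32} {s.exposure:4.1f} {s.predicate}")
    print(hardening_dropin(result["harden"][0].unit))
```

Usage: pipe the real report in with `systemd-analyze security | python3 triage.py` after replacing `SAMPLE_OUTPUT` with `sys.stdin.read()`, then for each unit in the "harden" list run `systemd-analyze security <unit>` to see which individual checks drive its score, install the drop-in with `systemctl edit <unit>`, restart the service, and re-run the per-unit analysis. The drop-in is deliberately a fixed template: the score only measures which sandboxing directives are set, so whether a given directive is safe for a given daemon is still the per-service review unman asks for.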
