On 2020-02-11 09:34, ronp...@riseup.net wrote:
> I've been reading a blog from the renowned Daniel Aleksandersen at
> https://www.ctrl.blog/entry/systemd-service-hardening.html
>
> The output from a Debian-10 based AppVM looks a little scary!! Should I
> be concerned?
>
> user@tmp3:~$ systemd-analyze security
> UNIT                                 EXPOSURE PREDICATE HAPPY
> ModemManager.service                      5.6 MEDIUM    😐
> NetworkManager.service                    7.6 EXPOSED   🙁
> avahi-daemon.service                      9.5 UNSAFE    😨
> cron.service                              9.5 UNSAFE    😨
> cups-browsed.service                      9.5 UNSAFE    😨
> cups.service                              9.5 UNSAFE    😨
> dbus.service                              9.5 UNSAFE    😨
> dm-event.service                          9.5 UNSAFE    😨
> emergency.service                         9.5 UNSAFE    😨
> exim4.service                             9.5 UNSAFE    😨
> getty@tty1.service                        9.5 UNSAFE    😨
> haveged.service                           5.6 MEDIUM    😐
> lvm2-lvmpolld.service                     9.5 UNSAFE    😨
> polkit.service                            9.5 UNSAFE    😨
> qubes-db.service                          9.5 UNSAFE    😨
> qubes-firewall.service                    9.5 UNSAFE    😨
> qubes-gui-agent.service                   9.5 UNSAFE    😨
> qubes-meminfo-writer.service              9.5 UNSAFE    😨
> qubes-qrexec-agent.service                9.5 UNSAFE    😨
> qubes-sync-time.service                   9.5 UNSAFE    😨
> qubes-updates-proxy.service               9.5 UNSAFE    😨
> rc-local.service                          9.5 UNSAFE    😨
> rescue.service                            9.5 UNSAFE    😨
> rsyslog.service                           9.5 UNSAFE    😨
> rtkit-daemon.service                      6.9 MEDIUM    😐
> serial-getty@hvc0.service                 9.5 UNSAFE    😨
> systemd-ask-password-console.service      9.3 UNSAFE    😨
> systemd-ask-password-wall.service         9.3 UNSAFE    😨
> systemd-fsckd.service                     9.5 UNSAFE    😨
> systemd-initctl.service                   9.3 UNSAFE    😨
> systemd-journald.service                  4.3 OK        🙂
> systemd-logind.service                    4.1 OK        🙂
> systemd-networkd.service                  2.8 OK        🙂
> systemd-timesyncd.service                 2.0 OK        🙂
> systemd-udevd.service                     8.3 EXPOSED   🙁
> tinyproxy.service                         8.7 EXPOSED   🙁
> udisks2.service                           9.5 UNSAFE    😨
> user@1000.service                         9.1 UNSAFE    😨
> wpa_supplicant.service                    9.5 UNSAFE    😨
> xendriverdomain.service                   9.5 UNSAFE    😨
Thanks all for taking time out to respond to this issue. I have to say I'm still confused as to whether it's a "scary" issue or just a bug in the tool "systemd-analyze security".

I spotted this from Whonix https://forums.whonix.org/t/using-apparmor-profile-everything-on-debian-buster/8650 - which, if I'm not mistaken, claims to utilise a tool, apparmor-profile-everything, to confine, amongst other things, the systemd init process and children it spawns. I thought I'd give it a try and see if it gave less scary results! Here's the feedback:

Although the AppArmor security feature is enabled by default in Debian Buster (10), it is not, for some inexplicable reason, enabled by default in the Qubes version of Debian-10. To enable it, issue the command in Dom0:

qvm-prefs -s <template name> kernelopts "nopat apparmor=1 security=apparmor"

Then follow the link above to install apparmor-profile-everything. Also install apparmor-utils. Check if AppArmor is running OK:

user@sysemd-test:~$ sudo aa-status
apparmor module is loaded.
18 profiles are loaded.
18 profiles are in enforce mode.
   /**/*-browser/Browser/firefox
   /usr/bin/apt-get
   /usr/bin/evince
   /usr/bin/evince-previewer
   /usr/bin/evince-previewer//sanitized_helper
   /usr/bin/evince-thumbnailer
   /usr/bin/evince//sanitized_helper
   /usr/bin/man
   /usr/lib/cups/backend/cups-pdf
   /usr/sbin/cups-browsed
   /usr/sbin/cupsd
   /usr/sbin/cupsd//third_party
   /usr/sbin/haveged
   init-systemd
   man_filter
   man_groff
   nvidia_modprobe
   nvidia_modprobe//kmod
0 profiles are in complain mode.
3 processes have profiles defined.
3 processes are in enforce mode.
   /usr/sbin/cups-browsed (551)
   /usr/sbin/cupsd (488)
   /usr/sbin/haveged (481)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.

We see that the systemd init is loaded and in enforce mode! However, the output from the tool systemd-analyze security still gives scary results. Is this what you professional developers would expect?
user@sysemd-test:~$ systemd-analyze security
UNIT                                 EXPOSURE PREDICATE HAPPY
ModemManager.service                      5.6 MEDIUM    😐
NetworkManager.service                    7.6 EXPOSED   🙁
avahi-daemon.service                      9.5 UNSAFE    😨
cron.service                              9.5 UNSAFE    😨
cups-browsed.service                      9.5 UNSAFE    😨
cups.service                              9.5 UNSAFE    😨
dbus.service                              9.5 UNSAFE    😨
dm-event.service                          9.5 UNSAFE    😨
emergency.service                         9.5 UNSAFE    😨
exim4.service                             9.5 UNSAFE    😨
getty@tty1.service                        9.5 UNSAFE    😨
haveged.service                           5.6 MEDIUM    😐
lvm2-lvmpolld.service                     9.5 UNSAFE    😨
polkit.service                            9.5 UNSAFE    😨
qubes-db.service                          9.5 UNSAFE    😨
qubes-firewall.service                    9.5 UNSAFE    😨
qubes-gui-agent.service                   9.5 UNSAFE    😨
qubes-meminfo-writer.service              9.5 UNSAFE    😨
qubes-qrexec-agent.service                9.5 UNSAFE    😨
qubes-sync-time.service                   9.5 UNSAFE    😨
qubes-updates-proxy.service               9.5 UNSAFE    😨
rc-local.service                          9.5 UNSAFE    😨
rescue.service                            9.5 UNSAFE    😨
rsyslog.service                           9.5 UNSAFE    😨
rtkit-daemon.service                      6.9 MEDIUM    😐
serial-getty@hvc0.service                 9.5 UNSAFE    😨
systemd-ask-password-console.service      9.3 UNSAFE    😨
systemd-ask-password-wall.service         9.3 UNSAFE    😨
systemd-fsckd.service                     9.5 UNSAFE    😨
systemd-initctl.service                   9.3 UNSAFE    😨
systemd-journald.service                  4.3 OK        🙂
systemd-logind.service                    4.1 OK        🙂
systemd-networkd.service                  2.8 OK        🙂
systemd-timesyncd.service                 2.0 OK        🙂
systemd-udevd.service                     8.3 EXPOSED   🙁
tinyproxy.service                         8.7 EXPOSED   🙁
udisks2.service                           9.5 UNSAFE    😨
user@1000.service                         9.1 UNSAFE    😨
wpa_supplicant.service                    9.5 UNSAFE    😨
xendriverdomain.service                   9.5 UNSAFE    😨
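As an added example, not code from the thread, Qubes or Whonix: a small Python script that parses the `systemd-analyze security` overview format shown above, counts units per predicate, lists the units at or above a triage threshold, and diffs two runs the way the poster compared the before- and after-AppArmor listings by eye. The sample rows are copied from the listing; the hardened cron.service score in the second run is a constructed, hypothetical value.

```python
"""Parse, triage and compare `systemd-analyze security` overview output."""
import re
from dataclasses import dataclass

# One table row: unit, numeric EXPOSURE, PREDICATE word; the HAPPY emoji is ignored.
ROW_RE = re.compile(r"^(?P<unit>\S+\.service)\s+(?P<score>\d+(?:\.\d+)?)\s+(?P<pred>\S+)")

@dataclass(frozen=True)
class Row:
    unit: str
    score: float
    predicate: str

def parse_overview(text: str) -> dict[str, Row]:
    """Map unit -> Row; skips the header, blank lines and mail-quote '> ' prefixes."""
    rows: dict[str, Row] = {}
    for line in text.splitlines():
        line = line.lstrip("> ").rstrip()
        if line and not line.startswith("UNIT") and (m := ROW_RE.match(line)):
            rows[m["unit"]] = Row(m["unit"], float(m["score"]), m["pred"])
    return rows

def summarize(rows: dict[str, Row]) -> dict[str, int]:
    """Count units per predicate, e.g. {'UNSAFE': 1, 'OK': 1, ...}."""
    counts: dict[str, int] = {}
    for r in rows.values():
        counts[r.predicate] = counts.get(r.predicate, 0) + 1
    return counts

def worst(rows: dict[str, Row], threshold: float = 9.0) -> list[Row]:
    """Triage list: units at or above the threshold, worst first."""
    return sorted((r for r in rows.values() if r.score >= threshold),
                  key=lambda r: (-r.score, r.unit))

def compare_runs(before: dict[str, Row], after: dict[str, Row]) -> dict[str, tuple[float, float]]:
    """Units whose score changed between two runs: unit -> (old, new). An empty result
    means the change made between runs touched nothing the tool scores; it rates the
    unit file's own sandboxing settings, not confinement applied from outside."""
    return {u: (before[u].score, after[u].score)
            for u in before if u in after and before[u].score != after[u].score}

# Constructed sample: header plus four rows taken from the thread's listing.
BEFORE = """\
UNIT                                 EXPOSURE PREDICATE HAPPY
NetworkManager.service                    7.6 EXPOSED   🙁
cron.service                              9.5 UNSAFE    😨
haveged.service                           5.6 MEDIUM    😐
systemd-journald.service                  4.3 OK        🙂
"""
# Constructed re-run: cron.service given a hardening drop-in (hypothetical score).
AFTER = BEFORE.replace("9.5 UNSAFE    😨", "2.1 OK        🙂")
```

Feeding the two full listings from the thread to `compare_runs` returns an empty dict, which is the quickest way to confirm that enabling AppArmor changed none of the scores.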