priv-kweihmann/systemdlint
systemdlint

Systemd Unitfile Linter

Usage

usage: systemdlint [-h] [--nodropins] [--rootpath ROOTPATH] [--sversion SVERSION] [--output OUTPUT] [--norootfs] files [files ...]

Systemd Unitfile Linter

positional arguments:
  files                Files to parse

optional arguments:
  -h, --help           show this help message and exit
  --nodropins          Ignore Drop-Ins for parsing
  --rootpath ROOTPATH  Root path
  --sversion SVERSION  Version of Systemd to be used
  --output OUTPUT      Where to flush the findings (default: stderr)
  --norootfs           Run only unit file related tests

Why should I use it?

Surely you can use systemd-analyze verify [unitname] to validate your units - no problem, and it's the recommended way if you are writing units for the system you are currently running on. Unfortunately systemd doesn't offer a validation that doesn't require an already running instance of the systemd version you want to validate against.

This tool was initially created to check units in cross-compiled embedded images at build time, where you can't run a copy of systemd (as it's cross-compiled). As a consequence it doesn't use any systemd code and might interpret some settings differently than systemd itself - as with every linter, take the outcomes as a basis for further analysis. Also keep in mind that systemd creates a larger set of runtime files which are not taken into account by the tool - the same goes for kernel-related information like /dev, /sys or /proc entries.

Furthermore the tool gives you advice on how your unit files could be hardened.

Installation

PyPi

simply run

pip3 install systemdlint

From source

  • Install the needed requirements by running pip3 install systemdunitparser anytree
  • git clone this repository
  • cd to <clone folder>/systemdlint
  • run sudo ./build.sh

Output

The tool will return

{file}:{line}:{severity} [{id}] - {message}

example:

/lib/systemd/system/console-shell.service:18:info [NoFailureCheck] - Return-code check is disabled. Errors are not reported
/lib/systemd/system/plymouth-halt.service:11:info [NoFailureCheck] - Return-code check is disabled. Errors are not reported
/lib/systemd/system/systemd-ask-password-console.service:12:warning [ReferencedUnitNotFound] - The Unit 'systemd-vconsole-setup.service' referenced was not found in filesystem
/lib/systemd/system/basic.target:19:warning [ReferencedUnitNotFound] - The Unit 'tmp.mount' referenced was not found in filesystem

The output format is configurable with --messageformat, for example:

systemdlint --messageformat='{path}:{line}:{severity}:{msg}' ...

Detectable Errors

  • ConflictingOptions - The set option somehow is in conflict with another unit
  • ErrorCyclicDependency - Unit creates a cyclic dependency
  • ExecNotFound - The referenced executable was not found on system
  • FullPrivileges - An executable is run with full privileges
  • InvalidNumericBase - A numeric value doesn't match because it needs to be a multiple of X
  • InvalidSetting - The option doesn't match the section
  • InvalidValue - An invalid value is set
  • MandatoryOptionMissing - A mandatory option was missing in the file
  • Multiplicity - The option is not valid for the given amount of options in this context
  • NoExecutable - The referenced executable is NOT executable
  • NoFailureCheck - An executable is run without checking for failures
  • OptionDeprecated - The used option is not available anymore in this version
  • OptionTooNew - The used option will be available in a later version than used
  • ReferencedUnitNotFound - The unit referenced was not found in system
  • Security.@clock - SystemCallFilter shouldn't contain @clock
  • Security.@cpu-emulation - SystemCallFilter shouldn't contain @cpu-emulation
  • Security.@debug - SystemCallFilter shouldn't contain @debug
  • Security.@module - SystemCallFilter shouldn't contain @module
  • Security.@mount - SystemCallFilter shouldn't contain @mount
  • Security.@obsolete - SystemCallFilter shouldn't contain @obsolete
  • Security.@privileged - SystemCallFilter shouldn't contain @privileged
  • Security.@raw-io - SystemCallFilter shouldn't contain @raw-io
  • Security.@reboot - SystemCallFilter shouldn't contain @reboot
  • Security.@resources - SystemCallFilter shouldn't contain @resources
  • Security.@swap - SystemCallFilter shouldn't contain @swap
  • Security.AF_INET - RestrictAddressFamilies shouldn't contain AF_INET
  • Security.AF_INET6 - RestrictAddressFamilies shouldn't contain AF_INET6
  • Security.AF_NETLINK - RestrictAddressFamilies shouldn't contain AF_NETLINK
  • Security.AF_PACKET - RestrictAddressFamilies shouldn't contain AF_PACKET
  • Security.AF_UNIX - RestrictAddressFamilies shouldn't contain AF_UNIX
  • Security.CAP_AUDIT_CONTROL - CapabilityBoundingSet shouldn't contain CAP_AUDIT_CONTROL
  • Security.CAP_AUDIT_READ - CapabilityBoundingSet shouldn't contain CAP_AUDIT_READ
  • Security.CAP_AUDIT_WRITE - CapabilityBoundingSet shouldn't contain CAP_AUDIT_WRITE
  • Security.CAP_BLOCK_SUSPEND - CapabilityBoundingSet shouldn't contain CAP_BLOCK_SUSPEND
  • Security.CAP_CHOWN - CapabilityBoundingSet shouldn't contain CAP_CHOWN
  • Security.CAP_DAC_OVERRIDE - CapabilityBoundingSet shouldn't contain CAP_DAC_OVERRIDE
  • Security.CAP_DAC_READ_SEARCH - CapabilityBoundingSet shouldn't contain CAP_DAC_READ_SEARCH
  • Security.CAP_FOWNER - CapabilityBoundingSet shouldn't contain CAP_FOWNER
  • Security.CAP_FSETID - CapabilityBoundingSet shouldn't contain CAP_FSETID
  • Security.CAP_IPC_LOCK - CapabilityBoundingSet shouldn't contain CAP_IPC_LOCK
  • Security.CAP_IPC_OWNER - CapabilityBoundingSet shouldn't contain CAP_IPC_OWNER
  • Security.CAP_KILL - CapabilityBoundingSet shouldn't contain CAP_KILL
  • Security.CAP_LEASE - CapabilityBoundingSet shouldn't contain CAP_LEASE
  • Security.CAP_LINUX_IMMUTABLE - CapabilityBoundingSet shouldn't contain CAP_LINUX_IMMUTABLE
  • Security.CAP_MAC_ADMIN - CapabilityBoundingSet shouldn't contain CAP_MAC_ADMIN
  • Security.CAP_MAC_OVERRIDE - CapabilityBoundingSet shouldn't contain CAP_MAC_OVERRIDE
  • Security.CAP_MKNOD - CapabilityBoundingSet shouldn't contain CAP_MKNOD
  • Security.CAP_NET_ADMIN - CapabilityBoundingSet shouldn't contain CAP_NET_ADMIN
  • Security.CAP_NET_BIND_SERVICE - CapabilityBoundingSet shouldn't contain CAP_NET_BIND_SERVICE
  • Security.CAP_NET_BROADCAST - CapabilityBoundingSet shouldn't contain CAP_NET_BROADCAST
  • Security.CAP_NET_RAW - CapabilityBoundingSet shouldn't contain CAP_NET_RAW
  • Security.CAP_RAWIO - CapabilityBoundingSet shouldn't contain CAP_RAWIO
  • Security.CAP_SETFCAP - CapabilityBoundingSet shouldn't contain CAP_SETFCAP
  • Security.CAP_SETGID - CapabilityBoundingSet shouldn't contain CAP_SETGID
  • Security.CAP_SETPCAP - CapabilityBoundingSet shouldn't contain CAP_SETPCAP
  • Security.CAP_SETUID - CapabilityBoundingSet shouldn't contain CAP_SETUID
  • Security.CAP_SYS_ADMIN - CapabilityBoundingSet shouldn't contain CAP_SYS_ADMIN
  • Security.CAP_SYS_BOOT - CapabilityBoundingSet shouldn't contain CAP_SYS_BOOT
  • Security.CAP_SYS_CHROOT - CapabilityBoundingSet shouldn't contain CAP_SYS_CHROOT
  • Security.CAP_SYS_MODULE - CapabilityBoundingSet shouldn't contain CAP_SYS_MODULE
  • Security.CAP_SYS_NICE - CapabilityBoundingSet shouldn't contain CAP_SYS_NICE
  • Security.CAP_SYS_PACCT - CapabilityBoundingSet shouldn't contain CAP_SYS_PACCT
  • Security.CAP_SYS_PTRACE - CapabilityBoundingSet shouldn't contain CAP_SYS_PTRACE
  • Security.CAP_SYS_RESOURCE - CapabilityBoundingSet shouldn't contain CAP_SYS_RESOURCE
  • Security.CAP_SYS_TIME - CapabilityBoundingSet shouldn't contain CAP_SYS_TIME
  • Security.CAP_SYS_TTY_CONFIG - CapabilityBoundingSet shouldn't contain CAP_SYS_TTY_CONFIG
  • Security.CAP_SYSLOG - CapabilityBoundingSet shouldn't contain CAP_SYSLOG
  • Security.CAP_WAKE_ALARM - CapabilityBoundingSet shouldn't contain CAP_WAKE_ALARM
  • Security.CLONE_NEWCGROUP - RestrictNamespaces shouldn't contain CLONE_NEWCGROUP
  • Security.CLONE_NEWIPC - RestrictNamespaces shouldn't contain CLONE_NEWIPC
  • Security.CLONE_NEWNET - RestrictNamespaces shouldn't contain CLONE_NEWNET
  • Security.CLONE_NEWNS - RestrictNamespaces shouldn't contain CLONE_NEWNS
  • Security.CLONE_NEWPID - RestrictNamespaces shouldn't contain CLONE_NEWPID
  • Security.CLONE_NEWUSER - RestrictNamespaces shouldn't contain CLONE_NEWUSER
  • Security.CLONE_NEWUTS - RestrictNamespaces shouldn't contain CLONE_NEWUTS
  • Security.Delegate - Delegate shall be set to yes
  • Security.DevicePolicy - DevicePolicy should be set to closed
  • Security.IPAddressDenyNA - IPAddressDeny shall be set
  • Security.KeyringModeNA - KeyringMode shall be set
  • Security.KeyringModeNPriv - KeyringMode shall be set to private
  • Security.LockPersonality - LockPersonality shall be set to yes
  • Security.MemoryDenyWriteExecute - MemoryDenyWriteExecute shall be set to yes
  • Security.NoNewPrivileges - NoNewPrivileges shall be set to yes
  • Security.NotifyAccess - NotifyAccess=all should be avoided
  • Security.NoUser - No user is set for the service
  • Security.PrivateDevices - PrivateDevices shall be set to yes
  • Security.PrivateMounts - PrivateMounts shall be set to yes
  • Security.PrivateNetwork - PrivateNetwork shall be set to yes
  • Security.PrivateTmp - PrivateTmp shall be set to yes
  • Security.PrivateUsers - PrivateUsers shall be set to yes
  • Security.ProtectClock - ProtectClock shall be set to yes
  • Security.ProtectControlGroups - ProtectControlGroups shall be set to yes
  • Security.ProtectHomeNA - ProtectHome shall be set
  • Security.ProtectHomeOff - ProtectHome shall be set to yes
  • Security.ProtectHostname - ProtectHostname shall be set to yes
  • Security.ProtectKernelLogs - ProtectKernelLogs shall be set to yes
  • Security.ProtectKernelModules - ProtectKernelModules shall be set to yes
  • Security.ProtectKernelTunables - ProtectKernelTunables shall be set to yes
  • Security.ProtectSystemNA - ProtectSystem shall be set
  • Security.ProtectSystemNStrict - ProtectSystem shall be set to strict
  • Security.RemoveIPC - RemoveIPC should be activated
  • Security.RestrictRealtime - RestrictRealtime shall be set to yes
  • Security.RestrictSUIDSGID - RestrictSUIDSGID shall be set to yes
  • Security.RootDirectory - RootDirectory or RootImage shall be set to a non-root path
  • Security.SupplementaryGroups - SupplementaryGroups shall be avoided
  • Security.SystemCallArchitecturesMult - SystemCallArchitectures shouldn't be set for multiple archs
  • Security.SystemCallArchitecturesNA - SystemCallArchitectures shall be set
  • Security.UMaskGR - Files created by service are group-readable
  • Security.UMaskGW - Files created by service are group-writeable
  • Security.UMaskOR - Files created by service are world-readable
  • Security.UMaskOW - Files created by service are world-writeable
  • Security.UserNobody - User nobody is set for the service
  • Security.UserRoot - User root is set for the service
  • SettingRequires - The option requires another option to be set
  • SettingRestricted - The option can't be set due to another option
  • SyntaxError - The file is not parsable
  • UnitSectionMissing - The Unit-section is missing in the file
  • UnknownUnitType - The file extension of the file is not a known systemd one
  • WrongFileMask - The file has a risky filemode set

vscode extension

Find the extension in the marketplace, or search for systemdlint-vscode