1 <?xml version='
1.0'
?> <!--*-nxml-*-->
2 <!DOCTYPE refentry PUBLIC
"-//OASIS//DTD DocBook XML V4.5//EN"
3 "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
4 <!-- SPDX-License-Identifier: LGPL-2.1-or-later -->
6 <refentry id=
"systemd-analyze" conditional='ENABLE_ANALYZE'
7 xmlns:
xi=
"http://www.w3.org/2001/XInclude">
10 <title>systemd-analyze
</title>
11 <productname>systemd
</productname>
15 <refentrytitle>systemd-analyze
</refentrytitle>
16 <manvolnum>1</manvolnum>
20 <refname>systemd-analyze
</refname>
21 <refpurpose>Analyze and debug system manager
</refpurpose>
26 <command>systemd-analyze
</command>
27 <arg choice=
"opt" rep=
"repeat">OPTIONS
</arg>
31 <command>systemd-analyze
</command>
32 <arg choice=
"opt" rep=
"repeat">OPTIONS
</arg>
33 <arg choice=
"plain">blame
</arg>
36 <command>systemd-analyze
</command>
37 <arg choice=
"opt" rep=
"repeat">OPTIONS
</arg>
38 <arg choice=
"plain">critical-chain
</arg>
39 <arg choice=
"opt" rep=
"repeat"><replaceable>UNIT
</replaceable></arg>
43 <command>systemd-analyze
</command>
44 <arg choice=
"opt" rep=
"repeat">OPTIONS
</arg>
45 <arg choice=
"plain">dump
</arg>
46 <arg choice=
"opt" rep=
"repeat"><replaceable>PATTERN
</replaceable></arg>
50 <command>systemd-analyze
</command>
51 <arg choice=
"opt" rep=
"repeat">OPTIONS
</arg>
52 <arg choice=
"plain">plot
</arg>
53 <arg choice=
"opt">>file.svg
</arg>
56 <command>systemd-analyze
</command>
57 <arg choice=
"opt" rep=
"repeat">OPTIONS
</arg>
58 <arg choice=
"plain">dot
</arg>
59 <arg choice=
"opt" rep=
"repeat"><replaceable>PATTERN
</replaceable></arg>
60 <arg choice=
"opt">>file.dot
</arg>
64 <command>systemd-analyze
</command>
65 <arg choice=
"opt" rep=
"repeat">OPTIONS
</arg>
66 <arg choice=
"plain">unit-files
</arg>
69 <command>systemd-analyze
</command>
70 <arg choice=
"opt" rep=
"repeat">OPTIONS
</arg>
71 <arg choice=
"plain">unit-paths
</arg>
74 <command>systemd-analyze
</command>
75 <arg choice=
"opt" rep=
"repeat">OPTIONS
</arg>
76 <arg choice=
"plain">exit-status
</arg>
77 <arg choice=
"opt" rep=
"repeat"><replaceable>STATUS
</replaceable></arg>
80 <command>systemd-analyze
</command>
81 <arg choice=
"opt" rep=
"repeat">OPTIONS
</arg>
82 <arg choice=
"plain">capability
</arg>
83 <arg choice=
"opt" rep=
"repeat"><replaceable>CAPABILITY
</replaceable></arg>
86 <command>systemd-analyze
</command>
87 <arg choice=
"opt" rep=
"repeat">OPTIONS
</arg>
88 <arg choice=
"plain">condition
</arg>
89 <arg choice=
"plain"><replaceable>CONDITION
</replaceable>…
</arg>
92 <command>systemd-analyze
</command>
93 <arg choice=
"opt" rep=
"repeat">OPTIONS
</arg>
94 <arg choice=
"plain">syscall-filter
</arg>
95 <arg choice=
"opt"><replaceable>SET
</replaceable>…
</arg>
98 <command>systemd-analyze
</command>
99 <arg choice=
"opt" rep=
"repeat">OPTIONS
</arg>
100 <arg choice=
"plain">filesystems
</arg>
101 <arg choice=
"opt"><replaceable>SET
</replaceable>…
</arg>
104 <command>systemd-analyze
</command>
105 <arg choice=
"opt" rep=
"repeat">OPTIONS
</arg>
106 <arg choice=
"plain">calendar
</arg>
107 <arg choice=
"plain" rep=
"repeat"><replaceable>SPEC
</replaceable></arg>
110 <command>systemd-analyze
</command>
111 <arg choice=
"opt" rep=
"repeat">OPTIONS
</arg>
112 <arg choice=
"plain">timestamp
</arg>
113 <arg choice=
"plain" rep=
"repeat"><replaceable>TIMESTAMP
</replaceable></arg>
116 <command>systemd-analyze
</command>
117 <arg choice=
"opt" rep=
"repeat">OPTIONS
</arg>
118 <arg choice=
"plain">timespan
</arg>
119 <arg choice=
"plain" rep=
"repeat"><replaceable>SPAN
</replaceable></arg>
122 <command>systemd-analyze
</command>
123 <arg choice=
"opt" rep=
"repeat">OPTIONS
</arg>
124 <arg choice=
"plain">cat-config
</arg>
125 <arg choice=
"plain" rep=
"repeat"><replaceable>NAME
</replaceable>|
<replaceable>PATH
</replaceable></arg>
128 <command>systemd-analyze
</command>
129 <arg choice=
"opt" rep=
"repeat">OPTIONS
</arg>
130 <arg choice=
"plain">compare-versions
</arg>
131 <arg choice=
"plain"><replaceable>VERSION1
</replaceable></arg>
132 <arg choice=
"opt"><replaceable>OP
</replaceable></arg>
133 <arg choice=
"plain"><replaceable>VERSION2
</replaceable></arg>
136 <command>systemd-analyze
</command>
137 <arg choice=
"opt" rep=
"repeat">OPTIONS
</arg>
138 <arg choice=
"plain">verify
</arg>
139 <arg choice=
"opt" rep=
"repeat"><replaceable>FILE
</replaceable></arg>
142 <command>systemd-analyze
</command>
143 <arg choice=
"opt" rep=
"repeat">OPTIONS
</arg>
144 <arg choice=
"plain">security
</arg>
145 <arg choice=
"plain" rep=
"repeat"><replaceable>UNIT
</replaceable></arg>
148 <command>systemd-analyze
</command>
149 <arg choice=
"opt" rep=
"repeat">OPTIONS
</arg>
150 <arg choice=
"plain">inspect-elf
</arg>
151 <arg choice=
"plain" rep=
"repeat"><replaceable>FILE
</replaceable></arg>
154 <command>systemd-analyze
</command>
155 <arg choice=
"opt" rep=
"repeat">OPTIONS
</arg>
156 <arg choice=
"plain">malloc
</arg>
157 <arg choice=
"opt" rep=
"repeat"><replaceable>D-BUS SERVICE
</replaceable></arg>
160 <command>systemd-analyze
</command>
161 <arg choice=
"opt" rep=
"repeat">OPTIONS
</arg>
162 <arg choice=
"plain">fdstore
</arg>
163 <arg choice=
"opt" rep=
"repeat"><replaceable>UNIT
</replaceable></arg>
166 <command>systemd-analyze
</command>
167 <arg choice=
"opt" rep=
"repeat">OPTIONS
</arg>
168 <arg choice=
"plain">image-policy
</arg>
169 <arg choice=
"plain" rep=
"repeat"><replaceable>POLICY
</replaceable></arg>
172 <command>systemd-analyze
</command>
173 <arg choice=
"opt" rep=
"repeat">OPTIONS
</arg>
174 <arg choice=
"plain">pcrs
</arg>
175 <arg choice=
"opt" rep=
"repeat"><replaceable>PCR
</replaceable></arg>
178 <command>systemd-analyze
</command>
179 <arg choice=
"opt" rep=
"repeat">OPTIONS
</arg>
180 <arg choice=
"plain">srk
</arg>
183 <command>systemd-analyze
</command>
184 <arg choice=
"opt" rep=
"repeat">OPTIONS
</arg>
185 <arg choice=
"plain">architectures
</arg>
186 <arg choice=
"opt" rep=
"repeat"><replaceable>NAME
</replaceable></arg>
191 <title>Description
</title>
193 <para><command>systemd-analyze
</command> may be used to determine
194 system boot-up performance statistics and retrieve other state and
195 tracing information from the system and service manager, and to
196 verify the correctness of unit files. It is also used to access
197 special functions useful for advanced system manager debugging.
</para>
199 <para>If no command is passed,
<command>systemd-analyze
200 time
</command> is implied.
</para>
203 <title><command>systemd-analyze time
</command></title>
205 <para>This command prints the time spent in the kernel before userspace has been reached, the time
206 spent in the initrd before normal system userspace has been reached, and the time normal system
207 userspace took to initialize. Note that these measurements simply measure the time passed up to the
208 point where all system services have been spawned, but not necessarily until they fully finished
209 initialization or the disk is idle.
</para>
212 <title><command>Show how long the boot took
</command></title>
214 <programlisting># in a container
215 $ systemd-analyze time
216 Startup finished in
296ms (userspace)
217 multi-user.target reached after
275ms in userspace
220 $ systemd-analyze time
221 Startup finished in
2.584s (kernel) +
19.176s (initrd) +
47.847s (userspace) =
1min
9.608s
222 multi-user.target reached after
47.820s in userspace
228 <title><command>systemd-analyze blame
</command></title>
230 <para>This command prints a list of all running units, ordered by the time they took to initialize.
231 This information may be used to optimize boot-up times. Note that the output might be misleading as the
232 initialization of one service might be slow simply because it waits for the initialization of another
233 service to complete. Also note:
<command>systemd-analyze blame
</command> doesn't display results for
234 services with
<varname>Type=simple
</varname>, because systemd considers such services to be started
235 immediately, hence no measurement of the initialization delays can be done. Also note that this command
236 only shows the time units took for starting up, it does not show how long unit jobs spent in the
237 execution queue. In particular it shows the time units spent in
<literal>activating
</literal> state,
238 which is not defined for units such as device units that transition directly from
239 <literal>inactive
</literal> to
<literal>active
</literal>. This command hence gives an impression of the
240 performance of program code, but cannot accurately reflect latency introduced by waiting for
241 hardware and similar events.
</para>
244 <title><command>Show which units took the most time during boot
</command></title>
246 <programlisting>$ systemd-analyze blame
247 32.875s pmlogger.service
248 20.905s systemd-networkd-wait-online.service
249 13.299s dev-vda1.device
252 11ms initrd-udevadm-cleanup-db.service
253 3ms sys-kernel-config.mount
259 <title><command>systemd-analyze critical-chain
<optional><replaceable>UNIT
</replaceable>...
</optional></command></title>
261 <para>This command prints a tree of the time-critical chain of units (for each of the specified
262 <replaceable>UNIT
</replaceable>s or for the default target otherwise). The time after the unit is
263 active or started is printed after the
"@" character. The time the unit takes to start is printed after
264 the
"+" character. Note that the output might be misleading as the initialization of services might
265 depend on socket activation and because of the parallel execution of units. Also, similarly to the
266 <command>blame
</command> command, this only takes into account the time units spent in
267 <literal>activating
</literal> state, and hence does not cover units that never went through an
268 <literal>activating
</literal> state (such as device units that transition directly from
269 <literal>inactive
</literal> to
<literal>active
</literal>). Moreover it does not show information on
270 jobs (and in particular not jobs that timed out).
</para>
273 <title><command>systemd-analyze critical-chain
</command></title>
275 <programlisting>$ systemd-analyze critical-chain
276 multi-user.target @
47.820s
277 └─pmie.service @
35.968s +
548ms
278 └─pmcd.service @
33.715s +
2.247s
279 └─network-online.target @
33.712s
280 └─systemd-networkd-wait-online.service @
12.804s +
20.905s
281 └─systemd-networkd.service @
11.109s +
1.690s
282 └─systemd-udevd.service @
9.201s +
1.904s
283 └─systemd-tmpfiles-setup-dev.service @
7.306s +
1.776s
284 └─kmod-static-nodes.service @
6.976s +
177ms
285 └─systemd-journald.socket
293 <title><command>systemd-analyze dump [
<replaceable>pattern
</replaceable>…]
</command></title>
295 <para>Without any parameter, this command outputs a (usually very long) human-readable serialization of
296 the complete service manager state. Optional glob patterns may be specified, causing the output to be
297 limited to units whose names match one of the patterns. The output format is subject to change without
298 notice and should not be parsed by applications. This command is rate limited for unprivileged users.
</para>
301 <title>Show the internal state of user manager
</title>
303 <programlisting>$ systemd-analyze --user dump
304 Timestamp userspace: Thu
2019-
03-
14 23:
28:
07 CET
305 Timestamp finish: Thu
2019-
03-
14 23:
28:
07 CET
306 Timestamp generators-start: Thu
2019-
03-
14 23:
28:
07 CET
307 Timestamp generators-finish: Thu
2019-
03-
14 23:
28:
07 CET
308 Timestamp units-load-start: Thu
2019-
03-
14 23:
28:
07 CET
309 Timestamp units-load-finish: Thu
2019-
03-
14 23:
28:
07 CET
310 -
> Unit proc-timer_list.mount:
311 Description: /proc/timer_list
313 -
> Unit default.target:
314 Description: Main user target
321 <title><command>systemd-analyze malloc [
<replaceable>D-Bus service
</replaceable>…]
</command></title>
323 <para>This command can be used to request the output of the internal memory state (as returned by
324 <citerefentry project='man-pages'
><refentrytitle>malloc_info
</refentrytitle><manvolnum>3</manvolnum></citerefentry>)
325 of a D-Bus service. If no service is specified, the query will be sent to
326 <filename>org.freedesktop.systemd1
</filename> (the system or user service manager). The output format
327 is not guaranteed to be stable and should not be parsed by applications.
</para>
329 <para>The service must implement the
<filename>org.freedesktop.MemoryAllocation1
</filename> interface.
330 In the systemd suite, it is currently only implemented by the manager.
</para>
334 <title><command>systemd-analyze plot
</command></title>
336 <para>This command prints either an SVG graphic, detailing which system services have been started at what
337 time, highlighting the time they spent on initialization, or the raw time data in JSON or table format.
</para>
340 <title><command>Plot a bootchart
</command></title>
342 <programlisting>$ systemd-analyze plot
>bootup.svg
343 $ eog bootup.svg
&
347 <para>Note that this plot is based on the most recent per-unit timing data of loaded units. This means
348 that if a unit gets started, then stopped and then started again the information shown will cover the
349 most recent start cycle, not the first one. Thus it's recommended to consult this information only
350 shortly after boot, so that this distinction doesn't matter. Moreover, units that are not referenced by
351 any other unit through a dependency might be unloaded by the service manager once they terminate (and
352 did not fail). Such units will not show up in the plot.
</para>
356 <title><command>systemd-analyze dot [
<replaceable>pattern
</replaceable>...]
</command></title>
358 <para>This command generates a textual dependency graph description in dot format for further processing
360 <citerefentry project='die-net'
><refentrytitle>dot
</refentrytitle><manvolnum>1</manvolnum></citerefentry>
361 tool. Use a command line like
<command>systemd-analyze dot | dot -Tsvg
>systemd.svg
</command> to
362 generate a graphical dependency tree. Unless
<option>--order
</option> or
<option>--require
</option> is
363 passed, the generated graph will show both ordering and requirement dependencies. Optional pattern
364 globbing style specifications (e.g.
<filename>*.target
</filename>) may be given at the end. A unit
365 dependency is included in the graph if any of these patterns match either the origin or destination
369 <title>Plot all dependencies of any unit whose name starts with
<literal>avahi-daemon
</literal>
372 <programlisting>$ systemd-analyze dot 'avahi-daemon.*' | dot -Tsvg
>avahi.svg
373 $ eog avahi.svg
</programlisting>
377 <title>Plot the dependencies between all known target units
</title>
379 <programlisting>$ systemd-analyze dot --to-pattern='*.target' --from-pattern='*.target' \
380 | dot -Tsvg
>targets.svg
381 $ eog targets.svg
</programlisting>
386 <title><command>systemd-analyze unit-paths
</command></title>
388 <para>This command outputs a list of all directories from which unit files,
<filename>.d
</filename>
389 overrides, and
<filename>.wants
</filename>,
<filename>.requires
</filename> symlinks may be
390 loaded. Combine with
<option>--user
</option> to retrieve the list for the user manager instance, and
391 <option>--global
</option> for the global configuration of user manager instances.
</para>
394 <title><command>Show all paths for generated units
</command></title>
396 <programlisting>$ systemd-analyze unit-paths | grep '^/run'
397 /run/systemd/system.control
398 /run/systemd/transient
399 /run/systemd/generator.early
401 /run/systemd/system.attached
402 /run/systemd/generator
403 /run/systemd/generator.late
407 <para>Note that this verb prints the list that is compiled into
<command>systemd-analyze
</command>
408 itself, and does not communicate with the running manager. Use
409 <programlisting>systemctl [--user] [--global] show -p UnitPath --value
</programlisting>
410 to retrieve the actual list that the manager uses, with any empty directories omitted.
</para>
414 <title><command>systemd-analyze exit-status
<optional><replaceable>STATUS
</replaceable>...
</optional></command></title>
416 <para>This command prints a list of exit statuses along with their
"class", i.e. the source of the
417 definition (one of
<literal>glibc
</literal>,
<literal>systemd
</literal>,
<literal>LSB
</literal>, or
418 <literal>BSD
</literal>), see the Process Exit Codes section in
419 <citerefentry><refentrytitle>systemd.exec
</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
420 If no additional arguments are specified, all known statuses are shown. Otherwise, only the
421 definitions for the specified codes are shown.
</para>
424 <title><command>Show some example exit status names
</command></title>
426 <programlisting>$ systemd-analyze exit-status
0 1 {
63.
.65}
438 <title><command>systemd-analyze capability
<optional><replaceable>CAPABILITY
</replaceable>...
</optional></command></title>
440 <para>This command prints a list of Linux capabilities along with their numeric IDs. See
<citerefentry
441 project='man-pages'
><refentrytitle>capabilities
</refentrytitle><manvolnum>7</manvolnum></citerefentry>
442 for details. If no argument is specified the full list of capabilities known to the service manager and
443 the kernel is shown. Capabilities defined by the kernel but not known to the service manager are shown
444 as
<literal>cap_???
</literal>. Optionally, if arguments are specified they may refer to specific
445 capabilities by name or numeric ID, in which case only the indicated capabilities are shown in the
449 <title><command>Show some example capability names
</command></title>
451 <programlisting>$ systemd-analyze capability
0 1 {
30.
.32}
457 cap_mac_override
32</programlisting>
462 <title><command>systemd-analyze condition
<replaceable>CONDITION
</replaceable>...
</command></title>
464 <para>This command will evaluate
<varname index=
"false">Condition*=...
</varname> and
465 <varname index=
"false">Assert*=...
</varname> assignments, and print their values, and
466 the resulting value of the combined condition set. See
467 <citerefentry><refentrytitle>systemd.unit
</refentrytitle><manvolnum>5</manvolnum></citerefentry>
468 for a list of available conditions and asserts.
</para>
471 <title>Evaluate conditions that check kernel versions
</title>
473 <programlisting>$ systemd-analyze condition 'ConditionKernelVersion = !
<4.0' \
474 'ConditionKernelVersion =
>=
5.1' \
475 'ConditionACPower=|false' \
476 'ConditionArchitecture=|!arm' \
477 'AssertPathExists=/etc/os-release'
478 test.service: AssertPathExists=/etc/os-release succeeded.
480 test.service: ConditionArchitecture=|!arm succeeded.
481 test.service: ConditionACPower=|false failed.
482 test.service: ConditionKernelVersion=
>=
5.1 succeeded.
483 test.service: ConditionKernelVersion=!
<4.0 succeeded.
484 Conditions succeeded.
</programlisting>
489 <title><command>systemd-analyze syscall-filter
<optional><replaceable>SET
</replaceable>...
</optional></command></title>
491 <para>This command will list system calls contained in the specified system call set
492 <replaceable>SET
</replaceable>, or all known sets if no sets are specified. Argument
493 <replaceable>SET
</replaceable> must include the
<literal>@
</literal> prefix.
</para>
497 <title><command>systemd-analyze filesystems
<optional><replaceable>SET
</replaceable>...
</optional></command></title>
499 <para>This command will list filesystems in the specified filesystem set
500 <replaceable>SET
</replaceable>, or all known sets if no sets are specified. Argument
501 <replaceable>SET
</replaceable> must include the
<literal>@
</literal> prefix.
</para>
505 <title><command>systemd-analyze calendar
<replaceable>EXPRESSION
</replaceable>...
</command></title>
507 <para>This command will parse and normalize repetitive calendar time events, and will calculate when
508 they elapse next. This takes the same input as the
<varname>OnCalendar=
</varname> setting in
509 <citerefentry><refentrytitle>systemd.timer
</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
510 following the syntax described in
511 <citerefentry><refentrytitle>systemd.time
</refentrytitle><manvolnum>7</manvolnum></citerefentry>. By
512 default, only the next time the calendar expression will elapse is shown; use
513 <option>--iterations=
</option> to show the specified number of next times the expression
514 elapses. Each time the expression elapses forms a timestamp, see the
<command>timestamp
</command>
518 <title>Show leap days in the near future
</title>
520 <programlisting>$ systemd-analyze calendar --iterations=
5 '*-
2-
29 0:
0:
0'
521 Original form: *-
2-
29 0:
0:
0
522 Normalized form: *-
02-
29 00:
00:
00
523 Next elapse: Sat
2020-
02-
29 00:
00:
00 UTC
524 From now:
11 months
15 days left
525 Iter. #
2: Thu
2024-
02-
29 00:
00:
00 UTC
526 From now:
4 years
11 months left
527 Iter. #
3: Tue
2028-
02-
29 00:
00:
00 UTC
528 From now:
8 years
11 months left
529 Iter. #
4: Sun
2032-
02-
29 00:
00:
00 UTC
530 From now:
12 years
11 months left
531 Iter. #
5: Fri
2036-
02-
29 00:
00:
00 UTC
532 From now:
16 years
11 months left
538 <title><command>systemd-analyze timestamp
<replaceable>TIMESTAMP
</replaceable>...
</command></title>
540 <para>This command parses a timestamp (i.e. a single point in time) and outputs the normalized form and
541 the difference between this timestamp and now. The timestamp should adhere to the syntax documented in
542 <citerefentry><refentrytitle>systemd.time
</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
543 section
"PARSING TIMESTAMPS".
</para>
546 <title>Show parsing of timestamps
</title>
548 <programlisting>$ systemd-analyze timestamp yesterday now tomorrow
549 Original form: yesterday
550 Normalized form: Mon
2019-
05-
20 00:
00:
00 CEST
551 (in UTC): Sun
2019-
05-
19 22:
00:
00 UTC
552 UNIX seconds: @
15583032000
553 From now:
1 day
9h ago
556 Normalized form: Tue
2019-
05-
21 09:
48:
39 CEST
557 (in UTC): Tue
2019-
05-
21 07:
48:
39 UTC
558 UNIX seconds: @
1558424919.659757
561 Original form: tomorrow
562 Normalized form: Wed
2019-
05-
22 00:
00:
00 CEST
563 (in UTC): Tue
2019-
05-
21 22:
00:
00 UTC
564 UNIX seconds: @
15584760000
571 <title><command>systemd-analyze timespan
<replaceable>EXPRESSION
</replaceable>...
</command></title>
573 <para>This command parses a time span (i.e. a difference between two timestamps) and outputs the
574 normalized form and the equivalent value in microseconds. The time span should adhere to the syntax
576 <citerefentry><refentrytitle>systemd.time
</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
577 section
"PARSING TIME SPANS". Values without units are parsed as seconds.
</para>
580 <title>Show parsing of timespans
</title>
582 <programlisting>$ systemd-analyze timespan
1s
300s '
1year
0.000001s'
591 Original:
1year
0.000001s
599 <title><command>systemd-analyze cat-config
</command>
600 <replaceable>NAME
</replaceable>|
<replaceable>PATH
</replaceable>...
</title>
602 <para>This command is similar to
<command>systemctl cat
</command>, but operates on config files. It
603 will copy the contents of a config file and any drop-ins to standard output, using the usual systemd
604 set of directories and rules for precedence. Each argument must be either an absolute path including
605 the prefix (such as
<filename>/etc/systemd/logind.conf
</filename> or
606 <filename>/usr/lib/systemd/logind.conf
</filename>), or a name relative to the prefix (such as
607 <filename>systemd/logind.conf
</filename>).
</para>
610 <title>Showing logind configuration
</title>
611 <programlisting>$ systemd-analyze cat-config systemd/logind.conf
612 # /etc/systemd/logind.conf
618 # /usr/lib/systemd/logind.conf.d/
20-test.conf
619 ... some override from another package
621 # /etc/systemd/logind.conf.d/
50-override.conf
622 ... some administrator override
628 <title><command>systemd-analyze compare-versions
629 <replaceable>VERSION1
</replaceable>
630 <optional><replaceable>OP
</replaceable></optional>
631 <replaceable>VERSION2
</replaceable></command></title>
633 <para>This command has two distinct modes of operation, depending on whether the operator
634 <replaceable>OP
</replaceable> is specified.
</para>
636 <para>In the first mode — when
<replaceable>OP
</replaceable> is not specified — it will compare the two
637 version strings and print either
<literal><replaceable>VERSION1
</replaceable> <
638 <replaceable>VERSION2
</replaceable></literal>, or
<literal><replaceable>VERSION1
</replaceable> ==
639 <replaceable>VERSION2
</replaceable></literal>, or
<literal><replaceable>VERSION1
</replaceable> >
640 <replaceable>VERSION2
</replaceable></literal> as appropriate.
</para>
642 <para>The exit status is
<constant>0</constant> if the versions are equal,
<constant>11</constant> if
643 the version on the right is smaller, and
<constant>12</constant> if the version on the left is
644 smaller. (This matches the convention used by
<command>rpmdev-vercmp
</command>.)
</para>
646 <para>In the second mode — when
<replaceable>OP
</replaceable> is specified — it will compare the two
647 version strings using the operation
<replaceable>OP
</replaceable> and return
<constant>0</constant>
648 (success) if the condition is satisfied, and
<constant>1</constant> (failure)
649 otherwise.
<constant>OP
</constant> may be
<command>lt
</command>,
<command>le
</command>,
650 <command>eq
</command>,
<command>ne
</command>,
<command>ge
</command>,
<command>gt
</command>. In this
651 mode, no output is printed.
652 (This matches the convention used by
653 <citerefentry project='die-net'
><refentrytitle>dpkg
</refentrytitle><manvolnum>1</manvolnum></citerefentry>
654 <option>--compare-versions
</option>.)
</para>
657 <title>Compare versions of a package
</title>
660 $ systemd-analyze compare-versions systemd-
250~rc1.fc36.aarch64 systemd-
251.fc36.aarch64
661 systemd-
250~rc1.fc36.aarch64
< systemd-
251.fc36.aarch64
665 $ systemd-analyze compare-versions
1 lt
2; echo $?
667 $ systemd-analyze compare-versions
1 ge
2; echo $?
674 <title><command>systemd-analyze verify
<replaceable>FILE
</replaceable>...
</command></title>
676 <para>This command will load unit files and print warnings if any errors are detected. Files specified
677 on the command line will be loaded, but also any other units referenced by them. A unit's name on disk
678 can be overridden by specifying an alias after a colon; see below for an example. The full unit search
679 path is formed by combining the directories for all command line arguments, and the usual unit load
680 paths. The variable
<varname>$SYSTEMD_UNIT_PATH
</varname> is supported, and may be used to replace or
681 augment the compiled in set of unit load paths; see
682 <citerefentry><refentrytitle>systemd.unit
</refentrytitle><manvolnum>5</manvolnum></citerefentry>. All
683 unit files present in the directories containing the command line arguments will be used in preference
684 to the other paths.
</para>
686 <para>The following errors are currently detected:
</para>
688 <listitem><para>unknown sections and directives,
</para></listitem>
690 <listitem><para>missing dependencies which are required to start the given unit,
</para></listitem>
692 <listitem><para>man pages listed in
<varname>Documentation=
</varname> which are not found in the
693 system,
</para></listitem>
695 <listitem><para>commands listed in
<varname>ExecStart=
</varname> and similar which are not found in
696 the system or not executable.
</para></listitem>
700 <title>Misspelt directives
</title>
702 <programlisting>$ cat ./user.slice
705 Documentation=man:nosuchfile(
1)
706 Requires=different.service
711 $ systemd-analyze verify ./user.slice
712 [./user.slice:
9] Unknown lvalue 'WhatIsThis' in section 'Unit'
713 [./user.slice:
13] Unknown section 'Service'. Ignoring.
714 Error: org.freedesktop.systemd1.LoadFailed:
715 Unit different.service failed to load:
716 No such file or directory.
717 Failed to create user.slice/start: Invalid argument
718 user.slice: man nosuchfile(
1) command failed with code
16
723 <title>Missing service units
</title>
725 <programlisting>$ tail ./a.socket ./b.socket
726 ==
> ./a.socket
<==
730 ==
> ./b.socket
<==
735 $ systemd-analyze verify ./a.socket ./b.socket
736 Service a.service not loaded, a.socket cannot be started.
737 Service b@
0.service not loaded, b.socket cannot be started.
742 <title>Aliasing a unit
</title>
744 <programlisting>$ cat /tmp/source
746 Description=Hostname printer
750 ExecStart=/usr/bin/echo %H
753 $ systemd-analyze verify /tmp/source
754 Failed to prepare filename /tmp/source: Invalid argument
756 $ systemd-analyze verify /tmp/source:alias.service
757 alias.service:
7: Unknown key name 'MysteryKey' in section 'Service', ignoring.
764 <title><command>systemd-analyze security
<optional><replaceable>UNIT
</replaceable>...
</optional></command></title>
766 <para>This command analyzes the security and sandboxing settings of one or more specified service
767 units. If at least one unit name is specified the security settings of the specified service units are
768 inspected and a detailed analysis is shown. If no unit name is specified, all currently loaded,
769 long-running service units are inspected and a terse table with results is shown. The command checks for
770 various security-related service settings, assigning each a numeric
"exposure level" value, depending
771 on how important a setting is. It then calculates an overall exposure level for the whole unit, which
772 is an estimation in the range 0.0…10.0 indicating how exposed a service is security-wise. High exposure
773 levels indicate very little applied sandboxing. Low exposure levels indicate tight sandboxing and
774 strongest security restrictions. Note that this only analyzes the per-service security features systemd
775 itself implements. This means that any additional security mechanisms applied by the service code
776 itself are not accounted for. The exposure level determined this way should not be misunderstood: a
777 high exposure level neither means that there is no effective sandboxing applied by the service code
778 itself, nor that the service is actually vulnerable to remote or local attacks. High exposure levels do
779 indicate however that most likely the service might benefit from additional settings applied to
782 <para>Please note that many of the security and sandboxing settings individually can be circumvented —
783 unless combined with others. For example, if a service retains the privilege to establish or undo mount
784 points, many of the sandboxing options can be undone by the service code itself. Due to that, it is
785 essential that each service uses the most comprehensive and strict sandboxing and security settings
786 possible. The tool will take into account some of these combinations and relationships between the
787 settings, but not all. Also note that the security and sandboxing settings analyzed here only apply to
788 the operations executed by the service code itself. If a service has access to an IPC system (such as
789 D-Bus) it might request operations from other services that are not subject to the same
790 restrictions. Any comprehensive security and sandboxing analysis is hence incomplete if the IPC access
791 policy is not validated too.
</para>
794 <title>Analyze
<filename index=
"false">systemd-logind.service
</filename></title>
796 <programlisting>$ systemd-analyze security --no-pager systemd-logind.service
797 NAME DESCRIPTION EXPOSURE
798 ✗ PrivateNetwork= Service has access to the host's network
0.5
799 ✗ User=/DynamicUser= Service runs as root user
0.4
800 ✗ DeviceAllow= Service has no device ACL
0.2
801 ✓ IPAddressDeny= Service blocks all IP address ranges
803 → Overall exposure level for systemd-logind.service:
4.1 OK 🙂
809 <title><command>systemd-analyze inspect-elf
<replaceable>FILE
</replaceable>...
</command></title>
811 <para>This command will load the specified files, and if they are ELF objects (executables,
812 libraries, core files, etc.) it will parse the embedded packaging metadata, if any, and print
813 it in table or JSON format. See the
<ulink url=
"https://systemd.io/COREDUMP_PACKAGE_METADATA/">
814 Packaging Metadata
</ulink> documentation for more information.
</para>
817 <title>Print information about a core file as JSON
</title>
819 <programlisting>$ systemd-analyze inspect-elf --json=pretty \
820 core.fsverity
.1000.f77dac5dc161402aa44e15b7dd9dcf97.58561
.1637106137000000
822 "elfType" :
"coredump",
823 "elfArchitecture" :
"AMD x86-64",
824 "/home/bluca/git/fsverity-utils/fsverity" : {
826 "name" :
"fsverity-utils",
828 "buildId" :
"7c895ecd2a271f93e96268f479fdc3c64a2ec4ee"
830 "/home/bluca/git/fsverity-utils/libfsverity.so.0" : {
832 "name" :
"fsverity-utils",
834 "buildId" :
"b5e428254abf14237b0ae70ed85fffbb98a78f88"
842 <title><command>systemd-analyze fdstore
<optional><replaceable>UNIT
</replaceable>...
</optional></command></title>
844 <para>Lists the current contents of the specified service unit's file descriptor store. This shows
845 names, inode types, device numbers, inode numbers, paths and open modes of the open file
846 descriptors. The specified units must have
<varname>FileDescriptorStoreMax=
</varname> enabled, see
847 <citerefentry><refentrytitle>systemd.service
</refentrytitle><manvolnum>5</manvolnum></citerefentry> for
851 <title>Table output
</title>
852 <programlisting>$ systemd-analyze fdstore systemd-journald.service
853 FDNAME TYPE DEVNO INODE RDEVNO PATH FLAGS
854 stored sock
0:
8 4218620 - socket:[
4218620] ro
855 stored sock
0:
8 4213198 - socket:[
4213198] ro
856 stored sock
0:
8 4213190 - socket:[
4213190] ro
860 <para>Note: the
"DEVNO" column refers to the major/minor numbers of the device node backing the file
861 system the file descriptor's inode is on. The
"RDEVNO" column refers to the major/minor numbers of the
862 device node itself if the file descriptor refers to one. Compare with corresponding
863 <varname>.st_dev
</varname> and
<varname>.st_rdev
</varname> fields in
<type>struct stat
</type> (see
865 project='man-pages'
><refentrytitle>stat
</refentrytitle><manvolnum>2</manvolnum></citerefentry> for
866 details). The listed inode numbers in the
"INODE" column are on the file system indicated by
871 <title><command>systemd-analyze image-policy
<optional><replaceable>POLICY
</replaceable>…
</optional></command></title>
873 <para>This command analyzes the specified image policy string, as per
874 <citerefentry><refentrytitle>systemd.image-policy
</refentrytitle><manvolnum>7</manvolnum></citerefentry>. The
875 policy is normalized and simplified. For each currently defined partition identifier (as per the
<ulink
876 url=
"https://uapi-group.org/specifications/specs/discoverable_partitions_specification">Discoverable
877 Partitions Specification
</ulink>) the effect of the image policy string is shown in tabular form.
</para>
880 <title>Example Output
</title>
882 <programlisting>$ systemd-analyze image-policy swap=encrypted:usr=read-only-on+verity:root=encrypted
883 Analyzing policy: root=encrypted:usr=verity+read-only-on:swap=encrypted
884 Long form: root=encrypted:usr=verity+read-only-on:swap=encrypted:=unused+absent
886 PARTITION MODE READ-ONLY GROWFS
894 root-verity ignore - -
895 usr-verity unprotected yes -
896 root-verity-sig ignore - -
897 usr-verity-sig ignore - -
900 default ignore - -
</programlisting>
905 <title><command>systemd-analyze pcrs
<optional><replaceable>PCR
</replaceable>…
</optional></command></title>
907 <para>This command shows the known TPM2 PCRs along with their identifying names and current values.
</para>
910 <title>Example Output
</title>
912 <programlisting>$ systemd-analyze pcrs
914 0 platform-code bcd2eb527108bbb1f5528409bcbe310aa9b74f687854cc5857605993f3d9eb11
915 1 platform-config b60622856eb7ce52637b80f30a520e6e87c347daa679f3335f4f1a600681bb01
916 2 external-code
1471262403e9a62f9c392941300b4807fbdb6f0bfdd50abfab752732087017dd
917 3 external-config
3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969
918 4 boot-loader-code
939f7fa1458e1f7ce968874d908e524fc0debf890383d355e4ce347b7b78a95c
919 5 boot-loader-config
864c61c5ea5ecbdb6951e6cb6d9c1f4b4eac79772f7fe13b8bece569d83d3768
920 6 -
3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969
921 7 secure-boot-policy
9c905bd9b9891bfb889b90a54c4b537b889cfa817c4389cc25754823a9443255
922 8 -
0000000000000000000000000000000000000000000000000000000000000000
923 9 kernel-initrd
9caa29b128113ef42aa53d421f03437be57211e5ebafc0fa8b5d4514ee37ff0c
924 10 ima
5ea9e3dab53eb6b483b6ec9e3b2c712bea66bca1b155637841216e0094387400
925 11 kernel-boot
0000000000000000000000000000000000000000000000000000000000000000
926 12 kernel-config
627ffa4b405e911902fe1f1a8b0164693b31acab04f805f15bccfe2209c7eace
927 13 sysexts
0000000000000000000000000000000000000000000000000000000000000000
928 14 shim-policy
0000000000000000000000000000000000000000000000000000000000000000
929 15 system-identity
0000000000000000000000000000000000000000000000000000000000000000
930 16 debug
0000000000000000000000000000000000000000000000000000000000000000
931 17 - ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
932 18 - ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
933 19 - ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
934 20 - ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
935 21 - ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
936 22 - ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
937 23 application-support
0000000000000000000000000000000000000000000000000000000000000000</programlisting>
942 <title><command>systemd-analyze srk
> <replaceable>FILE
</replaceable></command></title>
944 <para>This command reads the Storage Root Key (SRK) from the TPM2 device, and writes its public area in marshalled
945 TPM2B_PUBLIC format to stdout. Example:
</para>
947 <programlisting>systemd-analyze srk
> srk.tpm2b_public
</programlisting>
951 <title><command>systemd-analyze architectures
<optional><replaceable>NAME
</replaceable>...
</optional></command></title>
953 <para>Lists all known CPU architectures, and which ones are native. The listed architecture names are
954 those
<varname>ConditionArchitecture=
</varname> supports, see
955 <citerefentry><refentrytitle>systemd.unit
</refentrytitle><manvolnum>5</manvolnum></citerefentry> for
956 details. If architecture names are specified only those specified are listed.
</para>
959 <title>Table output
</title>
960 <programlisting>$ systemd-analyze architectures
972 x86-
64 native
</programlisting>
979 <title>Options
</title>
981 <para>The following options are understood:
</para>
985 <term><option>--system
</option></term>
987 <listitem><para>Operates on the system systemd instance. This
988 is the implied default.
</para>
990 <xi:include href=
"version-info.xml" xpointer=
"v209"/></listitem>
994 <term><option>--user
</option></term>
996 <listitem><para>Operates on the user systemd
999 <xi:include href=
"version-info.xml" xpointer=
"v186"/></listitem>
1003 <term><option>--global
</option></term>
1005 <listitem><para>Operates on the system-wide configuration for
1006 user systemd instance.
</para>
1008 <xi:include href=
"version-info.xml" xpointer=
"v238"/></listitem>
1012 <term><option>--order
</option></term>
1013 <term><option>--require
</option></term>
1015 <listitem><para>When used in conjunction with the
1016 <command>dot
</command> command (see above), selects which
1017 dependencies are shown in the dependency graph. If
1018 <option>--order
</option> is passed, only dependencies of type
1019 <varname>After=
</varname> or
<varname>Before=
</varname> are
1020 shown. If
<option>--require
</option> is passed, only
1021 dependencies of type
<varname>Requires=
</varname>,
1022 <varname>Requisite=
</varname>,
1023 <varname>Wants=
</varname> and
<varname>Conflicts=
</varname>
1024 are shown. If neither is passed, this shows dependencies of
1025 all these types.
</para>
1027 <xi:include href=
"version-info.xml" xpointer=
"v198"/></listitem>
1031 <term><option>--from-pattern=
</option></term>
1032 <term><option>--to-pattern=
</option></term>
1034 <listitem><para>When used in conjunction with the
1035 <command>dot
</command> command (see above), this selects which
1036 relationships are shown in the dependency graph. Both options
1038 <citerefentry project='man-pages'
><refentrytitle>glob
</refentrytitle><manvolnum>7</manvolnum></citerefentry>
1039 pattern as an argument, which will be matched against the
1040 left-hand and the right-hand, respectively, nodes of a
1041 relationship.
</para>
1043 <para>Each of these can be used more than once, in which case
1044 the unit name must match one of the values. When tests for
1045 both sides of the relation are present, a relation must pass
1046 both tests to be shown. When patterns are also specified as
1047 positional arguments, they must match at least one side of the
1048 relation. In other words, patterns specified with those two
1049 options will trim the list of edges matched by the positional
1050 arguments, if any are given, and fully determine the list of
1051 edges shown otherwise.
</para>
1053 <xi:include href=
"version-info.xml" xpointer=
"v201"/></listitem>
1057 <term><option>--fuzz=
</option><replaceable>timespan
</replaceable></term>
1059 <listitem><para>When used in conjunction with the
1060 <command>critical-chain
</command> command (see above), also
1061 show units which finished
<replaceable>timespan
</replaceable>
1062 earlier than the latest unit in the same level. The unit of
1063 <replaceable>timespan
</replaceable> is seconds unless
1064 specified with a different unit, e.g.
1067 <xi:include href=
"version-info.xml" xpointer=
"v203"/></listitem>
1071 <term><option>--man=no
</option></term>
1073 <listitem><para>Do not invoke
1074 <citerefentry project='man-pages'
><refentrytitle>man
</refentrytitle><manvolnum>1</manvolnum></citerefentry>
1075 to verify the existence of man pages listed in
<varname>Documentation=
</varname>.
</para>
1077 <xi:include href=
"version-info.xml" xpointer=
"v235"/></listitem>
1081 <term><option>--generators
</option></term>
1083 <listitem><para>Invoke unit generators, see
1084 <citerefentry><refentrytitle>systemd.generator
</refentrytitle><manvolnum>7</manvolnum></citerefentry>.
1085 Some generators require root privileges. Under a normal user, running with
1086 generators enabled will generally result in some warnings.
</para>
1088 <xi:include href=
"version-info.xml" xpointer=
"v235"/></listitem>
1092 <term><option>--recursive-errors=
<replaceable>MODE
</replaceable></option></term>
1094 <listitem><para>Control verification of units and their dependencies and whether
1095 <command>systemd-analyze verify
</command> exits with a non-zero process exit status or not. With
1096 <command>yes
</command>, return a non-zero process exit status when warnings arise during verification
1097 of either the specified unit or any of its associated dependencies. With
<command>no
</command>,
1098 return a non-zero process exit status when warnings arise during verification of only the specified
1099 unit. With
<command>one
</command>, return a non-zero process exit status when warnings arise during
1100 verification of either the specified unit or its immediate dependencies. If this option is not
1101 specified, zero is returned as the exit status regardless whether warnings arise during verification
1104 <xi:include href=
"version-info.xml" xpointer=
"v250"/></listitem>
1108 <term><option>--root=
<replaceable>PATH
</replaceable></option></term>
1110 <listitem><para>With
<command>cat-files
</command> and
<command>verify
</command>,
1111 operate on files underneath the specified root path
<replaceable>PATH
</replaceable>.
</para>
1113 <xi:include href=
"version-info.xml" xpointer=
"v239"/></listitem>
1117 <term><option>--image=
<replaceable>PATH
</replaceable></option></term>
1119 <listitem><para>With
<command>cat-files
</command> and
<command>verify
</command>,
1120 operate on files inside the specified image path
<replaceable>PATH
</replaceable>.
</para>
1122 <xi:include href=
"version-info.xml" xpointer=
"v250"/></listitem>
1125 <xi:include href=
"standard-options.xml" xpointer=
"image-policy-open" />
1128 <term><option>--offline=
<replaceable>BOOL
</replaceable></option></term>
1130 <listitem><para>With
<command>security
</command>, perform an offline security review
1131 of the specified unit files, i.e. it does not have to rely on PID 1 to acquire security
1132 information for the files, as the
<command>security
</command> verb does when used by itself.
1133 This means that
<option>--offline=
</option> can be used with
<option>--root=
</option> and
1134 <option>--image=
</option> as well. If a unit's overall exposure level is above that set by
1135 <option>--threshold=
</option> (default value is
100),
<option>--offline=
</option> will return
1138 <xi:include href=
"version-info.xml" xpointer=
"v250"/></listitem>
1142 <term><option>--profile=
<replaceable>PATH
</replaceable></option></term>
1144 <listitem><para>With
<command>security
</command> <option>--offline=
</option>, takes into
1145 consideration the specified portable profile when assessing unit settings.
1146 The profile can be passed by name, in which case the well-known system locations will
1147 be searched, or it can be the full path to a specific drop-in file.
</para>
1149 <xi:include href=
"version-info.xml" xpointer=
"v250"/></listitem>
1153 <term><option>--threshold=
<replaceable>NUMBER
</replaceable></option></term>
1155 <listitem><para>With
<command>security
</command>, allow the user to set a custom value
1156 to compare the overall exposure level with, for the specified unit files. If a unit's
1157 overall exposure level is greater than that set by the user,
<command>security
</command>
1158 will return an error.
<option>--threshold=
</option> can be used with
<option>--offline=
</option>
1159 as well and its default value is
100.
</para>
1161 <xi:include href=
"version-info.xml" xpointer=
"v250"/></listitem>
1165 <term><option>--security-policy=
<replaceable>PATH
</replaceable></option></term>
1167 <listitem><para>With
<command>security
</command>, allow the user to define a custom set of
1168 requirements formatted as a JSON file against which to compare the specified unit file(s)
1169 and determine their overall exposure level to security threats.
</para>
1172 <title>Accepted Assessment Test Identifiers
</title>
1175 <colspec colname='directive'
/>
1178 <entry>Assessment Test Identifier
</entry>
1183 <entry>UserOrDynamicUser
</entry>
1186 <entry>SupplementaryGroups
</entry>
1189 <entry>PrivateMounts
</entry>
1192 <entry>PrivateDevices
</entry>
1195 <entry>PrivateTmp
</entry>
1198 <entry>PrivateNetwork
</entry>
1201 <entry>PrivateUsers
</entry>
1204 <entry>ProtectControlGroups
</entry>
1207 <entry>ProtectKernelModules
</entry>
1210 <entry>ProtectKernelTunables
</entry>
1213 <entry>ProtectKernelLogs
</entry>
1216 <entry>ProtectClock
</entry>
1219 <entry>ProtectHome
</entry>
1222 <entry>ProtectHostname
</entry>
1225 <entry>ProtectSystem
</entry>
1228 <entry>RootDirectoryOrRootImage
</entry>
1231 <entry>LockPersonality
</entry>
1234 <entry>MemoryDenyWriteExecute
</entry>
1237 <entry>NoNewPrivileges
</entry>
1240 <entry>CapabilityBoundingSet_CAP_SYS_ADMIN
</entry>
1243 <entry>CapabilityBoundingSet_CAP_SET_UID_GID_PCAP
</entry>
1246 <entry>CapabilityBoundingSet_CAP_SYS_PTRACE
</entry>
1249 <entry>CapabilityBoundingSet_CAP_SYS_TIME
</entry>
1252 <entry>CapabilityBoundingSet_CAP_NET_ADMIN
</entry>
1255 <entry>CapabilityBoundingSet_CAP_SYS_RAWIO
</entry>
1258 <entry>CapabilityBoundingSet_CAP_SYS_MODULE
</entry>
1261 <entry>CapabilityBoundingSet_CAP_AUDIT
</entry>
1264 <entry>CapabilityBoundingSet_CAP_SYSLOG
</entry>
1267 <entry>CapabilityBoundingSet_CAP_SYS_NICE_RESOURCE
</entry>
1270 <entry>CapabilityBoundingSet_CAP_MKNOD
</entry>
1273 <entry>CapabilityBoundingSet_CAP_CHOWN_FSETID_SETFCAP
</entry>
1276 <entry>CapabilityBoundingSet_CAP_DAC_FOWNER_IPC_OWNER
</entry>
1279 <entry>CapabilityBoundingSet_CAP_KILL
</entry>
1282 <entry>CapabilityBoundingSet_CAP_NET_BIND_SERVICE_BROADCAST_RAW
</entry>
1285 <entry>CapabilityBoundingSet_CAP_SYS_BOOT
</entry>
1288 <entry>CapabilityBoundingSet_CAP_MAC
</entry>
1291 <entry>CapabilityBoundingSet_CAP_LINUX_IMMUTABLE
</entry>
1294 <entry>CapabilityBoundingSet_CAP_IPC_LOCK
</entry>
1297 <entry>CapabilityBoundingSet_CAP_SYS_CHROOT
</entry>
1300 <entry>CapabilityBoundingSet_CAP_BLOCK_SUSPEND
</entry>
1303 <entry>CapabilityBoundingSet_CAP_WAKE_ALARM
</entry>
1306 <entry>CapabilityBoundingSet_CAP_LEASE
</entry>
1309 <entry>CapabilityBoundingSet_CAP_SYS_TTY_CONFIG
</entry>
1312 <entry>CapabilityBoundingSet_CAP_BPF
</entry>
1315 <entry>UMask
</entry>
1318 <entry>KeyringMode
</entry>
1321 <entry>ProtectProc
</entry>
1324 <entry>ProcSubset
</entry>
1327 <entry>NotifyAccess
</entry>
1330 <entry>RemoveIPC
</entry>
1333 <entry>Delegate
</entry>
1336 <entry>RestrictRealtime
</entry>
1339 <entry>RestrictSUIDSGID
</entry>
1342 <entry>RestrictNamespaces_user
</entry>
1345 <entry>RestrictNamespaces_mnt
</entry>
1348 <entry>RestrictNamespaces_ipc
</entry>
1351 <entry>RestrictNamespaces_pid
</entry>
1354 <entry>RestrictNamespaces_cgroup
</entry>
1357 <entry>RestrictNamespaces_uts
</entry>
1360 <entry>RestrictNamespaces_net
</entry>
1363 <entry>RestrictAddressFamilies_AF_INET_INET6
</entry>
1366 <entry>RestrictAddressFamilies_AF_UNIX
</entry>
1369 <entry>RestrictAddressFamilies_AF_NETLINK
</entry>
1372 <entry>RestrictAddressFamilies_AF_PACKET
</entry>
1375 <entry>RestrictAddressFamilies_OTHER
</entry>
1378 <entry>SystemCallArchitectures
</entry>
1381 <entry>SystemCallFilter_swap
</entry>
1384 <entry>SystemCallFilter_obsolete
</entry>
1387 <entry>SystemCallFilter_clock
</entry>
1390 <entry>SystemCallFilter_cpu_emulation
</entry>
1393 <entry>SystemCallFilter_debug
</entry>
1396 <entry>SystemCallFilter_mount
</entry>
1399 <entry>SystemCallFilter_module
</entry>
1402 <entry>SystemCallFilter_raw_io
</entry>
1405 <entry>SystemCallFilter_reboot
</entry>
1408 <entry>SystemCallFilter_privileged
</entry>
1411 <entry>SystemCallFilter_resources
</entry>
1414 <entry>IPAddressDeny
</entry>
1417 <entry>DeviceAllow
</entry>
1420 <entry>AmbientCapabilities
</entry>
1426 <para>See example
"JSON Policy" below.
</para>
1428 <xi:include href=
"version-info.xml" xpointer=
"v250"/></listitem>
1432 <term><option>--json=
<replaceable>MODE
</replaceable></option></term>
1434 <listitem><para>With the
<command>security
</command> command, generate a JSON formatted
1435 output of the security analysis table. The format is a JSON array with objects
1436 containing the following fields:
<varname>set
</varname> which indicates if the setting has
1437 been enabled or not,
<varname>name
</varname> which is what is used to refer to the setting,
1438 <varname>json_field
</varname> which is the JSON compatible identifier of the setting,
1439 <varname>description
</varname> which is an outline of the setting state, and
1440 <varname>exposure
</varname> which is a number in the range
0.0…
10.0, where a higher value
1441 corresponds to a higher security threat. The JSON version of the table is printed to standard
1442 output. The
<replaceable>MODE
</replaceable> passed to the option can be one of three:
1443 <option>off
</option> which is the default,
<option>pretty
</option> and
<option>short
</option>
1444 which respectively output a prettified or shortened JSON version of the security table.
1446 With the
<command>plot
</command> command, generate a JSON formatted output of the raw time data.
1447 The format is a JSON array with objects containing the following fields:
<varname>name
</varname>
1448 which is the unit name,
<varname>activated
</varname> which is the time after startup the
1449 service was activated,
<varname>activating
</varname> which is how long after startup the service
1450 was initially started,
<varname>time
</varname> which is how long the service took to activate
1451 from when it was initially started,
<varname>deactivated
</varname> which is the time after startup
1452 that the service was deactivated,
<varname>deactivating
</varname> which is the time after startup
1453 that the service was initially told to deactivate.
1456 <xi:include href=
"version-info.xml" xpointer=
"v250"/></listitem>
1460 <term><option>--iterations=
<replaceable>NUMBER
</replaceable></option></term>
1462 <listitem><para>When used with the
<command>calendar
</command> command, show the specified number of
1463 iterations the specified calendar expression will elapse next. Defaults to
1.
</para>
1465 <xi:include href=
"version-info.xml" xpointer=
"v242"/></listitem>
1469 <term><option>--base-time=
<replaceable>TIMESTAMP
</replaceable></option></term>
1471 <listitem><para>When used with the
<command>calendar
</command> command, show next iterations relative
1472 to the specified point in time. If not specified defaults to the current time.
</para>
1474 <xi:include href=
"version-info.xml" xpointer=
"v244"/></listitem>
1478 <term><option>--unit=
<replaceable>UNIT
</replaceable></option></term>
1480 <listitem><para>When used with the
<command>condition
</command> command, evaluate all the
1481 <varname index=
"false">Condition*=...
</varname> and
<varname index=
"false">Assert*=...
</varname>
1482 assignments in the specified unit file. The full unit search path is formed by combining the
1483 directories for the specified unit with the usual unit load paths. The variable
1484 <varname>$SYSTEMD_UNIT_PATH
</varname> is supported, and may be used to replace or augment the
1485 compiled in set of unit load paths; see
1486 <citerefentry><refentrytitle>systemd.unit
</refentrytitle><manvolnum>5</manvolnum></citerefentry>. All
1487 unit files present in the directory containing the specified unit will be used in preference to the
1490 <xi:include href=
"version-info.xml" xpointer=
"v250"/></listitem>
1494 <term><option>--table
</option></term>
1496 <listitem><para>When used with the
<command>plot
</command> command, the raw time data is output in a table.
1499 <xi:include href=
"version-info.xml" xpointer=
"v253"/></listitem>
1503 <term><option>--no-legend
</option></term>
1505 <listitem><para>When used with the
<command>plot
</command> command in combination with either
1506 <option>--table
</option> or
<option>--json=
</option>, no legends or hints are included in the output.
1509 <xi:include href=
"version-info.xml" xpointer=
"v253"/></listitem>
1512 <xi:include href=
"user-system-options.xml" xpointer=
"host" />
1513 <xi:include href=
"user-system-options.xml" xpointer=
"machine" />
1516 <term><option>--quiet
</option></term>
1518 <listitem><para>Suppress hints and other non-essential output.
</para>
1520 <xi:include href=
"version-info.xml" xpointer=
"v250"/></listitem>
1524 <term><option>--tldr
</option></term>
1526 <listitem><para>With
<command>cat-config
</command>, only print the
"interesting" parts of the
1527 configuration files, skipping comments and empty lines and section headers followed only by
1528 comments and empty lines.
</para>
1530 <xi:include href=
"version-info.xml" xpointer=
"v255"/></listitem>
1533 <xi:include href=
"standard-options.xml" xpointer=
"help" />
1534 <xi:include href=
"standard-options.xml" xpointer=
"version" />
1535 <xi:include href=
"standard-options.xml" xpointer=
"no-pager" />
1541 <title>Exit status
</title>
1543 <para>For most commands,
0 is returned on success, and a non-zero failure code otherwise.
</para>
1545 <para>With the verb
<command>compare-versions
</command>, in the two-argument form,
1546 <constant>12</constant>,
<constant>0</constant>,
<constant>11</constant> is returned if the second
1547 version string is respectively larger than, equal to, or smaller than the first. In the three-argument form,
1548 <constant>0</constant> or
<constant>1</constant> is returned if the condition is respectively true or false.
</para>
1551 <xi:include href=
"common-variables.xml" />
1554 <title>Examples
</title>
1557 <title>JSON Policy
</title>
1559 <para>The JSON file passed as a path parameter to
<option>--security-policy=
</option> has a top-level
1560 JSON object, with keys being the assessment test identifiers mentioned above. The values in the file
1561 should be JSON objects with one or more of the following fields:
<option>description_na
</option>
1562 (string),
<option>description_good
</option> (string),
<option>description_bad
</option> (string),
1563 <option>weight
</option> (unsigned integer), and
<option>range
</option> (unsigned integer). If any of
1564 these fields corresponding to a specific id of the unit file is missing from the JSON object, the
1565 built-in default value corresponding to that same id is used for the security analysis.
1566 The weight and range fields are used in determining the overall exposure level of the unit files: the
1567 value of each setting is assigned a badness score, which is multiplied by the policy weight and divided
1568 by the policy range to determine the overall exposure that the setting implies. The computed badness is
1569 summed across all settings in the unit file, normalized to the
1…
100 range, and used to determine the
1570 overall exposure level of the unit. By allowing users to manipulate these fields, the 'security' verb
1571 gives them the option to decide for themselves which ids are more important and hence should have a
1572 greater effect on the exposure level. A weight of
<literal>0</literal> means the setting will not be
1579 "description_good":
"Service has no access to hardware devices",
1580 "description_bad":
"Service potentially has access to hardware devices",
1586 "description_good":
"Service cannot install system mounts",
1587 "description_bad":
"Service may install system mounts",
1593 "description_good":
"Service has no access to the host's network",
1594 "description_bad":
"Service has access to the host's network",
1600 "description_good":
"Service has no access to other software's temporary files",
1601 "description_bad":
"Service has access to other software's temporary files",
1607 "description_good":
"Service does not have access to other users",
1608 "description_bad":
"Service has access to other users",
1618 <title>See Also
</title>
1619 <para><simplelist type=
"inline">
1620 <member><citerefentry><refentrytitle>systemd
</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
1621 <member><citerefentry><refentrytitle>systemctl
</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
1622 </simplelist></para>