<?xml version='1.0'?> <!--*-nxml-*-->
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
-<!-- SPDX-License-Identifier: LGPL-2.1+ -->
+<!-- SPDX-License-Identifier: LGPL-2.1-or-later -->
-<refentry id="systemd-analyze"
+<refentry id="systemd-analyze" conditional='ENABLE_ANALYZE'
xmlns:xi="http://www.w3.org/2001/XInclude">
<refentryinfo>
<arg choice="plain">exit-status</arg>
<arg choice="opt" rep="repeat"><replaceable>STATUS</replaceable></arg>
</cmdsynopsis>
+ <cmdsynopsis>
+ <command>systemd-analyze</command>
+ <arg choice="opt" rep="repeat">OPTIONS</arg>
+ <arg choice="plain">capability</arg>
+ <arg choice="opt" rep="repeat"><replaceable>CAPABILITY</replaceable></arg>
+ </cmdsynopsis>
<cmdsynopsis>
<command>systemd-analyze</command>
<arg choice="opt" rep="repeat">OPTIONS</arg>
jobs (and in particular not jobs that timed out).</para>
<example>
- <title><command>systemd-analyze time</command></title>
+ <title><command>systemd-analyze critical-chain</command></title>
<programlisting>$ systemd-analyze critical-chain
multi-user.target @47.820s
definition (one of <literal>glibc</literal>, <literal>systemd</literal>, <literal>LSB</literal>, or
<literal>BSD</literal>), see the Process Exit Codes section in
<citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
- If no additional arguments are specified, all known statuses are are shown. Otherwise, only the
+ If no additional arguments are specified, all known statuses are shown. Otherwise, only the
definitions for the specified codes are shown.</para>
<example>
</example>
</refsect2>
+ <refsect2>
+ <title><command>systemd-analyze capability <optional><replaceable>CAPABILITY</replaceable>...</optional></command></title>
+
+ <para>This command prints a list of Linux capabilities along with their numeric IDs. See <citerefentry
+ project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
+ for details. If no argument is specified the full list of capabilities known to the service manager and
+ the kernel is shown. Capabilities defined by the kernel but not known to the service manager are shown
+ as <literal>cap_???</literal>. Optionally, if arguments are specified they may refer to specific
+ cabilities by name or numeric ID, in which case only the indicated capabilities are shown in the
+ table.</para>
+
+ <example>
+ <title><command>Show some example capability names</command></title>
+
+ <programlisting>$ systemd-analyze capability 0 1 {30..32}
+NAME NUMBER
+cap_chown 0
+cap_dac_override 1
+cap_audit_control 30
+cap_setfcap 31
+cap_mac_override 32</programlisting>
+ </example>
+ </refsect2>
+
<refsect2>
<title><command>systemd-analyze condition <replaceable>CONDITION</replaceable>...</command></title>
<para>This command will load unit files and print warnings if any errors are detected. Files specified
on the command line will be loaded, but also any other units referenced by them. The full unit search
path is formed by combining the directories for all command line arguments, and the usual unit load
- paths (variable <varname>$SYSTEMD_UNIT_PATH</varname> is supported, and may be used to replace or
+ paths. The variable <varname>$SYSTEMD_UNIT_PATH</varname> is supported, and may be used to replace or
augment the compiled in set of unit load paths; see
- <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>). All
+ <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>. All
units files present in the directories containing the command line arguments will be used in preference
to the other paths.</para>
<command>dot</command> command (see above), this selects which
relationships are shown in the dependency graph. Both options
require a
- <citerefentry project='die-net'><refentrytitle>glob</refentrytitle><manvolnum>7</manvolnum></citerefentry>
+ <citerefentry project='man-pages'><refentrytitle>glob</refentrytitle><manvolnum>7</manvolnum></citerefentry>
pattern as an argument, which will be matched against the
left-hand and the right-hand, respectively, nodes of a
relationship.</para>
<varlistentry>
<term><option>--man=no</option></term>
- <listitem><para>Do not invoke man to verify the existence of
- man pages listed in <varname>Documentation=</varname>.
- </para></listitem>
+ <listitem><para>Do not invoke
+ <citerefentry project='man-pages'><refentrytitle>man</refentrytitle><manvolnum>1</manvolnum></citerefentry>
+ to verify the existence of man pages listed in <varname>Documentation=</varname>.</para></listitem>
</varlistentry>
<varlistentry>
generators enabled will generally result in some warnings.</para></listitem>
</varlistentry>
+ <varlistentry>
+ <term><option>--recursive-errors=<replaceable>MODE</replaceable></option></term>
+
+ <listitem><para>Control verification of units and their dependencies and whether
+ <command>systemd-analyze verify</command> exits with a non-zero process exit status or not. With
+ <command>yes</command>, return a non-zero process exit status when warnings arise during verification
+ of either the specified unit or any of its associated dependencies. This is the default. With
+ <command>no</command>, return a non-zero process exit status when warnings arise during verification
+ of only the specified unit. With <command>one</command>, return a non-zero process exit status when
+ warnings arise during verification of either the specified unit or its immediate dependencies. </para></listitem>
+ </varlistentry>
+
<varlistentry>
<term><option>--root=<replaceable>PATH</replaceable></option></term>
- <listitem><para>With <command>cat-files</command>, show config files underneath
- the specified root path <replaceable>PATH</replaceable>.</para></listitem>
+ <listitem><para>With <command>cat-files</command> and <command>verify</command>,
+ operate on files underneath the specified root path <replaceable>PATH</replaceable>.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>--image=<replaceable>PATH</replaceable></option></term>
+
+ <listitem><para>With <command>cat-files</command> and <command>verify</command>,
+ operate on files inside the specified image path <replaceable>PATH</replaceable>.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>--offline=<replaceable>BOOL</replaceable></option></term>
+
+ <listitem><para>With <command>security</command>, perform an offline security review
+ of the specified unit file(s), i.e. does not have to rely on PID 1 to acquire security
+ information for the files like the <command>security</command> verb when used by itself does.
+ This means that <option>--offline=</option> can be used with <option>--root=</option> and
+ <option>--image=</option> as well. If a unit's overall exposure level is above that set by
+ <option>--threshold=</option> (default value is 100), <option>--offline=</option> will return
+ an error.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>--threshold=<replaceable>NUMBER</replaceable></option></term>
+
+ <listitem><para>With <command>security</command>, allow the user to set a custom value
+ to compare the overall exposure level with, for the specified unit file(s). If a unit's
+ overall exposure level, is greater than that set by the user, <command>security</command>
+ will return an error. <option>--threshold=</option> can be used with <option>--offline=</option>
+ as well and its default value is 100.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>--security-policy=<replaceable>PATH</replaceable></option></term>
+
+ <listitem><para>With <command>security</command>, allow the user to define a custom set of
+ requirements formatted as a JSON file against which to compare the specified unit file(s)
+ and determine their overall exposure level to security threats.</para>
+
+ <table>
+ <title>Accepted Assessment Test Identifiers</title>
+
+ <tgroup cols='1'>
+ <colspec colname='directive' />
+ <thead>
+ <row>
+ <entry>Assessment Test Identifier</entry>
+ </row>
+ </thead>
+ <tbody>
+ <row>
+ <entry>UserOrDynamicUser</entry>
+ </row>
+ <row>
+ <entry>SupplementaryGroups</entry>
+ </row>
+ <row>
+ <entry>PrivateMounts</entry>
+ </row>
+ <row>
+ <entry>PrivateDevices</entry>
+ </row>
+ <row>
+ <entry>PrivateTmp</entry>
+ </row>
+ <row>
+ <entry>PrivateNetwork</entry>
+ </row>
+ <row>
+ <entry>PrivateUsers</entry>
+ </row>
+ <row>
+ <entry>ProtectControlGroups</entry>
+ </row>
+ <row>
+ <entry>ProtectKernelModules</entry>
+ </row>
+ <row>
+ <entry>ProtectKernelTunables</entry>
+ </row>
+ <row>
+ <entry>ProtectKernelLogs</entry>
+ </row>
+ <row>
+ <entry>ProtectClock</entry>
+ </row>
+ <row>
+ <entry>ProtectHome</entry>
+ </row>
+ <row>
+ <entry>ProtectHostname</entry>
+ </row>
+ <row>
+ <entry>ProtectSystem</entry>
+ </row>
+ <row>
+ <entry>RootDirectoryOrRootImage</entry>
+ </row>
+ <row>
+ <entry>LockPersonality</entry>
+ </row>
+ <row>
+ <entry>MemoryDenyWriteExecute</entry>
+ </row>
+ <row>
+ <entry>NoNewPrivileges</entry>
+ </row>
+ <row>
+ <entry>CapabilityBoundingSet_CAP_SYS_ADMIN</entry>
+ </row>
+ <row>
+ <entry>CapabilityBoundingSet_CAP_SET_UID_GID_PCAP</entry>
+ </row>
+ <row>
+ <entry>CapabilityBoundingSet_CAP_SYS_PTRACE</entry>
+ </row>
+ <row>
+ <entry>CapabilityBoundingSet_CAP_SYS_TIME</entry>
+ </row>
+ <row>
+ <entry>CapabilityBoundingSet_CAP_NET_ADMIN</entry>
+ </row>
+ <row>
+ <entry>CapabilityBoundingSet_CAP_SYS_RAWIO</entry>
+ </row>
+ <row>
+ <entry>CapabilityBoundingSet_CAP_SYS_MODULE</entry>
+ </row>
+ <row>
+ <entry>CapabilityBoundingSet_CAP_AUDIT</entry>
+ </row>
+ <row>
+ <entry>CapabilityBoundingSet_CAP_SYSLOG</entry>
+ </row>
+ <row>
+ <entry>CapabilityBoundingSet_CAP_SYS_NICE_RESOURCE</entry>
+ </row>
+ <row>
+ <entry>CapabilityBoundingSet_CAP_MKNOD</entry>
+ </row>
+ <row>
+ <entry>CapabilityBoundingSet_CAP_CHOWN_FSETID_SETFCAP</entry>
+ </row>
+ <row>
+ <entry>CapabilityBoundingSet_CAP_DAC_FOWNER_IPC_OWNER</entry>
+ </row>
+ <row>
+ <entry>CapabilityBoundingSet_CAP_KILL</entry>
+ </row>
+ <row>
+ <entry>CapabilityBoundingSet_CAP_NET_BIND_SERVICE_BROADCAST_RAW</entry>
+ </row>
+ <row>
+ <entry>CapabilityBoundingSet_CAP_SYS_BOOT</entry>
+ </row>
+ <row>
+ <entry>CapabilityBoundingSet_CAP_MAC</entry>
+ </row>
+ <row>
+ <entry>CapabilityBoundingSet_CAP_LINUX_IMMUTABLE</entry>
+ </row>
+ <row>
+ <entry>CapabilityBoundingSet_CAP_IPC_LOCK</entry>
+ </row>
+ <row>
+ <entry>CapabilityBoundingSet_CAP_SYS_CHROOT</entry>
+ </row>
+ <row>
+ <entry>CapabilityBoundingSet_CAP_BLOCK_SUSPEND</entry>
+ </row>
+ <row>
+ <entry>CapabilityBoundingSet_CAP_WAKE_ALARM</entry>
+ </row>
+ <row>
+ <entry>CapabilityBoundingSet_CAP_LEASE</entry>
+ </row>
+ <row>
+ <entry>CapabilityBoundingSet_CAP_SYS_TTY_CONFIG</entry>
+ </row>
+ <row>
+ <entry>UMask</entry>
+ </row>
+ <row>
+ <entry>KeyringMode</entry>
+ </row>
+ <row>
+ <entry>ProtectProc</entry>
+ </row>
+ <row>
+ <entry>ProcSubset</entry>
+ </row>
+ <row>
+ <entry>NotifyAccess</entry>
+ </row>
+ <row>
+ <entry>RemoveIPC</entry>
+ </row>
+ <row>
+ <entry>Delegate</entry>
+ </row>
+ <row>
+ <entry>RestrictRealtime</entry>
+ </row>
+ <row>
+ <entry>RestrictSUIDSGID</entry>
+ </row>
+ <row>
+ <entry>RestrictNamespaces_CLONE_NEWUSER</entry>
+ </row>
+ <row>
+ <entry>RestrictNamespaces_CLONE_NEWNS</entry>
+ </row>
+ <row>
+ <entry>RestrictNamespaces_CLONE_NEWIPC</entry>
+ </row>
+ <row>
+ <entry>RestrictNamespaces_CLONE_NEWPID</entry>
+ </row>
+ <row>
+ <entry>RestrictNamespaces_CLONE_NEWCGROUP</entry>
+ </row>
+ <row>
+ <entry>RestrictNamespaces_CLONE_NEWUTS</entry>
+ </row>
+ <row>
+ <entry>RestrictNamespaces_CLONE_NEWNET</entry>
+ </row>
+ <row>
+ <entry>RestrictAddressFamilies_AF_INET_INET6</entry>
+ </row>
+ <row>
+ <entry>RestrictAddressFamilies_AF_UNIX</entry>
+ </row>
+ <row>
+ <entry>RestrictAddressFamilies_AF_NETLINK</entry>
+ </row>
+ <row>
+ <entry>RestrictAddressFamilies_AF_PACKET</entry>
+ </row>
+ <row>
+ <entry>RestrictAddressFamilies_OTHER</entry>
+ </row>
+ <row>
+ <entry>SystemCallArchitectures</entry>
+ </row>
+ <row>
+ <entry>SystemCallFilter_swap</entry>
+ </row>
+ <row>
+ <entry>SystemCallFilter_obsolete</entry>
+ </row>
+ <row>
+ <entry>SystemCallFilter_clock</entry>
+ </row>
+ <row>
+ <entry>SystemCallFilter_cpu_emulation</entry>
+ </row>
+ <row>
+ <entry>SystemCallFilter_debug</entry>
+ </row>
+ <row>
+ <entry>SystemCallFilter_mount</entry>
+ </row>
+ <row>
+ <entry>SystemCallFilter_module</entry>
+ </row>
+ <row>
+ <entry>SystemCallFilter_raw_io</entry>
+ </row>
+ <row>
+ <entry>SystemCallFilter_reboot</entry>
+ </row>
+ <row>
+ <entry>SystemCallFilter_privileged</entry>
+ </row>
+ <row>
+ <entry>SystemCallFilter_resources</entry>
+ </row>
+ <row>
+ <entry>IPAddressDeny</entry>
+ </row>
+ <row>
+ <entry>DeviceAllow</entry>
+ </row>
+ <row>
+ <entry>AmbientCapabilities</entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </table>
+
+ <example>
+ <title>JSON Policy</title>
+ <para>The JSON file passed as a path parameter to <option>--security-policy=</option>
+ has a top-level JSON object, with keys being the assessment test identifiers mentioned
+ above. The values in the file should be JSON objects with one or more of the
+ following fields: description_na (string), description_good (string), description_bad
+ (string), weight (unsigned integer), and range (unsigned integer). If any of these fields
+ corresponding to a specific id of the unit file is missing from the JSON object, the
+ default built-in field value corresponding to that same id is used for security analysis
+ as default. The weight and range fields are used in determining the overall exposure level
+ of the unit files so by allowing users to manipulate these fields, 'security' gives them
+ the option to decide for themself which ids are more important and hence, should have a greater
+ effect on the exposure level. </para>
+
+ <programlisting>
+ {
+ "PrivateDevices":
+ {
+ "description_good": "Service has no access to hardware devices",
+ "description_bad": "Service potentially has access to hardware devices",
+ "weight": 1000,
+ "range": 1
+ },
+ "PrivateMounts":
+ {
+ "description_good": "Service cannot install system mounts",
+ "description_bad": "Service may install system mounts",
+ "weight": 1000,
+ "range": 1
+ },
+ "PrivateNetwork":
+ {
+ "description_good": "Service has no access to the host's network",
+ "description_bad": "Service has access to the host's network",
+ "weight": 2500,
+ "range": 1
+ },
+ "PrivateTmp":
+ {
+ "description_good": "Service has no access to other software's temporary files",
+ "description_bad": "Service has access to other software's temporary files",
+ "weight": 1000,
+ "range": 1
+ },
+ "PrivateUsers":
+ {
+ "description_good": "Service does not have access to other users",
+ "description_bad": "Service has access to other users",
+ "weight": 1000,
+ "range": 1
+ }
+ }
+ </programlisting>
+ </example>
+ </listitem>
</varlistentry>
+
<varlistentry>
<term><option>--iterations=<replaceable>NUMBER</replaceable></option></term>
to the specified point in time. If not specified defaults to the current time.</para></listitem>
</varlistentry>
+ <varlistentry>
+ <term><option>--unit=<replaceable>UNIT</replaceable></option></term>
+
+ <listitem><para>When used with the <command>condition</command> command, evaluate all the
+ <varname index="false">Condition*=...</varname> and <varname index="false">Assert*=...</varname>
+ assignments in the specified unit file. The full unit search path is formed by combining the
+ directories for the specified unit with the usual unit load paths. The variable
+ <varname>$SYSTEMD_UNIT_PATH</varname> is supported, and may be used to replace or augment the
+ compiled in set of unit load paths; see
+ <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>. All
+ units files present in the directory containing the specified unit will be used in preference to the
+ other paths.</para></listitem>
+ </varlistentry>
+
<xi:include href="user-system-options.xml" xpointer="host" />
<xi:include href="user-system-options.xml" xpointer="machine" />
otherwise.</para>
</refsect1>
- <xi:include href="less-variables.xml" />
+ <xi:include href="common-variables.xml" />
<refsect1>
<title>See Also</title>
projects / thirdparty / systemd.git / blobdiff