mkosi: Add zsh to Arch packages
index c7f72abc455feec7008cc79b905d6fe84c81d68f..fb2a1caa9e5378cf392ada1895766fdcb3061cb5 100644 (file)
@@ -1,7 +1,7 @@
 <?xml version='1.0'?> <!--*-nxml-*-->
 <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
   "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
-<!-- SPDX-License-Identifier: LGPL-2.1+ -->
+<!-- SPDX-License-Identifier: LGPL-2.1-or-later -->
 
 <refentry id="systemd-analyze" conditional='ENABLE_ANALYZE'
     xmlns:xi="http://www.w3.org/2001/XInclude">
@@ -334,7 +334,7 @@ $ eog targets.svg</programlisting>
       definition (one of <literal>glibc</literal>, <literal>systemd</literal>, <literal>LSB</literal>, or
       <literal>BSD</literal>), see the Process Exit Codes section in
       <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
-      If no additional arguments are specified, all known statuses are are shown. Otherwise, only the
+      If no additional arguments are specified, all known statuses are shown. Otherwise, only the
       definitions for the specified codes are shown.</para>
 
       <example>
@@ -744,13 +744,371 @@ Service b@0.service not loaded, b.socket cannot be started.
         generators enabled will generally result in some warnings.</para></listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><option>--recursive-errors=<replaceable>MODE</replaceable></option></term>
+
+        <listitem><para>Control verification of units and their dependencies and whether
+        <command>systemd-analyze verify</command> exits with a non-zero process exit status or not. With
+        <command>yes</command>, return a non-zero process exit status when warnings arise during verification
+        of either the specified unit or any of its associated dependencies. This is the default. With
+        <command>no</command>, return a non-zero process exit status when warnings arise during verification
+        of only the specified unit. With <command>one</command>, return a non-zero process exit status when
+        warnings arise during verification of either the specified unit or its immediate dependencies. </para></listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><option>--root=<replaceable>PATH</replaceable></option></term>
 
-        <listitem><para>With <command>cat-files</command>, show config files underneath
-        the specified root path <replaceable>PATH</replaceable>.</para></listitem>
+        <listitem><para>With <command>cat-files</command> and <command>verify</command>,
+        operate on files underneath the specified root path <replaceable>PATH</replaceable>.</para></listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><option>--image=<replaceable>PATH</replaceable></option></term>
+
+        <listitem><para>With <command>cat-files</command> and <command>verify</command>,
+        operate on files inside the specified image path <replaceable>PATH</replaceable>.</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><option>--offline=<replaceable>BOOL</replaceable></option></term>
+
+        <listitem><para>With <command>security</command>, perform an offline security review
+        of the specified unit file(s), i.e. does not have to rely on PID 1 to acquire security
+        information for the files like the <command>security</command> verb when used by itself does.
+        This means that <option>--offline=</option> can be used with <option>--root=</option> and
+        <option>--image=</option> as well. If a unit's overall exposure level is above that set by
+        <option>--threshold=</option> (default value is 100), <option>--offline=</option> will return
+        an error.</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><option>--threshold=<replaceable>NUMBER</replaceable></option></term>
+
+        <listitem><para>With <command>security</command>, allow the user to set a custom value
+        to compare the overall exposure level with, for the specified unit file(s). If a unit's
+        overall exposure level, is greater than that set by the user, <command>security</command>
+        will return an error. <option>--threshold=</option> can be used with <option>--offline=</option>
+        as well and its default value is 100.</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><option>--security-policy=<replaceable>PATH</replaceable></option></term>
+
+        <listitem><para>With <command>security</command>, allow the user to define a custom set of
+        requirements formatted as a JSON file against which to compare the specified unit file(s)
+        and determine their overall exposure level to security threats.</para>
+
+        <table>
+          <title>Accepted Assessment Test Identifiers</title>
+
+          <tgroup cols='1'>
+            <colspec colname='directive' />
+            <thead>
+              <row>
+                <entry>Assessment Test Identifier</entry>
+              </row>
+            </thead>
+            <tbody>
+              <row>
+                <entry>UserOrDynamicUser</entry>
+              </row>
+              <row>
+                <entry>SupplementaryGroups</entry>
+              </row>
+              <row>
+                <entry>PrivateMounts</entry>
+              </row>
+              <row>
+                <entry>PrivateDevices</entry>
+              </row>
+              <row>
+                <entry>PrivateTmp</entry>
+              </row>
+              <row>
+                <entry>PrivateNetwork</entry>
+              </row>
+              <row>
+                <entry>PrivateUsers</entry>
+              </row>
+              <row>
+                <entry>ProtectControlGroups</entry>
+              </row>
+              <row>
+                <entry>ProtectKernelModules</entry>
+              </row>
+              <row>
+                <entry>ProtectKernelTunables</entry>
+              </row>
+              <row>
+                <entry>ProtectKernelLogs</entry>
+              </row>
+              <row>
+                <entry>ProtectClock</entry>
+              </row>
+              <row>
+                <entry>ProtectHome</entry>
+              </row>
+              <row>
+                <entry>ProtectHostname</entry>
+              </row>
+              <row>
+                <entry>ProtectSystem</entry>
+              </row>
+              <row>
+                <entry>RootDirectoryOrRootImage</entry>
+              </row>
+              <row>
+                <entry>LockPersonality</entry>
+              </row>
+              <row>
+                <entry>MemoryDenyWriteExecute</entry>
+              </row>
+              <row>
+                <entry>NoNewPrivileges</entry>
+              </row>
+              <row>
+                <entry>CapabilityBoundingSet_CAP_SYS_ADMIN</entry>
+              </row>
+              <row>
+                <entry>CapabilityBoundingSet_CAP_SET_UID_GID_PCAP</entry>
+              </row>
+              <row>
+                <entry>CapabilityBoundingSet_CAP_SYS_PTRACE</entry>
+              </row>
+              <row>
+                <entry>CapabilityBoundingSet_CAP_SYS_TIME</entry>
+              </row>
+              <row>
+                <entry>CapabilityBoundingSet_CAP_NET_ADMIN</entry>
+              </row>
+              <row>
+                <entry>CapabilityBoundingSet_CAP_SYS_RAWIO</entry>
+              </row>
+              <row>
+                <entry>CapabilityBoundingSet_CAP_SYS_MODULE</entry>
+              </row>
+              <row>
+                <entry>CapabilityBoundingSet_CAP_AUDIT</entry>
+              </row>
+              <row>
+                <entry>CapabilityBoundingSet_CAP_SYSLOG</entry>
+              </row>
+              <row>
+                <entry>CapabilityBoundingSet_CAP_SYS_NICE_RESOURCE</entry>
+              </row>
+              <row>
+                <entry>CapabilityBoundingSet_CAP_MKNOD</entry>
+              </row>
+              <row>
+                <entry>CapabilityBoundingSet_CAP_CHOWN_FSETID_SETFCAP</entry>
+              </row>
+              <row>
+                <entry>CapabilityBoundingSet_CAP_DAC_FOWNER_IPC_OWNER</entry>
+              </row>
+              <row>
+                <entry>CapabilityBoundingSet_CAP_KILL</entry>
+              </row>
+              <row>
+                <entry>CapabilityBoundingSet_CAP_NET_BIND_SERVICE_BROADCAST_RAW</entry>
+              </row>
+              <row>
+                <entry>CapabilityBoundingSet_CAP_SYS_BOOT</entry>
+              </row>
+              <row>
+                <entry>CapabilityBoundingSet_CAP_MAC</entry>
+              </row>
+              <row>
+                <entry>CapabilityBoundingSet_CAP_LINUX_IMMUTABLE</entry>
+              </row>
+              <row>
+                <entry>CapabilityBoundingSet_CAP_IPC_LOCK</entry>
+              </row>
+              <row>
+                <entry>CapabilityBoundingSet_CAP_SYS_CHROOT</entry>
+              </row>
+              <row>
+                <entry>CapabilityBoundingSet_CAP_BLOCK_SUSPEND</entry>
+              </row>
+              <row>
+                <entry>CapabilityBoundingSet_CAP_WAKE_ALARM</entry>
+              </row>
+              <row>
+                <entry>CapabilityBoundingSet_CAP_LEASE</entry>
+              </row>
+              <row>
+                <entry>CapabilityBoundingSet_CAP_SYS_TTY_CONFIG</entry>
+              </row>
+              <row>
+                <entry>UMask</entry>
+              </row>
+              <row>
+                <entry>KeyringMode</entry>
+              </row>
+              <row>
+                <entry>ProtectProc</entry>
+              </row>
+              <row>
+                <entry>ProcSubset</entry>
+              </row>
+              <row>
+                <entry>NotifyAccess</entry>
+              </row>
+              <row>
+                <entry>RemoveIPC</entry>
+              </row>
+              <row>
+                <entry>Delegate</entry>
+              </row>
+              <row>
+                <entry>RestrictRealtime</entry>
+              </row>
+              <row>
+                <entry>RestrictSUIDSGID</entry>
+              </row>
+              <row>
+                <entry>RestrictNamespaces_CLONE_NEWUSER</entry>
+              </row>
+              <row>
+                <entry>RestrictNamespaces_CLONE_NEWNS</entry>
+              </row>
+              <row>
+                <entry>RestrictNamespaces_CLONE_NEWIPC</entry>
+              </row>
+              <row>
+                <entry>RestrictNamespaces_CLONE_NEWPID</entry>
+              </row>
+              <row>
+                <entry>RestrictNamespaces_CLONE_NEWCGROUP</entry>
+              </row>
+              <row>
+                <entry>RestrictNamespaces_CLONE_NEWUTS</entry>
+              </row>
+              <row>
+                <entry>RestrictNamespaces_CLONE_NEWNET</entry>
+              </row>
+              <row>
+                <entry>RestrictAddressFamilies_AF_INET_INET6</entry>
+              </row>
+              <row>
+                <entry>RestrictAddressFamilies_AF_UNIX</entry>
+              </row>
+              <row>
+                <entry>RestrictAddressFamilies_AF_NETLINK</entry>
+              </row>
+              <row>
+                <entry>RestrictAddressFamilies_AF_PACKET</entry>
+              </row>
+              <row>
+                <entry>RestrictAddressFamilies_OTHER</entry>
+              </row>
+              <row>
+                <entry>SystemCallArchitectures</entry>
+              </row>
+              <row>
+                <entry>SystemCallFilter_swap</entry>
+              </row>
+              <row>
+                <entry>SystemCallFilter_obsolete</entry>
+              </row>
+              <row>
+                <entry>SystemCallFilter_clock</entry>
+              </row>
+              <row>
+                <entry>SystemCallFilter_cpu_emulation</entry>
+              </row>
+              <row>
+                <entry>SystemCallFilter_debug</entry>
+              </row>
+              <row>
+                <entry>SystemCallFilter_mount</entry>
+              </row>
+              <row>
+                <entry>SystemCallFilter_module</entry>
+              </row>
+              <row>
+                <entry>SystemCallFilter_raw_io</entry>
+              </row>
+              <row>
+                <entry>SystemCallFilter_reboot</entry>
+              </row>
+              <row>
+                <entry>SystemCallFilter_privileged</entry>
+              </row>
+              <row>
+                <entry>SystemCallFilter_resources</entry>
+              </row>
+              <row>
+                <entry>IPAddressDeny</entry>
+              </row>
+              <row>
+                <entry>DeviceAllow</entry>
+              </row>
+              <row>
+                <entry>AmbientCapabilities</entry>
+              </row>
+            </tbody>
+          </tgroup>
+        </table>
+
+          <example>
+          <title>JSON Policy</title>
+          <para>The JSON file passed as a path parameter to <option>--security-policy=</option>
+          has a top-level JSON object, with keys being the assessment test identifiers mentioned
+          above. The values in the file should be JSON objects with one or more of the
+          following fields: description_na (string), description_good (string), description_bad
+          (string), weight (unsigned integer), and range (unsigned integer). If any of these fields
+          corresponding to a specific id of the unit file is missing from the JSON object, the
+          default built-in field value corresponding to that same id is used for security analysis
+          as default. The weight and range fields are used in determining the overall exposure level
+          of the unit files so by allowing users to manipulate these fields, 'security' gives them
+          the option to decide for themself which ids are more important and hence, should have a greater
+          effect on the exposure level. </para>
+
+          <programlisting>
+          {
+            "PrivateDevices":
+              {
+              "description_good": "Service has no access to hardware devices",
+              "description_bad": "Service potentially has access to hardware devices",
+              "weight": 1000,
+              "range": 1
+              },
+            "PrivateMounts":
+              {
+              "description_good": "Service cannot install system mounts",
+              "description_bad": "Service may install system mounts",
+              "weight": 1000,
+              "range": 1
+              },
+            "PrivateNetwork":
+              {
+              "description_good": "Service has no access to the host's network",
+              "description_bad": "Service has access to the host's network",
+              "weight": 2500,
+              "range": 1
+              },
+            "PrivateTmp":
+              {
+              "description_good": "Service has no access to other software's temporary files",
+              "description_bad": "Service has access to other software's temporary files",
+              "weight": 1000,
+              "range": 1
+              },
+            "PrivateUsers":
+              {
+              "description_good": "Service does not have access to other users",
+              "description_bad": "Service has access to other users",
+              "weight": 1000,
+              "range": 1
+              }
+          }
+            </programlisting>
+          </example>
+        </listitem>
+      </varlistentry>
+
+
       <varlistentry>
         <term><option>--iterations=<replaceable>NUMBER</replaceable></option></term>
 
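Review bot: The JSON policy example inside `<programlisting>` (the lines starting at `{` / `"PrivateDevices":`) is indented to match the surrounding DocBook markup, but programlisting preserves whitespace verbatim, so every rendered line of the example will carry that leading indentation; the listing should start at column 0 like the `$ eog targets.svg</programlisting>` listing visible in the earlier hunk header. The `<example>` element placed after `</table>` is also indented one level deeper than its sibling, which reads as a nesting mistake. Separately, the mode values `yes`, `no` and `one` of `--recursive-errors=` are marked up as `<command>`, whereas this page marks literal values with `<literal>` (the `glibc`/`systemd`/`LSB`/`BSD` list in the second hunk); `With <literal>yes</literal>, return a non-zero process exit status ...` would be consistent. Since the policy file's `weight` and `range` fields feed the exposure level that `--threshold=` is compared against, the `--security-policy=` paragraph should also state that the policy file is trusted input: lowering a weight lets a unit pass a threshold check it would otherwise fail, so the file should be read only from a location the operator controls.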
@@ -765,6 +1123,20 @@ Service b@0.service not loaded, b.socket cannot be started.
         to the specified point in time. If not specified defaults to the current time.</para></listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><option>--unit=<replaceable>UNIT</replaceable></option></term>
+
+        <listitem><para>When used with the <command>condition</command> command, evaluate all the
+        <varname index="false">Condition*=...</varname> and <varname index="false">Assert*=...</varname>
+        assignments in the specified unit file. The full unit search path is formed by combining the
+        directories for the specified unit with the usual unit load paths. The variable
+        <varname>$SYSTEMD_UNIT_PATH</varname> is supported, and may be used to replace or augment the
+        compiled in set of unit load paths; see
+        <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>. All
+        units files present in the directory containing the specified unit will be used in preference to the
+        other paths.</para></listitem>
+      </varlistentry>
+
       <xi:include href="user-system-options.xml" xpointer="host" />
       <xi:include href="user-system-options.xml" xpointer="machine" />
 
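Review bot: The new `--unit=` entry has a grammatical slip in its last sentence: `All units files present in the directory containing the specified unit` should read `All unit files present in the directory containing the specified unit`. The rest of the entry, including the `$SYSTEMD_UNIT_PATH` cross-reference to systemd.unit(5), reads correctly.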
@@ -782,7 +1154,7 @@ Service b@0.service not loaded, b.socket cannot be started.
     otherwise.</para>
   </refsect1>
 
-  <xi:include href="less-variables.xml" />
+  <xi:include href="common-variables.xml" />
 
   <refsect1>
     <title>See Also</title>