From: Zbigniew Jędrzejewski-Szmek Date: Tue, 22 Feb 2022 21:55:42 +0000 (+0100) Subject: man/systemd-analyze: split out example to a separate section X-Git-Tag: v251-rc1~232^2~2 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=e6ce19516315138d983ed4b7776d9ebd2fb296d8;p=thirdparty%2Fsystemd.git man/systemd-analyze: split out example to a separate section It turns out we can't have an Example nested in a list, and every combination of nesting I tried looked bad either in troff or in html. The whole example is moved to a separate section. --- diff --git a/man/systemd-analyze.xml b/man/systemd-analyze.xml index 8bc67a1ea89..7baa1794d7c 100644 --- a/man/systemd-analyze.xml +++ b/man/systemd-analyze.xml @@ -1129,69 +1129,9 @@ $ systemd-analyze verify /tmp/source:alias.service - - JSON Policy - The JSON file passed as a path parameter to - has a top-level JSON object, with keys being the assessment test identifiers mentioned - above. The values in the file should be JSON objects with one or more of the - following fields: description_na (string), description_good (string), description_bad - (string), weight (unsigned integer), and range (unsigned integer). If any of these fields - corresponding to a specific id of the unit file is missing from the JSON object, the - default built-in field value corresponding to that same id is used for security analysis - as default. The weight and range fields are used in determining the overall exposure level - of the unit files: the value of each setting is assigned a badness score, which is multiplied - by the policy weight and divided by the policy range to determine the overall exposure that - the setting implies. The computed badness is summed across all settings in the unit file, - normalized to the 1…100 range, and used to determine the overall exposure level of the unit. - By allowing users to manipulate these fields, the 'security' verb gives them the option to - decide for themself which ids are more important and hence should have a greater effect on - the exposure level. A weight of 0 means the setting will not be - checked. - - - { - "PrivateDevices": - { - "description_good": "Service has no access to hardware devices", - "description_bad": "Service potentially has access to hardware devices", - "weight": 1000, - "range": 1 - }, - "PrivateMounts": - { - "description_good": "Service cannot install system mounts", - "description_bad": "Service may install system mounts", - "weight": 1000, - "range": 1 - }, - "PrivateNetwork": - { - "description_good": "Service has no access to the host's network", - "description_bad": "Service has access to the host's network", - "weight": 2500, - "range": 1 - }, - "PrivateTmp": - { - "description_good": "Service has no access to other software's temporary files", - "description_bad": "Service has access to other software's temporary files", - "weight": 1000, - "range": 1 - }, - "PrivateUsers": - { - "description_good": "Service does not have access to other users", - "description_bad": "Service has access to other users", - "weight": 1000, - "range": 1 - } - } - - - + See example "JSON Policy" below. - @@ -1261,6 +1201,70 @@ $ systemd-analyze verify /tmp/source:alias.service + + Examples + + + JSON Policy + + The JSON file passed as a path parameter to has a top-level + JSON object, with keys being the assessment test identifiers mentioned above. The values in the file + should be JSON objects with one or more of the following fields: + (string), (string), (string), + (unsigned integer), and (unsigned integer). If any of + these fields corresponding to a specific id of the unit file is missing from the JSON object, the + default built-in field value corresponding to that same id is used for security analysis as default. + The weight and range fields are used in determining the overall exposure level of the unit files: the + value of each setting is assigned a badness score, which is multiplied by the policy weight and divided + by the policy range to determine the overall exposure that the setting implies. The computed badness is + summed across all settings in the unit file, normalized to the 1…100 range, and used to determine the + overall exposure level of the unit. By allowing users to manipulate these fields, the 'security' verb + gives them the option to decide for themself which ids are more important and hence should have a + greater effect on the exposure level. A weight of 0 means the setting will not be + checked. + + +{ + "PrivateDevices": + { + "description_good": "Service has no access to hardware devices", + "description_bad": "Service potentially has access to hardware devices", + "weight": 1000, + "range": 1 + }, + "PrivateMounts": + { + "description_good": "Service cannot install system mounts", + "description_bad": "Service may install system mounts", + "weight": 1000, + "range": 1 + }, + "PrivateNetwork": + { + "description_good": "Service has no access to the host's network", + "description_bad": "Service has access to the host's network", + "weight": 2500, + "range": 1 + }, + "PrivateTmp": + { + "description_good": "Service has no access to other software's temporary files", + "description_bad": "Service has access to other software's temporary files", + "weight": 1000, + "range": 1 + }, + "PrivateUsers": + { + "description_good": "Service does not have access to other users", + "description_bad": "Service has access to other users", + "weight": 1000, + "range": 1 + } +} + + + + See Also