1<?xml version='1.0'?> <!--*-nxml-*--> 2<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" 3 "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"> 4<!-- SPDX-License-Identifier: LGPL-2.1-or-later --> 5 6<refentry id="systemd-analyze" conditional='ENABLE_ANALYZE' 7 xmlns:xi="http://www.w3.org/2001/XInclude"> 8 9 <refentryinfo> 10 <title>systemd-analyze</title> 11 <productname>systemd</productname> 12 </refentryinfo> 13 14 <refmeta> 15 <refentrytitle>systemd-analyze</refentrytitle> 16 <manvolnum>1</manvolnum> 17 </refmeta> 18 19 <refnamediv> 20 <refname>systemd-analyze</refname> 21 <refpurpose>Analyze and debug system manager</refpurpose> 22 </refnamediv> 23 24 <refsynopsisdiv> 25 <cmdsynopsis> 26 <command>systemd-analyze</command> 27 <arg choice="opt" rep="repeat">OPTIONS</arg> 28 <arg>time</arg> 29 </cmdsynopsis> 30 <cmdsynopsis> 31 <command>systemd-analyze</command> 32 <arg choice="opt" rep="repeat">OPTIONS</arg> 33 <arg choice="plain">blame</arg> 34 </cmdsynopsis> 35 <cmdsynopsis> 36 <command>systemd-analyze</command> 37 <arg choice="opt" rep="repeat">OPTIONS</arg> 38 <arg choice="plain">critical-chain</arg> 39 <arg choice="opt" rep="repeat"><replaceable>UNIT</replaceable></arg> 40 </cmdsynopsis> 41 42 <cmdsynopsis> 43 <command>systemd-analyze</command> 44 <arg choice="opt" rep="repeat">OPTIONS</arg> 45 <arg choice="plain">dump</arg> 46 </cmdsynopsis> 47 48 <cmdsynopsis> 49 <command>systemd-analyze</command> 50 <arg choice="opt" rep="repeat">OPTIONS</arg> 51 <arg choice="plain">plot</arg> 52 <arg choice="opt">>file.svg</arg> 53 </cmdsynopsis> 54 <cmdsynopsis> 55 <command>systemd-analyze</command> 56 <arg choice="opt" rep="repeat">OPTIONS</arg> 57 <arg choice="plain">dot</arg> 58 <arg choice="opt" rep="repeat"><replaceable>PATTERN</replaceable></arg> 59 <arg choice="opt">>file.dot</arg> 60 </cmdsynopsis> 61 62 <cmdsynopsis> 63 <command>systemd-analyze</command> 64 <arg choice="opt" rep="repeat">OPTIONS</arg> 65 <arg choice="plain">unit-paths</arg> 
66 </cmdsynopsis> 67 <cmdsynopsis> 68 <command>systemd-analyze</command> 69 <arg choice="opt" rep="repeat">OPTIONS</arg> 70 <arg choice="plain">exit-status</arg> 71 <arg choice="opt" rep="repeat"><replaceable>STATUS</replaceable></arg> 72 </cmdsynopsis> 73 <cmdsynopsis> 74 <command>systemd-analyze</command> 75 <arg choice="opt" rep="repeat">OPTIONS</arg> 76 <arg choice="plain">capability</arg> 77 <arg choice="opt" rep="repeat"><replaceable>CAPABILITY</replaceable></arg> 78 </cmdsynopsis> 79 <cmdsynopsis> 80 <command>systemd-analyze</command> 81 <arg choice="opt" rep="repeat">OPTIONS</arg> 82 <arg choice="plain">condition</arg> 83 <arg choice="plain"><replaceable>CONDITION</replaceable>…</arg> 84 </cmdsynopsis> 85 <cmdsynopsis> 86 <command>systemd-analyze</command> 87 <arg choice="opt" rep="repeat">OPTIONS</arg> 88 <arg choice="plain">syscall-filter</arg> 89 <arg choice="opt"><replaceable>SET</replaceable>…</arg> 90 </cmdsynopsis> 91 <cmdsynopsis> 92 <command>systemd-analyze</command> 93 <arg choice="opt" rep="repeat">OPTIONS</arg> 94 <arg choice="plain">filesystems</arg> 95 <arg choice="opt"><replaceable>SET</replaceable>…</arg> 96 </cmdsynopsis> 97 <cmdsynopsis> 98 <command>systemd-analyze</command> 99 <arg choice="opt" rep="repeat">OPTIONS</arg> 100 <arg choice="plain">calendar</arg> 101 <arg choice="plain" rep="repeat"><replaceable>SPEC</replaceable></arg> 102 </cmdsynopsis> 103 <cmdsynopsis> 104 <command>systemd-analyze</command> 105 <arg choice="opt" rep="repeat">OPTIONS</arg> 106 <arg choice="plain">timestamp</arg> 107 <arg choice="plain" rep="repeat"><replaceable>TIMESTAMP</replaceable></arg> 108 </cmdsynopsis> 109 <cmdsynopsis> 110 <command>systemd-analyze</command> 111 <arg choice="opt" rep="repeat">OPTIONS</arg> 112 <arg choice="plain">timespan</arg> 113 <arg choice="plain" rep="repeat"><replaceable>SPAN</replaceable></arg> 114 </cmdsynopsis> 115 <cmdsynopsis> 116 <command>systemd-analyze</command> 117 <arg choice="opt" rep="repeat">OPTIONS</arg> 118 <arg 
choice="plain">cat-config</arg> 119 <arg choice="plain" rep="repeat"><replaceable>NAME</replaceable>|<replaceable>PATH</replaceable></arg> 120 </cmdsynopsis> 121 <cmdsynopsis> 122 <command>systemd-analyze</command> 123 <arg choice="opt" rep="repeat">OPTIONS</arg> 124 <arg choice="plain">verify</arg> 125 <arg choice="opt" rep="repeat"><replaceable>FILE</replaceable></arg> 126 </cmdsynopsis> 127 <cmdsynopsis> 128 <command>systemd-analyze</command> 129 <arg choice="opt" rep="repeat">OPTIONS</arg> 130 <arg choice="plain">security</arg> 131 <arg choice="plain" rep="repeat"><replaceable>UNIT</replaceable></arg> 132 </cmdsynopsis> 133 </refsynopsisdiv> 134 135 <refsect1> 136 <title>Description</title> 137 138 <para><command>systemd-analyze</command> may be used to determine 139 system boot-up performance statistics and retrieve other state and 140 tracing information from the system and service manager, and to 141 verify the correctness of unit files. It is also used to access 142 special functions useful for advanced system manager debugging.</para> 143 144 <para>If no command is passed, <command>systemd-analyze 145 time</command> is implied.</para> 146 147 <refsect2> 148 <title><command>systemd-analyze time</command></title> 149 150 <para>This command prints the time spent in the kernel before userspace has been reached, the time 151 spent in the initial RAM disk (initrd) before normal system userspace has been reached, and the time 152 normal system userspace took to initialize. 
Note that these measurements simply measure the time passed 153 up to the point where all system services have been spawned, but not necessarily until they fully 154 finished initialization or the disk is idle.</para> 155 156 <example> 157 <title><command>Show how long the boot took</command></title> 158 159 <programlisting># in a container 160$ systemd-analyze time 161Startup finished in 296ms (userspace) 162multi-user.target reached after 275ms in userspace 163 164# on a real machine 165$ systemd-analyze time 166Startup finished in 2.584s (kernel) + 19.176s (initrd) + 47.847s (userspace) = 1min 9.608s 167multi-user.target reached after 47.820s in userspace 168</programlisting> 169 </example> 170 </refsect2> 171 172 <refsect2> 173 <title><command>systemd-analyze blame</command></title> 174 175 <para>This command prints a list of all running units, ordered by the time they took to initialize. 176 This information may be used to optimize boot-up times. Note that the output might be misleading as the 177 initialization of one service might be slow simply because it waits for the initialization of another 178 service to complete. Also note: <command>systemd-analyze blame</command> doesn't display results for 179 services with <varname>Type=simple</varname>, because systemd considers such services to be started 180 immediately, hence no measurement of the initialization delays can be done. Also note that this command 181 only shows the time units took for starting up, it does not show how long unit jobs spent in the 182 execution queue. In particular it shows the time units spent in <literal>activating</literal> state, 183 which is not defined for units such as device units that transition directly from 184 <literal>inactive</literal> to <literal>active</literal>. 
This command hence gives an impression of the 185 performance of program code, but cannot accurately reflect latency introduced by waiting for 186 hardware and similar events.</para> 187 188 <example> 189 <title><command>Show which units took the most time during boot</command></title> 190 191 <programlisting>$ systemd-analyze blame 192 32.875s pmlogger.service 193 20.905s systemd-networkd-wait-online.service 194 13.299s dev-vda1.device 195 ... 196 23ms sysroot.mount 197 11ms initrd-udevadm-cleanup-db.service 198 3ms sys-kernel-config.mount 199 </programlisting> 200 </example> 201 </refsect2> 202 203 <refsect2> 204 <title><command>systemd-analyze critical-chain <optional><replaceable>UNIT</replaceable>...</optional></command></title> 205 206 <para>This command prints a tree of the time-critical chain of units (for each of the specified 207 <replaceable>UNIT</replaceable>s or for the default target otherwise). The time after the unit is 208 active or started is printed after the "@" character. The time the unit takes to start is printed after 209 the "+" character. Note that the output might be misleading as the initialization of services might 210 depend on socket activation and because of the parallel execution of units. Also, similar to the 211 <command>blame</command> command, this only takes into account the time units spent in 212 <literal>activating</literal> state, and hence does not cover units that never went through an 213 <literal>activating</literal> state (such as device units that transition directly from 214 <literal>inactive</literal> to <literal>active</literal>). 
Moreover it does not show information on 215 jobs (and in particular not jobs that timed out).</para> 216 217 <example> 218 <title><command>systemd-analyze critical-chain</command></title> 219 220 <programlisting>$ systemd-analyze critical-chain 221multi-user.target @47.820s 222└─pmie.service @35.968s +548ms 223 └─pmcd.service @33.715s +2.247s 224 └─network-online.target @33.712s 225 └─systemd-networkd-wait-online.service @12.804s +20.905s 226 └─systemd-networkd.service @11.109s +1.690s 227 └─systemd-udevd.service @9.201s +1.904s 228 └─systemd-tmpfiles-setup-dev.service @7.306s +1.776s 229 └─kmod-static-nodes.service @6.976s +177ms 230 └─systemd-journald.socket 231 └─system.slice 232 └─-.slice 233</programlisting> 234 </example> 235 </refsect2> 236 237 <refsect2> 238 <title><command>systemd-analyze dump</command></title> 239 240 <para>This command outputs a (usually very long) human-readable serialization of the complete server 241 state. Its format is subject to change without notice and should not be parsed by applications.</para> 242 243 <example> 244 <title>Show the internal state of user manager</title> 245 246 <programlisting>$ systemd-analyze --user dump 247Timestamp userspace: Thu 2019-03-14 23:28:07 CET 248Timestamp finish: Thu 2019-03-14 23:28:07 CET 249Timestamp generators-start: Thu 2019-03-14 23:28:07 CET 250Timestamp generators-finish: Thu 2019-03-14 23:28:07 CET 251Timestamp units-load-start: Thu 2019-03-14 23:28:07 CET 252Timestamp units-load-finish: Thu 2019-03-14 23:28:07 CET 253-> Unit proc-timer_list.mount: 254 Description: /proc/timer_list 255 ... 256-> Unit default.target: 257 Description: Main user target 258... 
259</programlisting> 260 </example> 261 </refsect2> 262 263 <refsect2> 264 <title><command>systemd-analyze plot</command></title> 265 266 <para>This command prints an SVG graphic detailing which system services have been started at what 267 time, highlighting the time they spent on initialization.</para> 268 269 <example> 270 <title><command>Plot a bootchart</command></title> 271 272 <programlisting>$ systemd-analyze plot >bootup.svg 273$ eog bootup.svg& 274</programlisting> 275 </example> 276 </refsect2> 277 278 <refsect2> 279 <title><command>systemd-analyze dot [<replaceable>pattern</replaceable>...]</command></title> 280 281 <para>This command generates textual dependency graph description in dot format for further processing 282 with the GraphViz 283 <citerefentry project='die-net'><refentrytitle>dot</refentrytitle><manvolnum>1</manvolnum></citerefentry> 284 tool. Use a command line like <command>systemd-analyze dot | dot -Tsvg >systemd.svg</command> to 285 generate a graphical dependency tree. Unless <option>--order</option> or <option>--require</option> is 286 passed, the generated graph will show both ordering and requirement dependencies. Optional pattern 287 globbing style specifications (e.g. <filename>*.target</filename>) may be given at the end. 
A unit 288 dependency is included in the graph if any of these patterns match either the origin or destination 289 node.</para> 290 291 <example> 292 <title>Plot all dependencies of any unit whose name starts with <literal>avahi-daemon</literal> 293 </title> 294 295 <programlisting>$ systemd-analyze dot 'avahi-daemon.*' | dot -Tsvg >avahi.svg 296$ eog avahi.svg</programlisting> 297 </example> 298 299 <example> 300 <title>Plot the dependencies between all known target units</title> 301 302 <programlisting>$ systemd-analyze dot --to-pattern='*.target' --from-pattern='*.target' \ 303 | dot -Tsvg >targets.svg 304$ eog targets.svg</programlisting> 305 </example> 306 </refsect2> 307 308 <refsect2> 309 <title><command>systemd-analyze unit-paths</command></title> 310 311 <para>This command outputs a list of all directories from which unit files, <filename>.d</filename> 312 overrides, and <filename>.wants</filename>, <filename>.requires</filename> symlinks may be 313 loaded. Combine with <option>--user</option> to retrieve the list for the user manager instance, and 314 <option>--global</option> for the global configuration of user manager instances.</para> 315 316 <example> 317 <title><command>Show all paths for generated units</command></title> 318 319 <programlisting>$ systemd-analyze unit-paths | grep '^/run' 320/run/systemd/system.control 321/run/systemd/transient 322/run/systemd/generator.early 323/run/systemd/system 324/run/systemd/system.attached 325/run/systemd/generator 326/run/systemd/generator.late 327</programlisting> 328 </example> 329 330 <para>Note that this verb prints the list that is compiled into <command>systemd-analyze</command> 331 itself, and does not communicate with the running manager. 
Use 332 <programlisting>systemctl [--user] [--global] show -p UnitPath --value</programlisting> 333 to retrieve the actual list that the manager uses, with any empty directories omitted.</para> 334 </refsect2> 335 336 <refsect2> 337 <title><command>systemd-analyze exit-status <optional><replaceable>STATUS</replaceable>...</optional></command></title> 338 339 <para>This command prints a list of exit statuses along with their "class", i.e. the source of the 340 definition (one of <literal>glibc</literal>, <literal>systemd</literal>, <literal>LSB</literal>, or 341 <literal>BSD</literal>), see the Process Exit Codes section in 342 <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>. 343 If no additional arguments are specified, all known statuses are shown. Otherwise, only the 344 definitions for the specified codes are shown.</para> 345 346 <example> 347 <title><command>Show some example exit status names</command></title> 348 349 <programlisting>$ systemd-analyze exit-status 0 1 {63..65} 350NAME STATUS CLASS 351SUCCESS 0 glibc 352FAILURE 1 glibc 353- 63 - 354USAGE 64 BSD 355DATAERR 65 BSD 356</programlisting> 357 </example> 358 </refsect2> 359 360 <refsect2> 361 <title><command>systemd-analyze capability <optional><replaceable>CAPABILITY</replaceable>...</optional></command></title> 362 363 <para>This command prints a list of Linux capabilities along with their numeric IDs. See <citerefentry 364 project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry> 365 for details. If no argument is specified the full list of capabilities known to the service manager and 366 the kernel is shown. Capabilities defined by the kernel but not known to the service manager are shown 367 as <literal>cap_???</literal>. 
Optionally, if arguments are specified they may refer to specific 368 capabilities by name or numeric ID, in which case only the indicated capabilities are shown in the 369 table.</para> 370 371 <example> 372 <title><command>Show some example capability names</command></title> 373 374 <programlisting>$ systemd-analyze capability 0 1 {30..32} 375NAME NUMBER 376cap_chown 0 377cap_dac_override 1 378cap_audit_control 30 379cap_setfcap 31 380cap_mac_override 32</programlisting> 381 </example> 382 </refsect2> 383 384 <refsect2> 385 <title><command>systemd-analyze condition <replaceable>CONDITION</replaceable>...</command></title> 386 387 <para>This command will evaluate <varname index="false">Condition*=...</varname> and 388 <varname index="false">Assert*=...</varname> assignments, and print their values, and 389 the resulting value of the combined condition set. See 390 <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry> 391 for a list of available conditions and asserts.</para> 392 393 <example> 394 <title>Evaluate conditions that check kernel versions</title> 395 396 <programlisting>$ systemd-analyze condition 'ConditionKernelVersion = ! <4.0' \ 397 'ConditionKernelVersion = >=5.1' \ 398 'ConditionACPower=|false' \ 399 'ConditionArchitecture=|!arm' \ 400 'AssertPathExists=/etc/os-release' 401test.service: AssertPathExists=/etc/os-release succeeded. 402Asserts succeeded. 403test.service: ConditionArchitecture=|!arm succeeded. 404test.service: ConditionACPower=|false failed. 405test.service: ConditionKernelVersion=>=5.1 succeeded. 406test.service: ConditionKernelVersion=!<4.0 succeeded. 
407Conditions succeeded.</programlisting> 408 </example> 409 </refsect2> 410 411 <refsect2> 412 <title><command>systemd-analyze syscall-filter <optional><replaceable>SET</replaceable>...</optional></command></title> 413 414 <para>This command will list system calls contained in the specified system call set 415 <replaceable>SET</replaceable>, or all known sets if no sets are specified. Argument 416 <replaceable>SET</replaceable> must include the <literal>@</literal> prefix.</para> 417 </refsect2> 418 419 <refsect2> 420 <title><command>systemd-analyze filesystems <optional><replaceable>SET</replaceable>...</optional></command></title> 421 422 <para>This command will list filesystems in the specified filesystem set 423 <replaceable>SET</replaceable>, or all known sets if no sets are specified. Argument 424 <replaceable>SET</replaceable> must include the <literal>@</literal> prefix.</para> 425 </refsect2> 426 427 <refsect2> 428 <title><command>systemd-analyze calendar <replaceable>EXPRESSION</replaceable>...</command></title> 429 430 <para>This command will parse and normalize repetitive calendar time events, and will calculate when 431 they elapse next. This takes the same input as the <varname>OnCalendar=</varname> setting in 432 <citerefentry><refentrytitle>systemd.timer</refentrytitle><manvolnum>5</manvolnum></citerefentry>, 433 following the syntax described in 434 <citerefentry><refentrytitle>systemd.time</refentrytitle><manvolnum>7</manvolnum></citerefentry>. By 435 default, only the next time the calendar expression will elapse is shown; use 436 <option>--iterations=</option> to show the specified number of next times the expression 437 elapses. 
Each time the expression elapses forms a timestamp, see the <command>timestamp</command> 438 verb below.</para> 439 440 <example> 441 <title>Show leap days in the near future</title> 442 443 <programlisting>$ systemd-analyze calendar --iterations=5 '*-2-29 0:0:0' 444 Original form: *-2-29 0:0:0 445Normalized form: *-02-29 00:00:00 446 Next elapse: Sat 2020-02-29 00:00:00 UTC 447 From now: 11 months 15 days left 448 Iter. #2: Thu 2024-02-29 00:00:00 UTC 449 From now: 4 years 11 months left 450 Iter. #3: Tue 2028-02-29 00:00:00 UTC 451 From now: 8 years 11 months left 452 Iter. #4: Sun 2032-02-29 00:00:00 UTC 453 From now: 12 years 11 months left 454 Iter. #5: Fri 2036-02-29 00:00:00 UTC 455 From now: 16 years 11 months left 456</programlisting> 457 </example> 458 </refsect2> 459 460 <refsect2> 461 <title><command>systemd-analyze timestamp <replaceable>TIMESTAMP</replaceable>...</command></title> 462 463 <para>This command parses a timestamp (i.e. a single point in time) and outputs the normalized form and 464 the difference between this timestamp and now. 
The timestamp should adhere to the syntax documented in 465 <citerefentry><refentrytitle>systemd.time</refentrytitle><manvolnum>7</manvolnum></citerefentry>, 466 section "PARSING TIMESTAMPS".</para> 467 468 <example> 469 <title>Show parsing of timestamps</title> 470 471 <programlisting>$ systemd-analyze timestamp yesterday now tomorrow 472 Original form: yesterday 473Normalized form: Mon 2019-05-20 00:00:00 CEST 474 (in UTC): Sun 2019-05-19 22:00:00 UTC 475 UNIX seconds: @15583032000 476 From now: 1 day 9h ago 477 478 Original form: now 479Normalized form: Tue 2019-05-21 09:48:39 CEST 480 (in UTC): Tue 2019-05-21 07:48:39 UTC 481 UNIX seconds: @1558424919.659757 482 From now: 43us ago 483 484 Original form: tomorrow 485Normalized form: Wed 2019-05-22 00:00:00 CEST 486 (in UTC): Tue 2019-05-21 22:00:00 UTC 487 UNIX seconds: @15584760000 488 From now: 14h left 489</programlisting> 490 </example> 491 </refsect2> 492 493 <refsect2> 494 <title><command>systemd-analyze timespan <replaceable>EXPRESSION</replaceable>...</command></title> 495 496 <para>This command parses a time span (i.e. a difference between two timestamps) and outputs the 497 normalized form and the equivalent value in microseconds. The time span should adhere to the syntax 498 documented in 499 <citerefentry><refentrytitle>systemd.time</refentrytitle><manvolnum>7</manvolnum></citerefentry>, 500 section "PARSING TIME SPANS". 
Values without units are parsed as seconds.</para> 501 502 <example> 503 <title>Show parsing of timespans</title> 504 505 <programlisting>$ systemd-analyze timespan 1s 300s '1year 0.000001s' 506Original: 1s 507 μs: 1000000 508 Human: 1s 509 510Original: 300s 511 μs: 300000000 512 Human: 5min 513 514Original: 1year 0.000001s 515 μs: 31557600000001 516 Human: 1y 1us 517</programlisting> 518 </example> 519 </refsect2> 520 521 <refsect2> 522 <title><command>systemd-analyze cat-config</command> 523 <replaceable>NAME</replaceable>|<replaceable>PATH</replaceable>...</title> 524 525 <para>This command is similar to <command>systemctl cat</command>, but operates on config files. It 526 will copy the contents of a config file and any drop-ins to standard output, using the usual systemd 527 set of directories and rules for precedence. Each argument must be either an absolute path including 528 the prefix (such as <filename>/etc/systemd/logind.conf</filename> or 529 <filename>/usr/lib/systemd/logind.conf</filename>), or a name relative to the prefix (such as 530 <filename>systemd/logind.conf</filename>).</para> 531 532 <example> 533 <title>Showing logind configuration</title> 534 <programlisting>$ systemd-analyze cat-config systemd/logind.conf 535# /etc/systemd/logind.conf 536... 537[Login] 538NAutoVTs=8 539... 540 541# /usr/lib/systemd/logind.conf.d/20-test.conf 542... some override from another package 543 544# /etc/systemd/logind.conf.d/50-override.conf 545... some administrator override 546 </programlisting> 547 </example> 548 </refsect2> 549 550 <refsect2> 551 <title><command>systemd-analyze verify <replaceable>FILE</replaceable>...</command></title> 552 553 <para>This command will load unit files and print warnings if any errors are detected. Files specified 554 on the command line will be loaded, but also any other units referenced by them. A unit's name on disk 555 can be overridden by specifying an alias after a colon; see below for an example. 
The full unit search 556 path is formed by combining the directories for all command line arguments, and the usual unit load 557 paths. The variable <varname>$SYSTEMD_UNIT_PATH</varname> is supported, and may be used to replace or 558 augment the compiled-in set of unit load paths; see 559 <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>. All 560 unit files present in the directories containing the command line arguments will be used in preference 561 to the other paths.</para> 562 563 <para>The following errors are currently detected:</para> 564 <itemizedlist> 565 <listitem><para>unknown sections and directives,</para></listitem> 566 567 <listitem><para>missing dependencies which are required to start the given unit,</para></listitem> 568 569 <listitem><para>man pages listed in <varname>Documentation=</varname> which are not found in the 570 system,</para></listitem> 571 572 <listitem><para>commands listed in <varname>ExecStart=</varname> and similar which are not found in 573 the system or not executable.</para></listitem> 574 </itemizedlist> 575 576 <example> 577 <title>Misspelt directives</title> 578 579 <programlisting>$ cat ./user.slice 580[Unit] 581WhatIsThis=11 582Documentation=man:nosuchfile(1) 583Requires=different.service 584 585[Service] 586Description=x 587 588$ systemd-analyze verify ./user.slice 589[./user.slice:9] Unknown lvalue 'WhatIsThis' in section 'Unit' 590[./user.slice:13] Unknown section 'Service'. Ignoring. 591Error: org.freedesktop.systemd1.LoadFailed: 592 Unit different.service failed to load: 593 No such file or directory. 
594Failed to create user.slice/start: Invalid argument 595user.slice: man nosuchfile(1) command failed with code 16 596 </programlisting> 597 </example> 598 599 <example> 600 <title>Missing service units</title> 601 602 <programlisting>$ tail ./a.socket ./b.socket 603==> ./a.socket <== 604[Socket] 605ListenStream=100 606 607==> ./b.socket <== 608[Socket] 609ListenStream=100 610Accept=yes 611 612$ systemd-analyze verify ./a.socket ./b.socket 613Service a.service not loaded, a.socket cannot be started. 614Service b@0.service not loaded, b.socket cannot be started. 615 </programlisting> 616 </example> 617 618 <example> 619 <title>Aliasing a unit</title> 620 621 <programlisting>$ cat /tmp/source 622[Unit] 623Description=Hostname printer 624 625[Service] 626Type=simple 627ExecStart=/usr/bin/echo %H 628MysteryKey=true 629 630$ systemd-analyze verify /tmp/source 631Failed to prepare filename /tmp/source: Invalid argument 632 633$ systemd-analyze verify /tmp/source:alias.service 634/tmp/systemd-analyze-XXXXXX/alias.service:7: Unknown key name 'MysteryKey' in section 'Service', ignoring. 635 </programlisting> 636 </example> 637 638 </refsect2> 639 640 <refsect2> 641 <title><command>systemd-analyze security <optional><replaceable>UNIT</replaceable>...</optional></command></title> 642 643 <para>This command analyzes the security and sandboxing settings of one or more specified service 644 units. If at least one unit name is specified the security settings of the specified service units are 645 inspected and a detailed analysis is shown. If no unit name is specified, all currently loaded, 646 long-running service units are inspected and a terse table with results shown. The command checks for 647 various security-related service settings, assigning each a numeric "exposure level" value, depending 648 on how important a setting is. 
It then calculates an overall exposure level for the whole unit, which 649 is an estimation in the range 0.0…10.0 indicating how exposed a service is security-wise. High exposure 650 levels indicate very little applied sandboxing. Low exposure levels indicate tight sandboxing and 651 strongest security restrictions. Note that this only analyzes the per-service security features systemd 652 itself implements. This means that any additional security mechanisms applied by the service code 653 itself are not accounted for. The exposure level determined this way should not be misunderstood: a 654 high exposure level neither means that there is no effective sandboxing applied by the service code 655 itself, nor that the service is actually vulnerable to remote or local attacks. High exposure levels do 656 indicate, however, that the service would most likely benefit from additional settings applied to 657 it.</para> 658 659 <para>Please note that many of the security and sandboxing settings individually can be circumvented — 660 unless combined with others. For example, if a service retains the privilege to establish or undo mount 661 points, many of the sandboxing options can be undone by the service code itself. Due to that it is 662 essential that each service uses the most comprehensive and strict sandboxing and security settings 663 possible. The tool will take into account some of these combinations and relationships between the 664 settings, but not all. Also note that the security and sandboxing settings analyzed here only apply to 665 the operations executed by the service code itself. If a service has access to an IPC system (such as 666 D-Bus) it might request operations from other services that are not subject to the same 667 restrictions. 
Any comprehensive security and sandboxing analysis is hence incomplete if the IPC access 668 policy is not validated too.</para> 669 670 <example> 671 <title>Analyze <filename index="false">systemd-logind.service</filename></title> 672 673 <programlisting>$ systemd-analyze security --no-pager systemd-logind.service 674 NAME DESCRIPTION EXPOSURE 675✗ PrivateNetwork= Service has access to the host's network 0.5 676✗ User=/DynamicUser= Service runs as root user 0.4 677✗ DeviceAllow= Service has no device ACL 0.2 678✓ IPAddressDeny= Service blocks all IP address ranges 679... 680→ Overall exposure level for systemd-logind.service: 4.1 OK 681</programlisting> 682 </example> 683 </refsect2> 684 685 <refsect2> 686 <title><command>systemd-analyze inspect-elf <replaceable>FILE</replaceable>...</command></title> 687 688 <para>This command will load the specified file(s), and if they are ELF objects (executables, 689 libraries, core files, etc.) it will parse the embedded packaging metadata, if any, and print 690 it in a table or json format. 
See the <ulink url="https://systemd.io/COREDUMP_PACKAGE_METADATA/"> 691 Packaging Metadata</ulink> documentation for more information.</para> 692 693 <example> 694 <title>Table output</title> 695 696 <programlisting>$ systemd-analyze inspect-elf --json=pretty /tmp/core.fsverity.1000.f77dac5dc161402aa44e15b7dd9dcf97.58561.1637106137000000 697{ 698 "elfType" : "coredump", 699 "elfArchitecture" : "AMD x86-64", 700 "/home/bluca/git/fsverity-utils/fsverity" : { 701 "type" : "deb", 702 "name" : "fsverity-utils", 703 "version" : "1.3-1", 704 "buildId" : "7c895ecd2a271f93e96268f479fdc3c64a2ec4ee" 705 }, 706 "/home/bluca/git/fsverity-utils/libfsverity.so.0" : { 707 "type" : "deb", 708 "name" : "fsverity-utils", 709 "version" : "1.3-1", 710 "buildId" : "b5e428254abf14237b0ae70ed85fffbb98a78f88" 711 } 712} 713 </programlisting> 714 </example> 715 716 </refsect2> 717 </refsect1> 718 719 <refsect1> 720 <title>Options</title> 721 722 <para>The following options are understood:</para> 723 724 <variablelist> 725 <varlistentry> 726 <term><option>--system</option></term> 727 728 <listitem><para>Operates on the system systemd instance. This 729 is the implied default.</para></listitem> 730 </varlistentry> 731 732 <varlistentry> 733 <term><option>--user</option></term> 734 735 <listitem><para>Operates on the user systemd 736 instance.</para></listitem> 737 </varlistentry> 738 739 <varlistentry> 740 <term><option>--global</option></term> 741 742 <listitem><para>Operates on the system-wide configuration for 743 user systemd instance.</para></listitem> 744 </varlistentry> 745 746 <varlistentry> 747 <term><option>--order</option></term> 748 <term><option>--require</option></term> 749 750 <listitem><para>When used in conjunction with the 751 <command>dot</command> command (see above), selects which 752 dependencies are shown in the dependency graph. 
If 753 <option>--order</option> is passed, only dependencies of type 754 <varname>After=</varname> or <varname>Before=</varname> are 755 shown. If <option>--require</option> is passed, only 756 dependencies of type <varname>Requires=</varname>, 757 <varname>Requisite=</varname>, 758 <varname>Wants=</varname> and <varname>Conflicts=</varname> 759 are shown. If neither is passed, this shows dependencies of 760 all these types.</para></listitem> 761 </varlistentry> 762 763 <varlistentry> 764 <term><option>--from-pattern=</option></term> 765 <term><option>--to-pattern=</option></term> 766 767 <listitem><para>When used in conjunction with the 768 <command>dot</command> command (see above), this selects which 769 relationships are shown in the dependency graph. Both options 770 require a 771 <citerefentry project='man-pages'><refentrytitle>glob</refentrytitle><manvolnum>7</manvolnum></citerefentry> 772 pattern as an argument, which will be matched against the 773 left-hand and the right-hand, respectively, nodes of a 774 relationship.</para> 775 776 <para>Each of these can be used more than once, in which case 777 the unit name must match one of the values. When tests for 778 both sides of the relation are present, a relation must pass 779 both tests to be shown. When patterns are also specified as 780 positional arguments, they must match at least one side of the 781 relation. In other words, patterns specified with those two 782 options will trim the list of edges matched by the positional 783 arguments, if any are given, and fully determine the list of 784 edges shown otherwise.</para></listitem> 785 </varlistentry> 786 787 <varlistentry> 788 <term><option>--fuzz=</option><replaceable>timespan</replaceable></term> 789 790 <listitem><para>When used in conjunction with the 791 <command>critical-chain</command> command (see above), also 792 show units, which finished <replaceable>timespan</replaceable> 793 earlier, than the latest unit in the same level. 
The unit of 794 <replaceable>timespan</replaceable> is seconds unless 795 specified with a different unit, e.g. 796 "50ms".</para></listitem> 797 </varlistentry> 798 799 <varlistentry> 800 <term><option>--man=no</option></term> 801 802 <listitem><para>Do not invoke 803 <citerefentry project='man-pages'><refentrytitle>man</refentrytitle><manvolnum>1</manvolnum></citerefentry> 804 to verify the existence of man pages listed in <varname>Documentation=</varname>.</para></listitem> 805 </varlistentry> 806 807 <varlistentry> 808 <term><option>--generators</option></term> 809 810 <listitem><para>Invoke unit generators, see 811 <citerefentry><refentrytitle>systemd.generator</refentrytitle><manvolnum>7</manvolnum></citerefentry>. 812 Some generators require root privileges. Under a normal user, running with 813 generators enabled will generally result in some warnings.</para></listitem> 814 </varlistentry> 815 816 <varlistentry> 817 <term><option>--recursive-errors=<replaceable>MODE</replaceable></option></term> 818 819 <listitem><para>Control verification of units and their dependencies and whether 820 <command>systemd-analyze verify</command> exits with a non-zero process exit status or not. With 821 <command>yes</command>, return a non-zero process exit status when warnings arise during verification 822 of either the specified unit or any of its associated dependencies. With <command>no</command>, 823 return a non-zero process exit status when warnings arise during verification of only the specified 824 unit. With <command>one</command>, return a non-zero process exit status when warnings arise during 825 verification of either the specified unit or its immediate dependencies. 
If this option is not 826 specified, zero is returned as the exit status regardless of whether warnings arise during verification 827 or not.</para></listitem> 828 </varlistentry> 829 830 <varlistentry> 831 <term><option>--root=<replaceable>PATH</replaceable></option></term> 832 833 <listitem><para>With <command>cat-files</command> and <command>verify</command>, 834 operate on files underneath the specified root path <replaceable>PATH</replaceable>.</para></listitem> 835 </varlistentry> 836 837 <varlistentry> 838 <term><option>--image=<replaceable>PATH</replaceable></option></term> 839 840 <listitem><para>With <command>cat-files</command> and <command>verify</command>, 841 operate on files inside the specified image path <replaceable>PATH</replaceable>.</para></listitem> 842 </varlistentry> 843 844 <varlistentry> 845 <term><option>--offline=<replaceable>BOOL</replaceable></option></term> 846 847 <listitem><para>With <command>security</command>, perform an offline security review 848 of the specified unit file(s), i.e. without relying on PID 1 to acquire security 849 information for the files, as the <command>security</command> verb does when used by itself. 850 This means that <option>--offline=</option> can be used with <option>--root=</option> and 851 <option>--image=</option> as well. If a unit's overall exposure level is above that set by 852 <option>--threshold=</option> (default value is 100), <option>--offline=</option> will return 853 an error.</para></listitem> 854 </varlistentry> 855 856 <varlistentry> 857 <term><option>--profile=<replaceable>PATH</replaceable></option></term> 858 859 <listitem><para>With <command>security</command> <option>--offline=</option>, takes into 860 consideration the specified portable profile when assessing the settings of the specified unit(s).
861 The profile can be passed by name, in which case the well-known system locations will 862 be searched, or it can be the full path to a specific drop-in file.</para></listitem> 863 </varlistentry> 864 865 <varlistentry> 866 <term><option>--threshold=<replaceable>NUMBER</replaceable></option></term> 867 868 <listitem><para>With <command>security</command>, allow the user to set a custom value 869 against which the overall exposure level of the specified unit file(s) is compared. If a unit's 870 overall exposure level is greater than that set by the user, <command>security</command> 871 will return an error. <option>--threshold=</option> can be used with <option>--offline=</option> 872 as well, and its default value is 100.</para></listitem> 873 </varlistentry> 874 875 <varlistentry> 876 <term><option>--security-policy=<replaceable>PATH</replaceable></option></term> 877 878 <listitem><para>With <command>security</command>, allow the user to define a custom set of 879 requirements formatted as a JSON file against which to compare the specified unit file(s) 880 and determine their overall exposure level to security threats.</para> 881 882 <table> 883 <title>Accepted Assessment Test Identifiers</title> 884 885 <tgroup cols='1'> 886 <colspec colname='directive' /> 887 <thead> 888 <row> 889 <entry>Assessment Test Identifier</entry> 890 </row> 891 </thead> 892 <tbody> 893 <row> 894 <entry>UserOrDynamicUser</entry> 895 </row> 896 <row> 897 <entry>SupplementaryGroups</entry> 898 </row> 899 <row> 900 <entry>PrivateMounts</entry> 901 </row> 902 <row> 903 <entry>PrivateDevices</entry> 904 </row> 905 <row> 906 <entry>PrivateTmp</entry> 907 </row> 908 <row> 909 <entry>PrivateNetwork</entry> 910 </row> 911 <row> 912 <entry>PrivateUsers</entry> 913 </row> 914 <row> 915 <entry>ProtectControlGroups</entry> 916 </row> 917 <row> 918 <entry>ProtectKernelModules</entry> 919 </row> 920 <row> 921 <entry>ProtectKernelTunables</entry> 922 </row> 923 <row> 924 <entry>ProtectKernelLogs</entry> 925
</row> 926 <row> 927 <entry>ProtectClock</entry> 928 </row> 929 <row> 930 <entry>ProtectHome</entry> 931 </row> 932 <row> 933 <entry>ProtectHostname</entry> 934 </row> 935 <row> 936 <entry>ProtectSystem</entry> 937 </row> 938 <row> 939 <entry>RootDirectoryOrRootImage</entry> 940 </row> 941 <row> 942 <entry>LockPersonality</entry> 943 </row> 944 <row> 945 <entry>MemoryDenyWriteExecute</entry> 946 </row> 947 <row> 948 <entry>NoNewPrivileges</entry> 949 </row> 950 <row> 951 <entry>CapabilityBoundingSet_CAP_SYS_ADMIN</entry> 952 </row> 953 <row> 954 <entry>CapabilityBoundingSet_CAP_SET_UID_GID_PCAP</entry> 955 </row> 956 <row> 957 <entry>CapabilityBoundingSet_CAP_SYS_PTRACE</entry> 958 </row> 959 <row> 960 <entry>CapabilityBoundingSet_CAP_SYS_TIME</entry> 961 </row> 962 <row> 963 <entry>CapabilityBoundingSet_CAP_NET_ADMIN</entry> 964 </row> 965 <row> 966 <entry>CapabilityBoundingSet_CAP_SYS_RAWIO</entry> 967 </row> 968 <row> 969 <entry>CapabilityBoundingSet_CAP_SYS_MODULE</entry> 970 </row> 971 <row> 972 <entry>CapabilityBoundingSet_CAP_AUDIT</entry> 973 </row> 974 <row> 975 <entry>CapabilityBoundingSet_CAP_SYSLOG</entry> 976 </row> 977 <row> 978 <entry>CapabilityBoundingSet_CAP_SYS_NICE_RESOURCE</entry> 979 </row> 980 <row> 981 <entry>CapabilityBoundingSet_CAP_MKNOD</entry> 982 </row> 983 <row> 984 <entry>CapabilityBoundingSet_CAP_CHOWN_FSETID_SETFCAP</entry> 985 </row> 986 <row> 987 <entry>CapabilityBoundingSet_CAP_DAC_FOWNER_IPC_OWNER</entry> 988 </row> 989 <row> 990 <entry>CapabilityBoundingSet_CAP_KILL</entry> 991 </row> 992 <row> 993 <entry>CapabilityBoundingSet_CAP_NET_BIND_SERVICE_BROADCAST_RAW</entry> 994 </row> 995 <row> 996 <entry>CapabilityBoundingSet_CAP_SYS_BOOT</entry> 997 </row> 998 <row> 999 <entry>CapabilityBoundingSet_CAP_MAC</entry> 1000 </row> 1001 <row> 1002 <entry>CapabilityBoundingSet_CAP_LINUX_IMMUTABLE</entry> 1003 </row> 1004 <row> 1005 <entry>CapabilityBoundingSet_CAP_IPC_LOCK</entry> 1006 </row> 1007 <row> 1008 
<entry>CapabilityBoundingSet_CAP_SYS_CHROOT</entry> 1009 </row> 1010 <row> 1011 <entry>CapabilityBoundingSet_CAP_BLOCK_SUSPEND</entry> 1012 </row> 1013 <row> 1014 <entry>CapabilityBoundingSet_CAP_WAKE_ALARM</entry> 1015 </row> 1016 <row> 1017 <entry>CapabilityBoundingSet_CAP_LEASE</entry> 1018 </row> 1019 <row> 1020 <entry>CapabilityBoundingSet_CAP_SYS_TTY_CONFIG</entry> 1021 </row> 1022 <row> 1023 <entry>UMask</entry> 1024 </row> 1025 <row> 1026 <entry>KeyringMode</entry> 1027 </row> 1028 <row> 1029 <entry>ProtectProc</entry> 1030 </row> 1031 <row> 1032 <entry>ProcSubset</entry> 1033 </row> 1034 <row> 1035 <entry>NotifyAccess</entry> 1036 </row> 1037 <row> 1038 <entry>RemoveIPC</entry> 1039 </row> 1040 <row> 1041 <entry>Delegate</entry> 1042 </row> 1043 <row> 1044 <entry>RestrictRealtime</entry> 1045 </row> 1046 <row> 1047 <entry>RestrictSUIDSGID</entry> 1048 </row> 1049 <row> 1050 <entry>RestrictNamespaces_user</entry> 1051 </row> 1052 <row> 1053 <entry>RestrictNamespaces_mnt</entry> 1054 </row> 1055 <row> 1056 <entry>RestrictNamespaces_ipc</entry> 1057 </row> 1058 <row> 1059 <entry>RestrictNamespaces_pid</entry> 1060 </row> 1061 <row> 1062 <entry>RestrictNamespaces_cgroup</entry> 1063 </row> 1064 <row> 1065 <entry>RestrictNamespaces_uts</entry> 1066 </row> 1067 <row> 1068 <entry>RestrictNamespaces_net</entry> 1069 </row> 1070 <row> 1071 <entry>RestrictAddressFamilies_AF_INET_INET6</entry> 1072 </row> 1073 <row> 1074 <entry>RestrictAddressFamilies_AF_UNIX</entry> 1075 </row> 1076 <row> 1077 <entry>RestrictAddressFamilies_AF_NETLINK</entry> 1078 </row> 1079 <row> 1080 <entry>RestrictAddressFamilies_AF_PACKET</entry> 1081 </row> 1082 <row> 1083 <entry>RestrictAddressFamilies_OTHER</entry> 1084 </row> 1085 <row> 1086 <entry>SystemCallArchitectures</entry> 1087 </row> 1088 <row> 1089 <entry>SystemCallFilter_swap</entry> 1090 </row> 1091 <row> 1092 <entry>SystemCallFilter_obsolete</entry> 1093 </row> 1094 <row> 1095 <entry>SystemCallFilter_clock</entry> 1096 </row> 
1097 <row> 1098 <entry>SystemCallFilter_cpu_emulation</entry> 1099 </row> 1100 <row> 1101 <entry>SystemCallFilter_debug</entry> 1102 </row> 1103 <row> 1104 <entry>SystemCallFilter_mount</entry> 1105 </row> 1106 <row> 1107 <entry>SystemCallFilter_module</entry> 1108 </row> 1109 <row> 1110 <entry>SystemCallFilter_raw_io</entry> 1111 </row> 1112 <row> 1113 <entry>SystemCallFilter_reboot</entry> 1114 </row> 1115 <row> 1116 <entry>SystemCallFilter_privileged</entry> 1117 </row> 1118 <row> 1119 <entry>SystemCallFilter_resources</entry> 1120 </row> 1121 <row> 1122 <entry>IPAddressDeny</entry> 1123 </row> 1124 <row> 1125 <entry>DeviceAllow</entry> 1126 </row> 1127 <row> 1128 <entry>AmbientCapabilities</entry> 1129 </row> 1130 </tbody> 1131 </tgroup> 1132 </table> 1133 1134 <para>See example "JSON Policy" below.</para></listitem> 1135 </varlistentry> 1136 1137 <varlistentry> 1138 <term><option>--json=<replaceable>MODE</replaceable></option></term> 1139 1140 <listitem><para>With the <command>security</command> command, generate a JSON formatted 1141 output of the security analysis table. The format is a JSON array with objects 1142 containing the following fields: <varname>set</varname> which indicates if the setting has 1143 been enabled or not, <varname>name</varname> which is what is used to refer to the setting, 1144 <varname>json_field</varname> which is the JSON compatible identifier of the setting, 1145 <varname>description</varname> which is an outline of the setting state, and 1146 <varname>exposure</varname> which is a number in the range 0.0…10.0, where a higher value 1147 corresponds to a higher security threat. The JSON version of the table is printed to standard 1148 output. 
The <replaceable>MODE</replaceable> passed to the option can be one of three: 1149 <option>off</option> which is the default, <option>pretty</option> and <option>short</option> 1150 which respectively output a prettified or shortened JSON version of the security table.</para></listitem> 1151 </varlistentry> 1152 1153 <varlistentry> 1154 <term><option>--iterations=<replaceable>NUMBER</replaceable></option></term> 1155 1156 <listitem><para>When used with the <command>calendar</command> command, show the specified number of 1157 upcoming iterations of the specified calendar expression. Defaults to 1.</para></listitem> 1158 </varlistentry> 1159 1160 <varlistentry> 1161 <term><option>--base-time=<replaceable>TIMESTAMP</replaceable></option></term> 1162 1163 <listitem><para>When used with the <command>calendar</command> command, show next iterations relative 1164 to the specified point in time. If not specified, defaults to the current time.</para></listitem> 1165 </varlistentry> 1166 1167 <varlistentry> 1168 <term><option>--unit=<replaceable>UNIT</replaceable></option></term> 1169 1170 <listitem><para>When used with the <command>condition</command> command, evaluate all the 1171 <varname index="false">Condition*=...</varname> and <varname index="false">Assert*=...</varname> 1172 assignments in the specified unit file. The full unit search path is formed by combining the 1173 directories for the specified unit with the usual unit load paths. The variable 1174 <varname>$SYSTEMD_UNIT_PATH</varname> is supported, and may be used to replace or augment the 1175 compiled-in set of unit load paths; see 1176 <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
All 1177 unit files present in the directory containing the specified unit will be used in preference to the 1178 other paths.</para></listitem> 1179 </varlistentry> 1180 1181 <xi:include href="user-system-options.xml" xpointer="host" /> 1182 <xi:include href="user-system-options.xml" xpointer="machine" /> 1183 1184 <varlistentry> 1185 <term><option>--quiet</option></term> 1186 1187 <listitem><para>Suppress hints and other non-essential output.</para></listitem> 1188 </varlistentry> 1189 1190 <xi:include href="standard-options.xml" xpointer="help" /> 1191 <xi:include href="standard-options.xml" xpointer="version" /> 1192 <xi:include href="standard-options.xml" xpointer="no-pager" /> 1193 </variablelist> 1194 1195 </refsect1> 1196 1197 <refsect1> 1198 <title>Exit status</title> 1199 1200 <para>On success, 0 is returned, a non-zero failure code 1201 otherwise.</para> 1202 </refsect1> 1203 1204 <xi:include href="common-variables.xml" /> 1205 1206 <refsect1> 1207 <title>Examples</title> 1208 1209 <example> 1210 <title>JSON Policy</title> 1211 1212 <para>The JSON file passed as a path parameter to <option>--security-policy=</option> has a top-level 1213 JSON object, with keys being the assessment test identifiers mentioned above. The values in the file 1214 should be JSON objects with one or more of the following fields: <option>description_na</option> 1215 (string), <option>description_good</option> (string), <option>description_bad</option> (string), 1216 <option>weight</option> (unsigned integer), and <option>range</option> (unsigned integer). If any of 1217 these fields corresponding to a specific id of the unit file is missing from the JSON object, the 1218 default built-in field value corresponding to that same id is used for the security analysis.
1219 The weight and range fields are used in determining the overall exposure level of the unit files: the 1220 value of each setting is assigned a badness score, which is multiplied by the policy weight and divided 1221 by the policy range to determine the overall exposure that the setting implies. The computed badness is 1222 summed across all settings in the unit file, normalized to the 1…100 range, and used to determine the 1223 overall exposure level of the unit. By allowing users to manipulate these fields, the 'security' verb 1224 gives them the option to decide for themselves which ids are more important and hence should have a 1225 greater effect on the exposure level. A weight of <literal>0</literal> means the setting will not be 1226 checked.</para> 1227 1228 <programlisting> 1229{ 1230 "PrivateDevices": 1231 { 1232 "description_good": "Service has no access to hardware devices", 1233 "description_bad": "Service potentially has access to hardware devices", 1234 "weight": 1000, 1235 "range": 1 1236 }, 1237 "PrivateMounts": 1238 { 1239 "description_good": "Service cannot install system mounts", 1240 "description_bad": "Service may install system mounts", 1241 "weight": 1000, 1242 "range": 1 1243 }, 1244 "PrivateNetwork": 1245 { 1246 "description_good": "Service has no access to the host's network", 1247 "description_bad": "Service has access to the host's network", 1248 "weight": 2500, 1249 "range": 1 1250 }, 1251 "PrivateTmp": 1252 { 1253 "description_good": "Service has no access to other software's temporary files", 1254 "description_bad": "Service has access to other software's temporary files", 1255 "weight": 1000, 1256 "range": 1 1257 }, 1258 "PrivateUsers": 1259 { 1260 "description_good": "Service does not have access to other users", 1261 "description_bad": "Service has access to other users", 1262 "weight": 1000, 1263 "range": 1 1264 } 1265} 1266 </programlisting> 1267 </example> 1268 </refsect1> 1269 1270 <refsect1> 1271 <title>See Also</title>
1272 <para> 1273 <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>, 1274 <citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>1</manvolnum></citerefentry> 1275 </para> 1276 </refsect1> 1277 1278</refentry> 1279