Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- [root@mk-a07n02 ~]# systemd-analyze security pacemaker
- NAME DESCRIPTION EXPOSURE
- ✗ PrivateNetwork= Service has access to the host's network 0.5
- ✗ User=/DynamicUser= Service runs as root user 0.4
- ✗ CapabilityBoundingSet=~CAP_SET(UID|GID|PCAP) Service may change UID/GID identities/capabilities 0.3
- ✗ CapabilityBoundingSet=~CAP_SYS_ADMIN Service has administrator privileges 0.3
- ✗ CapabilityBoundingSet=~CAP_SYS_PTRACE Service has ptrace() debugging abilities 0.3
- ✗ RestrictAddressFamilies=~AF_(INET|INET6) Service may allocate Internet sockets 0.3
- ✗ RestrictNamespaces=~CLONE_NEWUSER Service may create user namespaces 0.3
- ✗ RestrictAddressFamilies=~… Service may allocate exotic sockets 0.3
- ✗ CapabilityBoundingSet=~CAP_(CHOWN|FSETID|SETFCAP) Service may change file ownership/access mode/capabilities unrestricted 0.2
- ✗ CapabilityBoundingSet=~CAP_(DAC_*|FOWNER|IPC_OWNER) Service may override UNIX file/IPC permission checks 0.2
- ✗ CapabilityBoundingSet=~CAP_NET_ADMIN Service has network configuration privileges 0.2
- ✗ CapabilityBoundingSet=~CAP_RAWIO Service has raw I/O access 0.2
- ✗ CapabilityBoundingSet=~CAP_SYS_MODULE Service may load kernel modules 0.2
- ✗ CapabilityBoundingSet=~CAP_SYS_TIME Service processes may change the system clock 0.2
- ✗ DeviceAllow= Service has no device ACL 0.2
- ✗ IPAddressDeny= Service does not define an IP address whitelist 0.2
- ✓ KeyringMode= Service doesn't share key material with other services
- ✗ NoNewPrivileges= Service processes may acquire new privileges 0.2
- ✓ NotifyAccess= Service child processes cannot alter service state
- ✗ PrivateDevices= Service potentially has access to hardware devices 0.2
- ✗ PrivateMounts= Service may install system mounts 0.2
- ✗ PrivateTmp= Service has access to other software's temporary files 0.2
- ✗ PrivateUsers= Service has access to other users 0.2
- ✗ ProtectControlGroups= Service may modify to the control group file system 0.2
- ✗ ProtectHome= Service has full access to home directories 0.2
- ✗ ProtectKernelModules= Service may load or read kernel modules 0.2
- ✗ ProtectKernelTunables= Service may alter kernel tunables 0.2
- ✗ ProtectSystem= Service has full access the OS file hierarchy 0.2
- ✗ RestrictAddressFamilies=~AF_PACKET Service may allocate packet sockets 0.2
- ✗ RestrictSUIDSGID= Service may create SUID/SGID files 0.2
- ✗ SystemCallArchitectures= Service may execute system calls with all ABIs 0.2
- ✗ SystemCallFilter=~@clock Service does not filter system calls 0.2
- ✗ SystemCallFilter=~@debug Service does not filter system calls 0.2
- ✗ SystemCallFilter=~@module Service does not filter system calls 0.2
- ✗ SystemCallFilter=~@mount Service does not filter system calls 0.2
- ✗ SystemCallFilter=~@raw-io Service does not filter system calls 0.2
- ✗ SystemCallFilter=~@reboot Service does not filter system calls 0.2
- ✗ SystemCallFilter=~@swap Service does not filter system calls 0.2
- ✗ SystemCallFilter=~@privileged Service does not filter system calls 0.2
- ✗ SystemCallFilter=~@resources Service does not filter system calls 0.2
- ✓ AmbientCapabilities= Service process does not receive ambient capabilities
- ✗ CapabilityBoundingSet=~CAP_AUDIT_* Service has audit subsystem access 0.1
- ✗ CapabilityBoundingSet=~CAP_KILL Service may send UNIX signals to arbitrary processes 0.1
- ✗ CapabilityBoundingSet=~CAP_MKNOD Service may create device nodes 0.1
- ✗ CapabilityBoundingSet=~CAP_NET_(BIND_SERVICE|BROADCAST|RAW) Service has elevated networking privileges 0.1
- ✗ CapabilityBoundingSet=~CAP_SYSLOG Service has access to kernel logging 0.1
- ✗ CapabilityBoundingSet=~CAP_SYS_(NICE|RESOURCE) Service has privileges to change resource use parameters 0.1
- ✗ RestrictNamespaces=~CLONE_NEWCGROUP Service may create cgroup namespaces 0.1
- ✗ RestrictNamespaces=~CLONE_NEWIPC Service may create IPC namespaces 0.1
- ✗ RestrictNamespaces=~CLONE_NEWNET Service may create network namespaces 0.1
- ✗ RestrictNamespaces=~CLONE_NEWNS Service may create file system namespaces 0.1
- ✗ RestrictNamespaces=~CLONE_NEWPID Service may create process namespaces 0.1
- ✗ RestrictRealtime= Service may acquire realtime scheduling 0.1
- ✗ SystemCallFilter=~@cpu-emulation Service does not filter system calls 0.1
- ✗ SystemCallFilter=~@obsolete Service does not filter system calls 0.1
- ✗ RestrictAddressFamilies=~AF_NETLINK Service may allocate netlink sockets 0.1
- ✗ RootDirectory=/RootImage= Service runs within the host's root directory 0.1
- SupplementaryGroups= Service runs as root, option does not matter
- ✗ CapabilityBoundingSet=~CAP_MAC_* Service may adjust SMACK MAC 0.1
- ✗ CapabilityBoundingSet=~CAP_SYS_BOOT Service may issue reboot() 0.1
- ✓ Delegate= Service does not maintain its own delegated control group subtree
- ✗ LockPersonality= Service may change ABI personality 0.1
- ✗ MemoryDenyWriteExecute= Service may create writable executable memory mappings 0.1
- RemoveIPC= Service runs as root, option does not apply
- ✗ RestrictNamespaces=~CLONE_NEWUTS Service may create hostname namespaces 0.1
- ✗ UMask= Files created by service are world-readable by default 0.1
- ✗ CapabilityBoundingSet=~CAP_LINUX_IMMUTABLE Service may mark files immutable 0.1
- ✗ CapabilityBoundingSet=~CAP_IPC_LOCK Service may lock memory into RAM 0.1
- ✗ CapabilityBoundingSet=~CAP_SYS_CHROOT Service may issue chroot() 0.1
- ✗ CapabilityBoundingSet=~CAP_BLOCK_SUSPEND Service may establish wake locks 0.1
- ✗ CapabilityBoundingSet=~CAP_LEASE Service may create file leases 0.1
- ✗ CapabilityBoundingSet=~CAP_SYS_PACCT Service may use acct() 0.1
- ✗ CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG Service may issue vhangup() 0.1
- ✗ CapabilityBoundingSet=~CAP_WAKE_ALARM Service may program timers that wake up the system 0.1
- ✗ RestrictAddressFamilies=~AF_UNIX Service may allocate local sockets 0.1
- → Overall exposure level for pacemaker.service: 9.6 UNSAFE 😨
- [root@mk-a07n02 ~]#
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement