:Name: systemdlint
:Version: 1.3.0
:Summary: Systemd Unitfile Linter
:Author: Konrad Weihmann
:Home page: https://github.com/priv-kweihmann/systemdlint
:Upload time: 2024-02-18 07:25:02

systemdlint
===========

|Build status| |PyPI version| |Python version| |Downloads| |Language
grade: Python|

Systemd Unitfile Linter

Usage
-----

.. code:: sh

   usage: systemdlint [-h] [--nodropins] [--rootpath ROOTPATH] [--sversion SVERSION] [--output OUTPUT] [--norootfs] files [files ...]

   Systemd Unitfile Linter

   positional arguments:
     files                Files to parse

   optional arguments:
     -h, --help           show this help message and exit
     --nodropins          Ignore Drop-Ins for parsing
     --rootpath ROOTPATH  Root path
     --sversion SVERSION  Version of Systemd to be used
     --output OUTPUT      Where to flush the findings (default: stderr)
     --norootfs           Run only unit file related tests

Why should I use it?
--------------------

You can use ``systemd-analyze verify [unitname]`` to validate your
units, and it’s the recommended way if you are writing units for the
system you are currently running on. Unfortunately, systemd doesn’t
offer a validation mode that works without an already running instance
of the systemd version you want to validate against.

This tool was initially created to check units in cross-compiled
embedded images at build time, where you can’t run a copy of systemd (as
it’s cross-compiled). As a consequence it doesn’t use any systemd code
and might interpret some settings differently than systemd itself. As
with every linter, take the outcomes as a basis for further analysis.
Also keep in mind that systemd creates a larger stack of runtime files,
which are not taken into account by the tool; the same goes for
kernel-related information like /dev, /sys or /proc entries.

Furthermore, the tool gives you advice on how your unit files could be
hardened.

Installation
------------

PyPI
~~~~

Simply run:

.. code:: sh

   pip3 install systemdlint

From source
~~~~~~~~~~~

-  Install the needed requirements by running
   ``pip3 install systemdunitparser anytree``
-  git clone this repository
-  cd to <clone folder>/systemdlint
-  run ``sudo ./build.sh``

Output
------

The tool reports each finding in the following format:

.. code:: sh

   {file}:{line}:{severity} [{id}] - {message}

Example:

.. code:: sh

   /lib/systemd/system/console-shell.service:18:info [NoFailureCheck] - Return-code check is disabled. Errors are not reported
   /lib/systemd/system/plymouth-halt.service:11:info [NoFailureCheck] - Return-code check is disabled. Errors are not reported
   /lib/systemd/system/systemd-ask-password-console.service:12:warning [ReferencedUnitNotFound] - The Unit 'systemd-vconsole-setup.service' referenced was not found in filesystem
   /lib/systemd/system/basic.target:19:warning [ReferencedUnitNotFound] - The Unit 'tmp.mount' referenced was not found in filesystem
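
A build-time gate over the default output format shown above, as an added example that is not part of systemdlint. The ``error`` severity, the policy of always blocking ``Security.`` IDs, and the last two sample lines are assumptions constructed for illustration.

```python
import re
from typing import List, NamedTuple, Optional

# Default format from the README: {file}:{line}:{severity} [{id}] - {message}
# The file part is matched lazily because unit names may contain ':'.
FINDING_RE = re.compile(
    r"^(?P<file>.+?):(?P<line>\d+):(?P<severity>[A-Za-z]+) "
    r"\[(?P<id>[^\]]+)\] - (?P<message>.*)$"
)

# "info" and "warning" appear in the README sample; "error" is an assumption.
SEVERITY_RANK = {"info": 0, "warning": 1, "error": 2}

# First four lines are the README sample; the last two are constructed.
SAMPLE_REPORT = """\
/lib/systemd/system/console-shell.service:18:info [NoFailureCheck] - Return-code check is disabled. Errors are not reported
/lib/systemd/system/plymouth-halt.service:11:info [NoFailureCheck] - Return-code check is disabled. Errors are not reported
/lib/systemd/system/systemd-ask-password-console.service:12:warning [ReferencedUnitNotFound] - The Unit 'systemd-vconsole-setup.service' referenced was not found in filesystem
/lib/systemd/system/basic.target:19:warning [ReferencedUnitNotFound] - The Unit 'tmp.mount' referenced was not found in filesystem
/lib/systemd/system/demo:app.service:7:info [Security.NoNewPrivileges] - NoNewPrivileges shall be set to yes
Traceback (most recent call last):
"""


class Finding(NamedTuple):
    file: str
    line: int
    severity: str
    id: str
    message: str


class GateResult(NamedTuple):
    findings: List[Finding]
    blocking: List[Finding]
    unparsed: List[str]

    @property
    def failed(self) -> bool:
        # Unparsed lines fail the gate too: a crashed or reconfigured linter
        # must not look like a clean run.
        return bool(self.blocking or self.unparsed)


def parse_finding(text: str) -> Optional[Finding]:
    """Parse one line of default-format output, or return None."""
    m = FINDING_RE.match(text.strip())
    if m is None:
        return None
    return Finding(m["file"], int(m["line"]), m["severity"].lower(),
                   m["id"], m["message"])


def gate(report: str, fail_on: str = "warning",
         block_id_prefixes=("Security.",)) -> GateResult:
    """Split a report into all findings, blocking findings and unparsed lines."""
    threshold = SEVERITY_RANK[fail_on]
    worst = max(SEVERITY_RANK.values())
    findings, blocking, unparsed = [], [], []
    for raw in report.splitlines():
        if not raw.strip():
            continue
        finding = parse_finding(raw)
        if finding is None:
            unparsed.append(raw.strip())
            continue
        findings.append(finding)
        # Unknown severities are ranked as the worst known one (fail closed).
        rank = SEVERITY_RANK.get(finding.severity, worst)
        if rank >= threshold or finding.id.startswith(tuple(block_id_prefixes)):
            blocking.append(finding)
    return GateResult(findings, blocking, unparsed)


if __name__ == "__main__":
    result = gate(SAMPLE_REPORT)
    for f in result.blocking:
        print(f"BLOCK {f.file}:{f.line} [{f.id}] {f.message}")
    for line in result.unparsed:
        print(f"UNPARSED {line!r}")
    raise SystemExit(1 if result.failed else 0)
```

In a real build, pass the contents of the file written with ``--output`` (or captured stderr) instead of ``SAMPLE_REPORT``.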

The output format is configurable with ``--messageformat``, for example:

.. code:: sh

   systemdlint --messageformat='{path}:{line}:{severity}:{msg}' ...

Detectable Errors
-----------------

-  ConflictingOptions - The set option somehow is in conflict with
   another unit
-  ErrorCyclicDependency - Unit creates a cyclic dependency
-  ExecNotFound - The referenced executable was not found on system
-  FullPrivileges - An executable is run with full privileges
-  InvalidNumericBase - A numeric value doesn’t match because it needs
   to be a multiple of X
-  InvalidSetting - The option doesn’t match the section
-  InvalidValue - An invalid value is set
-  MandatoryOptionMissing - A mandatory option was missing in the file
-  Multiplicity - The option is not valid for the given amount of
   options in this context
-  NoExecutable - The referenced executable is NOT executable
-  NoFailureCheck - An executable is run without checking for failures
-  OptionDeprecated - The used option is not available anymore in this
   version
-  OptionTooNew - The used option will be available in a later version
   than used
-  ReferencedUnitNotFound - The unit referenced was not found in system
-  Security.@clock - SystemCallFilter shouldn’t contain @clock
-  Security.@cpu-emulation - SystemCallFilter shouldn’t contain
   @cpu-emulation
-  Security.@debug - SystemCallFilter shouldn’t contain @debug
-  Security.@module - SystemCallFilter shouldn’t contain @module
-  Security.@mount - SystemCallFilter shouldn’t contain @mount
-  Security.@obsolete - SystemCallFilter shouldn’t contain @obsolete
-  Security.@privileged - SystemCallFilter shouldn’t contain @privileged
-  Security.@raw-io - SystemCallFilter shouldn’t contain @raw-io
-  Security.@reboot - SystemCallFilter shouldn’t contain @reboot
-  Security.@resources - SystemCallFilter shouldn’t contain @resources
-  Security.@swap - SystemCallFilter shouldn’t contain @swap
-  Security.AF_INET - RestrictAddressFamilies shouldn’t contain AF_INET
-  Security.AF_INET6 - RestrictAddressFamilies shouldn’t contain
   AF_INET6
-  Security.AF_NETLINK - RestrictAddressFamilies shouldn’t contain
   AF_NETLINK
-  Security.AF_PACKET - RestrictAddressFamilies shouldn’t contain
   AF_PACKET
-  Security.AF_UNIX - RestrictAddressFamilies shouldn’t contain AF_UNIX
-  Security.CAP_AUDIT_CONTROL - CapabilityBoundingSet shouldn’t contain
   CAP_AUDIT_CONTROL
-  Security.CAP_AUDIT_READ - CapabilityBoundingSet shouldn’t contain
   CAP_AUDIT_READ
-  Security.CAP_AUDIT_WRITE - CapabilityBoundingSet shouldn’t contain
   CAP_AUDIT_WRITE
-  Security.CAP_BLOCK_SUSPEND - CapabilityBoundingSet shouldn’t contain
   CAP_BLOCK_SUSPEND
-  Security.CAP_CHOWN - CapabilityBoundingSet shouldn’t contain
   CAP_CHOWN
-  Security.CAP_DAC_OVERRIDE - CapabilityBoundingSet shouldn’t contain
   CAP_DAC_OVERRIDE
-  Security.CAP_DAC_READ_SEARCH - CapabilityBoundingSet shouldn’t
   contain CAP_DAC_READ_SEARCH
-  Security.CAP_FOWNER - CapabilityBoundingSet shouldn’t contain
   CAP_FOWNER
-  Security.CAP_FSETID - CapabilityBoundingSet shouldn’t contain
   CAP_FSETID
-  Security.CAP_IPC_LOCK - CapabilityBoundingSet shouldn’t contain
   CAP_IPC_LOCK
-  Security.CAP_IPC_OWNER - CapabilityBoundingSet shouldn’t contain
   CAP_IPC_OWNER
-  Security.CAP_KILL - CapabilityBoundingSet shouldn’t contain CAP_KILL
-  Security.CAP_LEASE - CapabilityBoundingSet shouldn’t contain
   CAP_LEASE
-  Security.CAP_LINUX_IMMUTABLE - CapabilityBoundingSet shouldn’t
   contain CAP_LINUX_IMMUTABLE
-  Security.CAP_MAC_ADMIN - CapabilityBoundingSet shouldn’t contain
   CAP_MAC_ADMIN
-  Security.CAP_MAC_OVERRIDE - CapabilityBoundingSet shouldn’t contain
   CAP_MAC_OVERRIDE
-  Security.CAP_MKNOD - CapabilityBoundingSet shouldn’t contain
   CAP_MKNOD
-  Security.CAP_NET_ADMIN - CapabilityBoundingSet shouldn’t contain
   CAP_NET_ADMIN
-  Security.CAP_NET_BIND_SERVICE - CapabilityBoundingSet shouldn’t
   contain CAP_NET_BIND_SERVICE
-  Security.CAP_NET_BROADCAST - CapabilityBoundingSet shouldn’t contain
   CAP_NET_BROADCAST
-  Security.CAP_NET_RAW - CapabilityBoundingSet shouldn’t contain
   CAP_NET_RAW
-  Security.CAP_RAWIO - CapabilityBoundingSet shouldn’t contain
   CAP_RAWIO
-  Security.CAP_SETFCAP - CapabilityBoundingSet shouldn’t contain
   CAP_SETFCAP
-  Security.CAP_SETGID - CapabilityBoundingSet shouldn’t contain
   CAP_SETGID
-  Security.CAP_SETPCAP - CapabilityBoundingSet shouldn’t contain
   CAP_SETPCAP
-  Security.CAP_SETUID - CapabilityBoundingSet shouldn’t contain
   CAP_SETUID
-  Security.CAP_SYS_ADMIN - CapabilityBoundingSet shouldn’t contain
   CAP_SYS_ADMIN
-  Security.CAP_SYS_BOOT - CapabilityBoundingSet shouldn’t contain
   CAP_SYS_BOOT
-  Security.CAP_SYS_CHROOT - CapabilityBoundingSet shouldn’t contain
   CAP_SYS_CHROOT
-  Security.CAP_SYS_MODULE - CapabilityBoundingSet shouldn’t contain
   CAP_SYS_MODULE
-  Security.CAP_SYS_NICE - CapabilityBoundingSet shouldn’t contain
   CAP_SYS_NICE
-  Security.CAP_SYS_PACCT - CapabilityBoundingSet shouldn’t contain
   CAP_SYS_PACCT
-  Security.CAP_SYS_PTRACE - CapabilityBoundingSet shouldn’t contain
   CAP_SYS_PTRACE
-  Security.CAP_SYS_RESOURCE - CapabilityBoundingSet shouldn’t contain
   CAP_SYS_RESOURCE
-  Security.CAP_SYS_TIME - CapabilityBoundingSet shouldn’t contain
   CAP_SYS_TIME
-  Security.CAP_SYS_TTY_CONFIG - CapabilityBoundingSet shouldn’t contain
   CAP_SYS_TTY_CONFIG
-  Security.CAP_SYSLOG - CapabilityBoundingSet shouldn’t contain
   CAP_SYSLOG
-  Security.CAP_WAKE_ALARM - CapabilityBoundingSet shouldn’t contain
   CAP_WAKE_ALARM
-  Security.CLONE_NEWCGROUP - RestrictNamespaces shouldn’t contain
   CLONE_NEWCGROUP
-  Security.CLONE_NEWIPC - RestrictNamespaces shouldn’t contain
   CLONE_NEWIPC
-  Security.CLONE_NEWNET - RestrictNamespaces shouldn’t contain
   CLONE_NEWNET
-  Security.CLONE_NEWNS - RestrictNamespaces shouldn’t contain
   CLONE_NEWNS
-  Security.CLONE_NEWPID - RestrictNamespaces shouldn’t contain
   CLONE_NEWPID
-  Security.CLONE_NEWUSER - RestrictNamespaces shouldn’t contain
   CLONE_NEWUSER
-  Security.CLONE_NEWUTS - RestrictNamespaces shouldn’t contain
   CLONE_NEWUTS
-  Security.Delegate - Delegate shall be set to yes
-  Security.DevicePolicy - DevicePolicy should be set to closed
-  Security.IPAddressDenyNA - IPAddressDeny shall be set
-  Security.KeyringModeNA - KeyringMode shall be set
-  Security.KeyringModeNPriv - KeyringMode shall be set to private
-  Security.LockPersonality - LockPersonality shall be set to yes
-  Security.MemoryDenyWriteExecute - MemoryDenyWriteExecute shall be set
   to yes
-  Security.NoNewPrivileges - NoNewPrivileges shall be set to yes
-  Security.NotifyAccess - NotifyAccess=all should be avoided
-  Security.NoUser - No user is set for the service
-  Security.PrivateDevices - PrivateDevices shall be set to yes
-  Security.PrivateMounts - PrivateMounts shall be set to yes
-  Security.PrivateNetwork - PrivateNetwork shall be set to yes
-  Security.PrivateTmp - PrivateTmp shall be set to yes
-  Security.PrivateUsers - PrivateUsers shall be set to yes
-  Security.ProtectClock - ProtectClock shall be set to yes
-  Security.ProtectControlGroups - ProtectControlGroups shall be set to
   yes
-  Security.ProtectHomeNA - ProtectHome shall be set
-  Security.ProtectHomeOff - ProtectHome shall be set to yes
-  Security.ProtectHostname - ProtectHostname shall be set to yes
-  Security.ProtectKernelLogs - ProtectKernelLogs shall be set to yes
-  Security.ProtectKernelModules - ProtectKernelModules shall be set to
   yes
-  Security.ProtectKernelTunables - ProtectKernelTunables shall be set
   to yes
-  Security.ProtectSystemNA - ProtectSystem shall be set
-  Security.ProtectSystemNStrict - ProtectSystem shall be set to strict
-  Security.RemoveIPC - RemoveIPC should be activated
-  Security.RestrictRealtime - RestrictRealtime shall be set to yes
-  Security.RestrictSUIDSGID - RestrictSUIDSGID shall be set to yes
-  Security.RootDirectory - RootDirectory or RootImage shall be set to a
   non-root path
-  Security.SupplementaryGroups - SupplementaryGroups shall be avoided
-  Security.SystemCallArchitecturesMult - SystemCallArchitectures
   shouldn’t be set for multiple archs
-  Security.SystemCallArchitecturesNA - SystemCallArchitectures shall be
   set
-  Security.UMaskGR - Files created by service are group-readable
-  Security.UMaskGW - Files created by service are group-writeable
-  Security.UMaskOR - Files created by service are world-readable
-  Security.UMaskOW - Files created by service are world-writeable
-  Security.UserNobody - User nobody is set for the service
-  Security.UserRoot - User root is set for the service
-  SettingRequires - The option requires another option to be set
-  SettingRestricted - The option can’t be set due to another option
-  SyntaxError - The file is not parsable
-  UnitSectionMissing - The Unit-section is missing in the file
-  UnknownUnitType - The file extension of the file is not a known
   systemd one
-  WrongFileMask - The file has a risky filemode set

vscode extension
----------------

Find the extension in the
`marketplace <https://marketplace.visualstudio.com/items?itemName=kweihmann.systemdlint-vscode>`__,
or search for ``systemdlint-vscode``

.. |Build status| image:: https://github.com/priv-kweihmann/systemdlint/workflows/Build/badge.svg
.. |PyPI version| image:: https://badge.fury.io/py/systemdlint.svg
   :target: https://badge.fury.io/py/systemdlint
.. |Python version| image:: https://img.shields.io/pypi/pyversions/systemdlint
   :target: https://img.shields.io/pypi/pyversions/systemdlint
.. |Downloads| image:: https://img.shields.io/pypi/dm/systemdlint
   :target: https://img.shields.io/pypi/dm/systemdlint
.. |Language grade: Python| image:: https://img.shields.io/lgtm/grade/python/g/priv-kweihmann/systemdlint.svg?logo=lgtm&logoWidth=18
   :target: https://lgtm.com/projects/g/priv-kweihmann/systemdlint/context:python



            
