Package: systemd
Version: 241-7~deb10u4
Tags: security, buster, bullseye
Severity: wishlist
Dear Maintainers,

Among others, /usr/bin/systemd-analyze can be called with the "security" parameter, which shows the sandboxing settings of the loaded units on a scale from 0 to 10. On Debian v10.6 the vast majority of the services are reported as "unsafe" with an exposure score >9. This includes sshd, unattended-upgrades and others.

Is there a plan to improve the situation for Bullseye?

I think the maintainers of the Whonix project, which is based on Debian, are using it for some services they ship in addition to the base (sdwdate, onion-grater, etc).

References:

[1] https://forums.whonix.org/t/systemd-analyze-security/10395
[2] https://www.ctrl.blog/entry/systemd-opensmtpd-hardening.html
[3] https://forums.whonix.org/t/system-wide-sandboxing-framework-sandbox-app-launcher/9008

--
With regards,
A
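As an added example (not part of the bug report or of the systemd package), the script below shows the two steps an administrator takes with the report described above: pick out the units whose exposure score is above a threshold, and write a sandboxing drop-in for one of them. The sample report text is constructed to match the column layout of the `systemd-analyze security` overview (UNIT, EXPOSURE, PREDICATE, HAPPY); the unit names, the 9.0 threshold and the output directory are assumptions. The directives in the drop-in are real systemd options, but the set is a generic starting point, not a recipe for any particular service: sshd, for instance, spawns user sessions and cannot run under `ProtectHome=yes`, and `ProtectSystem=strict` breaks any daemon that writes outside the paths it lists in `ReadWritePaths=`.

```shell
#!/bin/sh
# Added example: triage the systemd-analyze security overview and generate a
# hardening drop-in. Not from the bug report; unit names and paths are assumed.

# Constructed sample of the overview that `systemd-analyze security` prints
# (real output uses emoji in the HAPPY column; ":)" / ":(" stand in here).
SAMPLE_REPORT='UNIT                        EXPOSURE PREDICATE HAPPY
systemd-logind.service           2.8 OK        :)
ssh.service                      9.6 UNSAFE    :(
unattended-upgrades.service      9.6 UNSAFE    :(
systemd-resolved.service         2.2 OK        :)'

# Print the unit names whose exposure score is above a threshold.
# Usage: units_above_threshold "$report_text" [threshold]   (default 9.0)
# The header row is skipped; column 2 is compared numerically.
units_above_threshold() {
    threshold="${2:-9.0}"
    printf '%s\n' "$1" | awk -v t="$threshold" 'NR > 1 && $2 + 0 > t { print $1 }'
}

# Write BASEDIR/UNIT.d/hardening.conf (for a live system BASEDIR would be
# /etc/systemd/system, followed by `systemctl daemon-reload` and a restart).
# Every directive is one that systemd-analyze security scores; tune the list
# per service, since strict settings break daemons that need the paths or
# system calls they take away. Prints the path of the file it wrote.
write_hardening_dropin() {
    unit="$1"
    dir="$2/$unit.d"
    mkdir -p "$dir"
    cat > "$dir/hardening.conf" <<'EOF'
[Service]
NoNewPrivileges=yes
PrivateTmp=yes
PrivateDevices=yes
ProtectSystem=strict
ProtectHome=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictNamespaces=yes
RestrictRealtime=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
SystemCallArchitectures=native
SystemCallFilter=@system-service
EOF
    printf '%s\n' "$dir/hardening.conf"
}

# Stand-alone run: list the units above 9.0 in the constructed report and
# write a drop-in for the first of them under a temporary directory.
main() {
    units_above_threshold "$SAMPLE_REPORT"
    first=$(units_above_threshold "$SAMPLE_REPORT" | head -n 1)
    outdir=$(mktemp -d)
    write_hardening_dropin "$first" "$outdir"
}
```

On a real host the report comes from `systemd-analyze security` itself rather than from the constructed string, and after installing a drop-in the per-unit view, `systemd-analyze security UNIT`, shows which individual directives still count against the score. Running the service through its normal workload before trusting the lower score matters more than the number: a drop-in that silently breaks a daemon is worse than the 9.6.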