I've been reading a blog from the renowned Daniel Aleksandersen at https://www.ctrl.blog/entry/systemd-service-hardening.html
The output from a Debian-10 based Appvm looks a little scary!! Should I be concerned?

user@tmp3:~$ systemd-analyze security
UNIT                                  EXPOSURE PREDICATE HAPPY
ModemManager.service                  5.6      MEDIUM    😐
NetworkManager.service                7.6      EXPOSED   🙁
avahi-daemon.service                  9.5      UNSAFE    😨
cron.service                          9.5      UNSAFE    😨
cups-browsed.service                  9.5      UNSAFE    😨
cups.service                          9.5      UNSAFE    😨
dbus.service                          9.5      UNSAFE    😨
dm-event.service                      9.5      UNSAFE    😨
emergency.service                     9.5      UNSAFE    😨
exim4.service                         9.5      UNSAFE    😨
[email protected]                     9.5      UNSAFE    😨
haveged.service                       5.6      MEDIUM    😐
lvm2-lvmpolld.service                 9.5      UNSAFE    😨
polkit.service                        9.5      UNSAFE    😨
qubes-db.service                      9.5      UNSAFE    😨
qubes-firewall.service                9.5      UNSAFE    😨
qubes-gui-agent.service               9.5      UNSAFE    😨
qubes-meminfo-writer.service          9.5      UNSAFE    😨
qubes-qrexec-agent.service            9.5      UNSAFE    😨
qubes-sync-time.service               9.5      UNSAFE    😨
qubes-updates-proxy.service           9.5      UNSAFE    😨
rc-local.service                      9.5      UNSAFE    😨
rescue.service                        9.5      UNSAFE    😨
rsyslog.service                       9.5      UNSAFE    😨
rtkit-daemon.service                  6.9      MEDIUM    😐
[email protected]                     9.5      UNSAFE    😨
systemd-ask-password-console.service  9.3      UNSAFE    😨
systemd-ask-password-wall.service     9.3      UNSAFE    😨
systemd-fsckd.service                 9.5      UNSAFE    😨
systemd-initctl.service               9.3      UNSAFE    😨
systemd-journald.service              4.3      OK        🙂
systemd-logind.service                4.1      OK        🙂
systemd-networkd.service              2.8      OK        🙂
systemd-timesyncd.service             2.0      OK        🙂
systemd-udevd.service                 8.3      EXPOSED   🙁
tinyproxy.service                     8.7      EXPOSED   🙁
udisks2.service                       9.5      UNSAFE    😨
[email protected]                     9.1      UNSAFE    😨
wpa_supplicant.service                9.5      UNSAFE    😨
xendriverdomain.service               9.5      UNSAFE    😨
