I am hardening existing systemd services on Ubuntu 20.04 following the recommendations of the Lynis audit, using systemd-analyze. I would like to use systemctl edit to make the changes, but systemd-analyze does not detect them; it only detects them when the service file is edited directly. Is there a way to link the result in /etc/systemd/system/myservice.service.d/ to the main service file so that systemd-analyze understands the changes?
Roughly, what I am doing is the following:
sudo lynis audit system
which complains about:
[+] Boot and services
------------------------------------
...
- Check running services (systemctl) [ DONE ]
Result: found 42 running services
- Check enabled services at boot (systemctl) [ DONE ]
Result: found 70 enabled services
- Check startup files (permissions) [ OK ]
- Running 'systemd-analyze security'
...
- accounts-daemon.service: [ UNSAFE ]
...
Suggestions (24):
----------------------------
* Consider hardening system services [BOOT-5264]
- Details : Run '/usr/bin/systemd-analyze security SERVICE' for each service
https://cisofy.com/lynis/controls/BOOT-5264/
...
So I run the following command:
systemd-analyze security accounts-daemon.service
which outputs the following:
NAME DESCRIPTION >
✗ PrivateNetwork= Service has access to the host's network >
✗ User=/DynamicUser= Service runs as root user >
...
→ Overall exposure level for accounts-daemon.service: 9.6 UNSAFE
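As an added example (not code from the question or from systemd), the script below merges a unit file with its <name>.service.d/*.conf drop-ins the way systemd combines single-valued settings, then evaluates the two checks shown in the output above on the effective unit. The unit and drop-in contents are constructed samples, and the check logic is a simplified stand-in for what systemd-analyze security does.

```python
# Added example: merge a unit with its drop-ins (single-valued settings only;
# systemd's append/reset rules for list settings such as ExecStart= are not
# modelled), then flag the two checks from the systemd-analyze output above.
import configparser
import tempfile
from pathlib import Path

BASE_UNIT = """\
[Unit]
Description=Accounts Service (constructed sample)
[Service]
ExecStart=/usr/libexec/accounts-daemon
"""
DROP_IN = """\
[Service]
PrivateNetwork=yes
DynamicUser=yes
"""

def load_effective_unit(unit_path: Path) -> configparser.ConfigParser:
    """Parse the main unit, then apply <unit>.d/*.conf drop-ins in sorted
    order: a later assignment to the same key overrides the earlier one."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.optionxform = str  # keep systemd's CamelCase keys unchanged
    cp.read_string(unit_path.read_text())
    dropin_dir = unit_path.with_name(unit_path.name + ".d")
    if dropin_dir.is_dir():
        for conf in sorted(dropin_dir.glob("*.conf")):
            cp.read_string(conf.read_text())
    return cp

def exposure_findings(cp: configparser.ConfigParser) -> dict:
    """Return True for each check that would be reported with a cross."""
    svc = cp["Service"] if cp.has_section("Service") else {}
    yes = lambda key: svc.get(key, "no").lower() in ("yes", "true", "on", "1")
    return {
        "PrivateNetwork=": not yes("PrivateNetwork"),
        "User=/DynamicUser=": svc.get("User", "root") == "root" and not yes("DynamicUser"),
    }

def demo() -> tuple:
    # Evaluate the constructed unit before and after installing the drop-in.
    with tempfile.TemporaryDirectory() as tmp:
        unit = Path(tmp, "accounts-daemon.service")
        unit.write_text(BASE_UNIT)
        before = exposure_findings(load_effective_unit(unit))
        dropin = unit.with_name(unit.name + ".d") / "override.conf"
        dropin.parent.mkdir()
        dropin.write_text(DROP_IN)
        after = exposure_findings(load_effective_unit(unit))
    return before, after
```

On a real system the drop-in written by systemctl edit is only picked up after systemctl daemon-reload, so re-run systemd-analyze security after that step.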