Awesome

systemdlint

Systemd Unitfile Linter

Usage

usage: systemdlint [-h] [--nodropins] [--rootpath ROOTPATH] [--sversion SVERSION] [--output OUTPUT] [--norootfs] files [files ...]

Systemd Unitfile Linter

positional arguments:
  files                Files to parse

optional arguments:
  -h, --help           show this help message and exit
  --nodropins          Ignore Drop-Ins for parsing
  --rootpath ROOTPATH  Root path
  --sversion SVERSION  Version of Systemd to be used
  --output OUTPUT      Where to flush the findings (default: stderr)
  --norootfs           Run only unit file related tests

Why should I use it?

Surely you can use systemd-analyze verify [unitname] to validate your units - no problem and it's the recommended way if you writing units for the system you are currently running on. Unfortunately systemd doesn't offer a validation which doesn't require an already running version of systemd you want to validate against.

This tool was initially created to check units in cross-compiled embedded images at build time, where you can't run a copy of systemd (as it's cross-compiled). As a consequence it doesn't use any systemd code and might interpret some settings differently than systemd itself - as with every linter take the outcomes as a basis for further analysis. Also keep in mind, that systemd does create a larger stack of runtime files, which are not taken into account by the tool - same for kernel related information like /dev, /sys or /proc entries.

Furthermore the tool gives you advice how your unit files could be hardened.

Installation

PyPi

simply run

pip3 install systemdlint

From source

Install the needed requirements by running pip3 install systemdunitparser anytree
git clone this repository
cd to <clone folder>/systemdlint
run sudo ./build.sh

Output

The tool will return

{file}:{line}:{severity} [{id}] - {message}

example:

/lib/systemd/system/console-shell.service:18:info [NoFailureCheck] - Return-code check is disabled. Errors are not reported
/lib/systemd/system/plymouth-halt.service:11:info [NoFailureCheck] - Return-code check is disabled. Errors are not reported
/lib/systemd/system/systemd-ask-password-console.service:12:warning [ReferencedUnitNotFound] - The Unit 'systemd-vconsole-setup.service' referenced was not found in filesystem
/lib/systemd/system/basic.target:19:warning [ReferencedUnitNotFound] - The Unit 'tmp.mount' referenced was not found in filesystem

The output format is configurable with --messageformat, for example:

systemdlint --messageformat='{path}:{line}:{severity}:{msg}' ...

Detectable Errors

ConflictingOptions - The set option somehow is in conflict with another unit
ErrorCyclicDependency - Unit creates a cyclic dependency
ExecNotFound - The referenced executable was not found on system
FullPrivileges - An executable is run with full privileges
InvalidNumericBase - A numeric value doesn't match because it needs to be a multiple of X
InvalidSetting - The option doesn't match the section
InvalidValue - An invalid value is set
MandatoryOptionMissing - A mandatory option was missing in the file
Multiplicity - The option is not valid for the given amount of options in this context
NoExecutable - The referenced executable is NOT executable
NoFailureCheck - An executable is run without checking for failures
OptionDeprecated - The used option is not available anymore in this version
OptionTooNew - The used option will be available in a later version than used
ReferencedUnitNotFound - The unit referenced was not found in system
Security.@clock - SystemCallFilter shouldn't contain @clock
Security.@cpu-emulation - SystemCallFilter shouldn't contain @cpu-emulation
Security.@debug - SystemCallFilter shouldn't contain @debug
Security.@module - SystemCallFilter shouldn't contain @module
Security.@mount - SystemCallFilter shouldn't contain @mount
Security.@obsolete - SystemCallFilter shouldn't contain @obsolete
Security.@privileged - SystemCallFilter shouldn't contain @privileged
Security.@raw-io - SystemCallFilter shouldn't contain @raw-io
Security.@reboot - SystemCallFilter shouldn't contain @reboot
Security.@resources - SystemCallFilter shouldn't contain @resources
Security.@swap - SystemCallFilter shouldn't contain @swap
Security.AF_INET - RestrictAddressFamilies shouldn't contain AF_INET
Security.AF_INET6 - RestrictAddressFamilies shouldn't contain AF_INET6
Security.AF_NETLINK - RestrictAddressFamilies shouldn't contain AF_NETLINK
Security.AF_PACKET - RestrictAddressFamilies shouldn't contain AF_PACKET
Security.AF_UNIX - RestrictAddressFamilies shouldn't contain AF_UNIX
Security.CAP_AUDIT_CONTROL - CapabilityBoundingSet shouldn't contain CAP_AUDIT_CONTROL
Security.CAP_AUDIT_READ - CapabilityBoundingSet shouldn't contain CAP_AUDIT_READ
Security.CAP_AUDIT_WRITE - CapabilityBoundingSet shouldn't contain CAP_AUDIT_WRITE
Security.CAP_BLOCK_SUSPEND - CapabilityBoundingSet shouldn't contain CAP_BLOCK_SUSPEND
Security.CAP_CHOWN - CapabilityBoundingSet shouldn't contain CAP_CHOWN
Security.CAP_DAC_OVERRIDE - CapabilityBoundingSet shouldn't contain CAP_DAC_OVERRIDE
Security.CAP_DAC_READ_SEARCH - CapabilityBoundingSet shouldn't contain CAP_DAC_READ_SEARCH
Security.CAP_FOWNER - CapabilityBoundingSet shouldn't contain CAP_FOWNER
Security.CAP_FSETID - CapabilityBoundingSet shouldn't contain CAP_FSETID
Security.CAP_IPC_LOCK - CapabilityBoundingSet shouldn't contain CAP_IPC_LOCK
Security.CAP_IPC_OWNER - CapabilityBoundingSet shouldn't contain CAP_IPC_OWNER
Security.CAP_KILL - CapabilityBoundingSet shouldn't contain CAP_KILL
Security.CAP_LEASE - CapabilityBoundingSet shouldn't contain CAP_LEASE
Security.CAP_LINUX_IMMUTABLE - CapabilityBoundingSet shouldn't contain CAP_LINUX_IMMUTABLE
Security.CAP_MAC_ADMIN - CapabilityBoundingSet shouldn't contain CAP_MAC_ADMIN
Security.CAP_MAC_OVERRIDE - CapabilityBoundingSet shouldn't contain CAP_MAC_OVERRIDE
Security.CAP_MKNOD - CapabilityBoundingSet shouldn't contain CAP_MKNOD
Security.CAP_NET_ADMIN - CapabilityBoundingSet shouldn't contain CAP_NET_ADMIN
Security.CAP_NET_BIND_SERVICE - CapabilityBoundingSet shouldn't contain CAP_NET_BIND_SERVICE
Security.CAP_NET_BROADCAST - CapabilityBoundingSet shouldn't contain CAP_NET_BROADCAST
Security.CAP_NET_RAW - CapabilityBoundingSet shouldn't contain CAP_NET_RAW
Security.CAP_RAWIO - CapabilityBoundingSet shouldn't contain CAP_RAWIO
Security.CAP_SETFCAP - CapabilityBoundingSet shouldn't contain CAP_SETFCAP
Security.CAP_SETGID - CapabilityBoundingSet shouldn't contain CAP_SETGID
Security.CAP_SETPCAP - CapabilityBoundingSet shouldn't contain CAP_SETPCAP
Security.CAP_SETUID - CapabilityBoundingSet shouldn't contain CAP_SETUID
Security.CAP_SYS_ADMIN - CapabilityBoundingSet shouldn't contain CAP_SYS_ADMIN
Security.CAP_SYS_BOOT - CapabilityBoundingSet shouldn't contain CAP_SYS_BOOT
Security.CAP_SYS_CHROOT - CapabilityBoundingSet shouldn't contain CAP_SYS_CHROOT
Security.CAP_SYS_MODULE - CapabilityBoundingSet shouldn't contain CAP_SYS_MODULE
Security.CAP_SYS_NICE - CapabilityBoundingSet shouldn't contain CAP_SYS_NICE
Security.CAP_SYS_PACCT - CapabilityBoundingSet shouldn't contain CAP_SYS_PACCT
Security.CAP_SYS_PTRACE - CapabilityBoundingSet shouldn't contain CAP_SYS_PTRACE
Security.CAP_SYS_RESOURCE - CapabilityBoundingSet shouldn't contain CAP_SYS_RESOURCE
Security.CAP_SYS_TIME - CapabilityBoundingSet shouldn't contain CAP_SYS_TIME
Security.CAP_SYS_TTY_CONFIG - CapabilityBoundingSet shouldn't contain CAP_SYS_TTY_CONFIG
Security.CAP_SYSLOG - CapabilityBoundingSet shouldn't contain CAP_SYSLOG
Security.CAP_WAKE_ALARM - CapabilityBoundingSet shouldn't contain CAP_WAKE_ALARM
Security.CLONE_NEWCGROUP - RestrictNamespaces shouldn't contain CLONE_NEWCGROUP
Security.CLONE_NEWIPC - RestrictNamespaces shouldn't contain CLONE_NEWIPC
Security.CLONE_NEWNET - RestrictNamespaces shouldn't contain CLONE_NEWNET
Security.CLONE_NEWNS - RestrictNamespaces shouldn't contain CLONE_NEWNS
Security.CLONE_NEWPID - RestrictNamespaces shouldn't contain CLONE_NEWPID
Security.CLONE_NEWUSER - RestrictNamespaces shouldn't contain CLONE_NEWUSER
Security.CLONE_NEWUTS - RestrictNamespaces shouldn't contain CLONE_NEWUTS
Security.Delegate - Delegate shall be set to yes
Security.DevicePolicy - DevicePolicy should be set to closed
Security.IPAddressDenyNA - IPAddressDeny shall be set
Security.KeyringModeNA - KeyringMode shall be set
Security.KeyringModeNPriv - KeyringMode shall be set to private
Security.LockPersonality - LockPersonality shall be set to yes
Security.MemoryDenyWriteExecute - MemoryDenyWriteExecute shall be set to yes
Security.NoNewPrivileges - NoNewPrivileges shall be set to yes
Security.NotifyAccess - NotifyAccess=all should be avoided
Security.NoUser - No user is set for the service
Security.PrivateDevices - PrivateDevices shall be set to yes
Security.PrivateMounts - PrivateMounts shall be set to yes
Security.PrivateNetwork - PrivateNetwork shall be set to yes
Security.PrivateTmp - PrivateTmp shall be set to yes
Security.PrivateUsers - PrivateUsers shall be set to yes
Security.ProtectClock - ProtectClock shall be set to yes
Security.ProtectControlGroups - ProtectControlGroups shall be set to yes
Security.ProtectHomeNA - ProtectHome shall be set
Security.ProtectHomeOff - ProtectHome shall be set to yes
Security.ProtectHostname - ProtectHostname shall be set to yes
Security.ProtectKernelLogs - ProtectKernelLogs shall be set to yes
Security.ProtectKernelModules - ProtectKernelModules shall be set to yes
Security.ProtectKernelTunables - ProtectKernelTunables shall be set to yes
Security.ProtectSystemNA - ProtectSystem shall be set
Security.ProtectSystemNStrict - ProtectSystem shall be set to strict
Security.RemoveIPC - RemoveIPC should be activated
Security.RestrictRealtime - RestrictRealtime shall be set to yes
Security.RestrictSUIDSGID - RestrictSUIDSGID shall be set to yes
Security.RootDirectory - RootDirectory or RootImage shall be set to a non-root path
Security.SupplementaryGroups - SupplementaryGroups shall be avoided
Security.SystemCallArchitecturesMult - SystemCallArchitectures shouldn't be set for multiple archs
Security.SystemCallArchitecturesNA - SystemCallArchitectures shall be set
Security.UMaskGR - Files created by service are group-readbale
Security.UMaskGW - Files created by service are group-writeable
Security.UMaskOR - Files created by service are world-readbale
Security.UMaskOW - Files created by service are world-writeable
Security.UserNobody - User nobody is set for the service
Security.UserRoot - User root is set for the service
SettingRequires - The option requires another option to be set
SettingRestricted - The option can't be set due to another option
SyntaxError - The file is not parsable
UnitSectionMissing - The Unit-section is missing in the file
UnknownUnitType - The file extension of the file is not a known systemd one
WrongFileMask - The file has a risky filemode set

vscode extension

Find the extension in the marketplace, or search for systemdlint-vscode