Author Topic: systemd-analyze security returns a list of exposed and unsafe services  (Read 265 times)

0 Members and 1 Guest are viewing this topic.

Offline
*
Hello
On relatively fresh install of Almalinux 9 with CWP PRO
I ran this command

 systemd-analyze security

and got the following list of services, many are marked as "usafe" and "exposed":

UNIT                                 EXPOSURE PREDICATE HAPPY
NetworkManager.service                    7.8 EXPOSED   🙁
amavisd.service                           6.9 MEDIUM    😐
atd.service                               9.6 UNSAFE    😨
auditd.service                            8.9 EXPOSED   🙁
cbpolicyd.service                         9.6 UNSAFE    😨
chronyd.service                           3.9 OK        🙂
clamav-freshclam.service                  9.6 UNSAFE    😨
clamd.service                             9.6 UNSAFE    😨
crond.service                             9.6 UNSAFE    😨
cwp-phpfpm.service                        9.6 UNSAFE    😨
cwpsrv-phpfpm.service                     9.6 UNSAFE    😨
cwpsrv.service                            9.2 UNSAFE    😨
dbus-broker.service                       8.7 EXPOSED   🙁
dovecot.service                           8.5 EXPOSED   🙁
emergency.service                         9.5 UNSAFE    😨
getty@tty1.service                        9.6 UNSAFE    😨
httpd.service                             9.6 UNSAFE    😨
irqbalance.service                        8.9 EXPOSED   🙁
lfd.service                               9.6 UNSAFE    😨
low-memory-monitor.service                6.3 MEDIUM    😐
maldet.service                            9.6 UNSAFE    😨
mariadb.service                           8.8 EXPOSED   🙁
mlocate-updatedb.service                  8.1 EXPOSED   🙁
monit.service                             9.6 UNSAFE    😨
named.service                             9.2 UNSAFE    😨
nginx.service                             9.6 UNSAFE    😨
opendkim.service                          9.2 UNSAFE    😨
php-fpm74.service                         6.5 MEDIUM    😐
php-fpm80.service                         6.5 MEDIUM    😐
php-fpm80.service                         6.5 MEDIUM    😐
php-fpm81.service                         6.5 MEDIUM    😐
php-fpm82.service                         6.5 MEDIUM    😐
php-fpm83.service                         6.5 MEDIUM    😐
postfix.service                           7.9 EXPOSED   🙁
pure-ftpd.service                         9.6 UNSAFE    😨
rc-local.service                          9.6 UNSAFE    😨
rescue.service                            9.5 UNSAFE    😨
rsyslog.service                           5.8 MEDIUM    😐
rtkit-daemon.service                      7.1 MEDIUM    😐
sa-update.service                         9.6 UNSAFE    😨
spamassassin.service                      9.6 UNSAFE    😨
sshd.service                              9.6 UNSAFE    😨
sssd-kcm.service                          7.7 EXPOSED   🙁
sssd.service                              8.3 EXPOSED   🙁
systemd-ask-password-console.service      9.4 UNSAFE    😨
systemd-ask-password-wall.service         9.4 UNSAFE    😨
systemd-initctl.service                   9.4 UNSAFE    😨
systemd-journald.service                  4.3 OK        🙂
systemd-logind.service                    2.8 OK        🙂
systemd-rfkill.service                    9.4 UNSAFE    😨
systemd-udevd.service                     6.9 MEDIUM    😐
upower.service                            2.4 OK        🙂
user@0.service                            9.8 UNSAFE    😨

Not being expert I am wondering whether these are really serious problems or not and what can be done to fix the serious ones eventually.
What seems strange to me is that many of the services that are marked as unsafe are the very main services needed, e.g. nginx, lfd, postfix, cwpsrv-phpfpm.service.... and so on.

Does anyone know something about this?
Thank you in advance for info and hints.

Offline
*****
Re: systemd-analyze security returns a list of exposed and unsafe services
« Reply #1 on: September 30, 2024, 04:38:40 AM »
I would take those results with a healthy grain of salt. A lot of that "exposure" would simply mean it's accessible via the internet -- which is what you want for a public-facing server. Other results, such as for php-fpm74 which EOL are probably actually understated -- it should be replaced by php-fpm81 wherever possible. Here's a good primer from the mother ship:
https://www.redhat.com/sysadmin/systemd-secure-services

But yes, you should take active measures to harden your system after install:
https://www.awsmonster.com/cwp-installation-and-configuration_12
https://www.awsmonster.com/2019/09/how-to-secureharden-cwp-nginx-server.html