Author Topic: systemd-analyze security returns a list of exposed and unsafe services (Read 159 times)

David · « **on:** September 30, 2024, 03:12:26 AM »

Hello
On relatively fresh install of Almalinux 9 with CWP PRO
I ran this command

systemd-analyze security

and got the following list of services, many are marked as "usafe" and "exposed":

UNIT EXPOSURE PREDICATE HAPPY
NetworkManager.service 7.8 EXPOSED 🙁
amavisd.service 6.9 MEDIUM 😐
atd.service 9.6 UNSAFE 😨
auditd.service 8.9 EXPOSED 🙁
cbpolicyd.service 9.6 UNSAFE 😨
chronyd.service 3.9 OK 🙂
clamav-freshclam.service 9.6 UNSAFE 😨
clamd.service 9.6 UNSAFE 😨
crond.service 9.6 UNSAFE 😨
cwp-phpfpm.service 9.6 UNSAFE 😨
cwpsrv-phpfpm.service 9.6 UNSAFE 😨
cwpsrv.service 9.2 UNSAFE 😨
dbus-broker.service 8.7 EXPOSED 🙁
dovecot.service 8.5 EXPOSED 🙁
emergency.service 9.5 UNSAFE 😨
getty@tty1.service 9.6 UNSAFE 😨
httpd.service 9.6 UNSAFE 😨
irqbalance.service 8.9 EXPOSED 🙁
lfd.service 9.6 UNSAFE 😨
low-memory-monitor.service 6.3 MEDIUM 😐
maldet.service 9.6 UNSAFE 😨
mariadb.service 8.8 EXPOSED 🙁
mlocate-updatedb.service 8.1 EXPOSED 🙁
monit.service 9.6 UNSAFE 😨
named.service 9.2 UNSAFE 😨
nginx.service 9.6 UNSAFE 😨
opendkim.service 9.2 UNSAFE 😨
php-fpm74.service 6.5 MEDIUM 😐
php-fpm80.service 6.5 MEDIUM 😐
php-fpm80.service 6.5 MEDIUM 😐
php-fpm81.service 6.5 MEDIUM 😐
php-fpm82.service 6.5 MEDIUM 😐
php-fpm83.service 6.5 MEDIUM 😐
postfix.service 7.9 EXPOSED 🙁
pure-ftpd.service 9.6 UNSAFE 😨
rc-local.service 9.6 UNSAFE 😨
rescue.service 9.5 UNSAFE 😨
rsyslog.service 5.8 MEDIUM 😐
rtkit-daemon.service 7.1 MEDIUM 😐
sa-update.service 9.6 UNSAFE 😨
spamassassin.service 9.6 UNSAFE 😨
sshd.service 9.6 UNSAFE 😨
sssd-kcm.service 7.7 EXPOSED 🙁
sssd.service 8.3 EXPOSED 🙁
systemd-ask-password-console.service 9.4 UNSAFE 😨
systemd-ask-password-wall.service 9.4 UNSAFE 😨
systemd-initctl.service 9.4 UNSAFE 😨
systemd-journald.service 4.3 OK 🙂
systemd-logind.service 2.8 OK 🙂
systemd-rfkill.service 9.4 UNSAFE 😨
systemd-udevd.service 6.9 MEDIUM 😐
upower.service 2.4 OK 🙂
user@0.service 9.8 UNSAFE 😨

Not being expert I am wondering whether these are really serious problems or not and what can be done to fix the serious ones eventually.
What seems strange to me is that many of the services that are marked as unsafe are the very main services needed, e.g. nginx, lfd, postfix, cwpsrv-phpfpm.service.... and so on.

Does anyone know something about this?
Thank you in advance for info and hints.

overseer · « **Reply #1 on:** September 30, 2024, 04:38:40 AM »

I would take those results with a healthy grain of salt. A lot of that "exposure" would simply mean it's accessible via the internet -- which is what you want for a public-facing server. Other results, such as for php-fpm74 which EOL are probably actually understated -- it should be replaced by php-fpm81 wherever possible. Here's a good primer from the mother ship:
https://www.redhat.com/sysadmin/systemd-secure-services

But yes, you should take active measures to harden your system after install:
https://www.awsmonster.com/cwp-installation-and-configuration_12
https://www.awsmonster.com/2019/09/how-to-secureharden-cwp-nginx-server.html

Control Web Panel

Author Topic: systemd-analyze security returns a list of exposed and unsafe services (Read 159 times)

systemd-analyze security returns a list of exposed and unsafe services

Re: systemd-analyze security returns a list of exposed and unsafe services