GitPlanet

Cheap and reliable Node.js hosting starts at $3/month, and $1/month static HTML hosting

Created with love in Canada, visit hostnodejs.com today

Feel like to post an Ad? Learn Details
All Projects → priv-kweihmann → systemdlint

priv-kweihmann / systemdlint

Licence: BSD-2-Clause license
Systemd Linter

Programming Languages

python
139335 projects - #7 most used programming language

Labels

static-code-analysissystemdqatools

Projects that are alternatives of or similar to systemdlint

gnome-shell-extension-sermon
A GNOME Shell extension for monitoring and managing systemd services, cron jobs, docker and poman containers
Stars: ✭ 27 (+68.75%)
Mutual labels:  systemd
wsl-systemd
A script that spawns a namespace with systemd as PID1, and allows you to spawn interactive sessions or exec commands inside it
Stars: ✭ 37 (+131.25%)
Mutual labels:  systemd
deploy
No description or website provided.
Stars: ✭ 23 (+43.75%)
Mutual labels:  systemd
lints
Lint all your JavaScript, CSS, HTML, Markdown and Dockerfiles with a single command
Stars: ✭ 14 (-12.5%)
Mutual labels:  static-code-analysis
system-76-keyboards
Rainbow / CPU monitor for system76 colored keyboards
Stars: ✭ 37 (+131.25%)
Mutual labels:  systemd
InitKit
Neo-InitWare is a modular, cross-platform reimplementation of the systemd init system. It is experimental.
Stars: ✭ 364 (+2175%)
Mutual labels:  systemd
parca
Continuous profiling for analysis of CPU and memory usage, down to the line number and throughout time. Saving infrastructure cost, improving performance, and increasing reliability.
Stars: ✭ 2,834 (+17612.5%)
Mutual labels:  systemd
sysdweb
Control systemd services through Web or REST API
Stars: ✭ 65 (+306.25%)
Mutual labels:  systemd
dppm
An easy way to install and manage server applications
Stars: ✭ 107 (+568.75%)
Mutual labels:  systemd
eclipse-pmd
eclipse-pmd has been moved to
Stars: ✭ 20 (+25%)
Mutual labels:  static-code-analysis
fiasko bro
Yet another static python code validator
Stars: ✭ 27 (+68.75%)
Mutual labels:  static-code-analysis
lua-systemd
Systemd bindings for Lua
Stars: ✭ 33 (+106.25%)
Mutual labels:  systemd
sonar-coldfusion
SonarQube ColdFusion Analyzer
Stars: ✭ 25 (+56.25%)
Mutual labels:  static-code-analysis
InitWare
The InitWare Suite of Middleware allows you to manage services and system resources as logical entities called units. Its main component is a service management ("init") system.
Stars: ✭ 164 (+925%)
Mutual labels:  systemd
cya
Easy to use snapshot and restore utility for any Linux (Unix) OS and filesystem powered by BASH
Stars: ✭ 73 (+356.25%)
Mutual labels:  systemd
MirrorCache
Download Redirector
Stars: ✭ 24 (+50%)
Mutual labels:  systemd
parca-agent
eBPF based always-on profiler auto-discovering targets in Kubernetes and systemd, zero code changes or restarts needed!
Stars: ✭ 250 (+1462.5%)
Mutual labels:  systemd
FastLint-Issues
FastLint finds & fixes bugs in your commits
Stars: ✭ 123 (+668.75%)
Mutual labels:  static-code-analysis
test junkie
Highly configurable testing framework for Python
Stars: ✭ 72 (+350%)
Mutual labels:  qatools
mailhandler
Simple lightweight mail library which allows you to send and retrieve emails, and get more details about email sending and delivery
Stars: ✭ 49 (+206.25%)
Mutual labels:  qatools
View All Similar Projects ➔

systemdlint

Build status PyPI version Python version Downloads Language grade: Python

Systemd Unitfile Linter

Usage

usage: systemdlint [-h] [--nodropins] [--rootpath ROOTPATH] [--sversion SVERSION] [--output OUTPUT] [--norootfs] files [files ...]

Systemd Unitfile Linter

positional arguments:
  files                Files to parse

optional arguments:
  -h, --help           show this help message and exit
  --nodropins          Ignore Drop-Ins for parsing
  --rootpath ROOTPATH  Root path
  --sversion SVERSION  Version of Systemd to be used
  --output OUTPUT      Where to flush the findings (default: stderr)
  --norootfs           Run only unit file related tests

Why should I use it?

Surely you can use systemd-analyze verify [unitname] to validate your units - no problem and it's the recommended way if you writing units for the system you are currently running on. Unfortunately systemd doesn't offer a validation which doesn't require an already running version of systemd you want to validate against.

This tool was initially created to check units in cross-compiled embedded images at build time, where you can't run a copy of systemd (as it's cross-compiled). As a consequence it doesn't use any systemd code and might interpret some settings differently than systemd itself - as with every linter take the outcomes as a basis for further analysis. Also keep in mind, that systemd does create a larger stack of runtime files, which are not taken into account by the tool - same for kernel related information like /dev, /sys or /proc entries.

Furthermore the tool gives you advice how your unit files could be hardened.

Installation

PyPi

simply run

pip3 install systemdlint

From source

  • Install the needed requirements by running pip3 install systemdunitparser anytree
  • git clone this repository
  • cd to <clone folder>/systemdlint
  • run sudo ./build.sh

Output

The tool will return

{file}:{line}:{severity} [{id}] - {message}

example:

/lib/systemd/system/console-shell.service:18:info [NoFailureCheck] - Return-code check is disabled. Errors are not reported
/lib/systemd/system/plymouth-halt.service:11:info [NoFailureCheck] - Return-code check is disabled. Errors are not reported
/lib/systemd/system/systemd-ask-password-console.service:12:warning [ReferencedUnitNotFound] - The Unit 'systemd-vconsole-setup.service' referenced was not found in filesystem
/lib/systemd/system/basic.target:19:warning [ReferencedUnitNotFound] - The Unit 'tmp.mount' referenced was not found in filesystem

Detectable Errors

  • ConflictingOptions - The set option somehow is in conflict with another unit
  • ErrorCyclicDependency - Unit creates a cyclic dependency
  • ExecNotFound - The referenced executable was not found on system
  • FullPrivileges - An executable is run with full privileges
  • InvalidNumericBase - A numeric value doesn't match because it needs to be a multiple of X
  • InvalidSetting - The option doesn't match the section
  • InvalidValue - An invalid value is set
  • MandatoryOptionMissing - A mandatory option was missing in the file
  • Multiplicity - The option is not valid for the given amount of options in this context
  • NoExecutable - The referenced executable is NOT executable
  • NoFailureCheck - An executable is run without checking for failures
  • OptionDeprecated - The used option is not available anymore in this version
  • OptionTooNew - The used option will be available in a later version than used
  • ReferencedUnitNotFound - The unit referenced was not found in system
  • Security.@clock - SystemCallFilter shouldn't contain @clock
  • Security.@cpu-emulation - SystemCallFilter shouldn't contain @cpu-emulation
  • Security.@debug - SystemCallFilter shouldn't contain @debug
  • Security.@module - SystemCallFilter shouldn't contain @module
  • Security.@mount - SystemCallFilter shouldn't contain @mount
  • Security.@obsolete - SystemCallFilter shouldn't contain @obsolete
  • Security.@privileged - SystemCallFilter shouldn't contain @privileged
  • Security.@raw-io - SystemCallFilter shouldn't contain @raw-io
  • Security.@reboot - SystemCallFilter shouldn't contain @reboot
  • Security.@resources - SystemCallFilter shouldn't contain @resources
  • Security.@swap - SystemCallFilter shouldn't contain @swap
  • Security.AF_INET - RestrictAddressFamilies shouldn't contain AF_INET
  • Security.AF_INET6 - RestrictAddressFamilies shouldn't contain AF_INET6
  • Security.AF_NETLINK - RestrictAddressFamilies shouldn't contain AF_NETLINK
  • Security.AF_PACKET - RestrictAddressFamilies shouldn't contain AF_PACKET
  • Security.AF_UNIX - RestrictAddressFamilies shouldn't contain AF_UNIX
  • Security.CAP_AUDIT_CONTROL - CapabilityBoundingSet shouldn't contain CAP_AUDIT_CONTROL
  • Security.CAP_AUDIT_READ - CapabilityBoundingSet shouldn't contain CAP_AUDIT_READ
  • Security.CAP_AUDIT_WRITE - CapabilityBoundingSet shouldn't contain CAP_AUDIT_WRITE
  • Security.CAP_BLOCK_SUSPEND - CapabilityBoundingSet shouldn't contain CAP_BLOCK_SUSPEND
  • Security.CAP_CHOWN - CapabilityBoundingSet shouldn't contain CAP_CHOWN
  • Security.CAP_DAC_OVERRIDE - CapabilityBoundingSet shouldn't contain CAP_DAC_OVERRIDE
  • Security.CAP_DAC_READ_SEARCH - CapabilityBoundingSet shouldn't contain CAP_DAC_READ_SEARCH
  • Security.CAP_FOWNER - CapabilityBoundingSet shouldn't contain CAP_FOWNER
  • Security.CAP_FSETID - CapabilityBoundingSet shouldn't contain CAP_FSETID
  • Security.CAP_IPC_LOCK - CapabilityBoundingSet shouldn't contain CAP_IPC_LOCK
  • Security.CAP_IPC_OWNER - CapabilityBoundingSet shouldn't contain CAP_IPC_OWNER
  • Security.CAP_KILL - CapabilityBoundingSet shouldn't contain CAP_KILL
  • Security.CAP_LEASE - CapabilityBoundingSet shouldn't contain CAP_LEASE
  • Security.CAP_LINUX_IMMUTABLE - CapabilityBoundingSet shouldn't contain CAP_LINUX_IMMUTABLE
  • Security.CAP_MAC_ADMIN - CapabilityBoundingSet shouldn't contain CAP_MAC_ADMIN
  • Security.CAP_MAC_OVERRIDE - CapabilityBoundingSet shouldn't contain CAP_MAC_OVERRIDE
  • Security.CAP_MKNOD - CapabilityBoundingSet shouldn't contain CAP_MKNOD
  • Security.CAP_NET_ADMIN - CapabilityBoundingSet shouldn't contain CAP_NET_ADMIN
  • Security.CAP_NET_BIND_SERVICE - CapabilityBoundingSet shouldn't contain CAP_NET_BIND_SERVICE
  • Security.CAP_NET_BROADCAST - CapabilityBoundingSet shouldn't contain CAP_NET_BROADCAST
  • Security.CAP_NET_RAW - CapabilityBoundingSet shouldn't contain CAP_NET_RAW
  • Security.CAP_RAWIO - CapabilityBoundingSet shouldn't contain CAP_RAWIO
  • Security.CAP_SETFCAP - CapabilityBoundingSet shouldn't contain CAP_SETFCAP
  • Security.CAP_SETGID - CapabilityBoundingSet shouldn't contain CAP_SETGID
  • Security.CAP_SETPCAP - CapabilityBoundingSet shouldn't contain CAP_SETPCAP
  • Security.CAP_SETUID - CapabilityBoundingSet shouldn't contain CAP_SETUID
  • Security.CAP_SYS_ADMIN - CapabilityBoundingSet shouldn't contain CAP_SYS_ADMIN
  • Security.CAP_SYS_BOOT - CapabilityBoundingSet shouldn't contain CAP_SYS_BOOT
  • Security.CAP_SYS_CHROOT - CapabilityBoundingSet shouldn't contain CAP_SYS_CHROOT
  • Security.CAP_SYS_MODULE - CapabilityBoundingSet shouldn't contain CAP_SYS_MODULE
  • Security.CAP_SYS_NICE - CapabilityBoundingSet shouldn't contain CAP_SYS_NICE
  • Security.CAP_SYS_PACCT - CapabilityBoundingSet shouldn't contain CAP_SYS_PACCT
  • Security.CAP_SYS_PTRACE - CapabilityBoundingSet shouldn't contain CAP_SYS_PTRACE
  • Security.CAP_SYS_RESOURCE - CapabilityBoundingSet shouldn't contain CAP_SYS_RESOURCE
  • Security.CAP_SYS_TIME - CapabilityBoundingSet shouldn't contain CAP_SYS_TIME
  • Security.CAP_SYS_TTY_CONFIG - CapabilityBoundingSet shouldn't contain CAP_SYS_TTY_CONFIG
  • Security.CAP_SYSLOG - CapabilityBoundingSet shouldn't contain CAP_SYSLOG
  • Security.CAP_WAKE_ALARM - CapabilityBoundingSet shouldn't contain CAP_WAKE_ALARM
  • Security.CLONE_NEWCGROUP - RestrictNamespaces shouldn't contain CLONE_NEWCGROUP
  • Security.CLONE_NEWIPC - RestrictNamespaces shouldn't contain CLONE_NEWIPC
  • Security.CLONE_NEWNET - RestrictNamespaces shouldn't contain CLONE_NEWNET
  • Security.CLONE_NEWNS - RestrictNamespaces shouldn't contain CLONE_NEWNS
  • Security.CLONE_NEWPID - RestrictNamespaces shouldn't contain CLONE_NEWPID
  • Security.CLONE_NEWUSER - RestrictNamespaces shouldn't contain CLONE_NEWUSER
  • Security.CLONE_NEWUTS - RestrictNamespaces shouldn't contain CLONE_NEWUTS
  • Security.Delegate - Delegate shall be set to yes
  • Security.DevicePolicy - DevicePolicy should be set to closed
  • Security.IPAddressDenyNA - IPAddressDeny shall be set
  • Security.KeyringModeNA - KeyringMode shall be set
  • Security.KeyringModeNPriv - KeyringMode shall be set to private
  • Security.LockPersonality - LockPersonality shall be set to yes
  • Security.MemoryDenyWriteExecute - MemoryDenyWriteExecute shall be set to yes
  • Security.NoNewPrivileges - NoNewPrivileges shall be set to yes
  • Security.NotifyAccess - NotifyAccess=all should be avoided
  • Security.NoUser - No user is set for the service
  • Security.PrivateDevices - PrivateDevices shall be set to yes
  • Security.PrivateMounts - PrivateMounts shall be set to yes
  • Security.PrivateNetwork - PrivateNetwork shall be set to yes
  • Security.PrivateTmp - PrivateTmp shall be set to yes
  • Security.PrivateUsers - PrivateUsers shall be set to yes
  • Security.ProtectClock - ProtectClock shall be set to yes
  • Security.ProtectControlGroups - ProtectControlGroups shall be set to yes
  • Security.ProtectHomeNA - ProtectHome shall be set
  • Security.ProtectHomeOff - ProtectHome shall be set to yes
  • Security.ProtectHostname - ProtectHostname shall be set to yes
  • Security.ProtectKernelLogs - ProtectKernelLogs shall be set to yes
  • Security.ProtectKernelModules - ProtectKernelModules shall be set to yes
  • Security.ProtectKernelTunables - ProtectKernelTunables shall be set to yes
  • Security.ProtectSystemNA - ProtectSystem shall be set
  • Security.ProtectSystemNStrict - ProtectSystem shall be set to strict
  • Security.RemoveIPC - RemoveIPC should be activated
  • Security.RestrictRealtime - RestrictRealtime shall be set to yes
  • Security.RestrictSUIDSGID - RestrictSUIDSGID shall be set to yes
  • Security.RootDirectory - RootDirectory or RootImage shall be set to a non-root path
  • Security.SupplementaryGroups - SupplementaryGroups shall be avoided
  • Security.SystemCallArchitecturesMult - SystemCallArchitectures shouldn't be set for multiple archs
  • Security.SystemCallArchitecturesNA - SystemCallArchitectures shall be set
  • Security.UMaskGR - Files created by service are group-readbale
  • Security.UMaskGW - Files created by service are group-writeable
  • Security.UMaskOR - Files created by service are world-readbale
  • Security.UMaskOW - Files created by service are world-writeable
  • Security.UserNobody - User nobody is set for the service
  • Security.UserRoot - User root is set for the service
  • SettingRequires - The option requires another option to be set
  • SettingRestricted - The option can't be set due to another option
  • SyntaxError - The file is not parsable
  • UnitSectionMissing - The Unit-section is missing in the file
  • UnknownUnitType - The file extension of the file is not a known systemd one
  • WrongFileMask - The file has a risky filemode set

vscode extension

Find the extension in the marketplace, or search for systemdlint-vscode

Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].