The command:
systemd-analyze security
shows many .service files on my computer with an exposure of 9+ and an ‘unsafe’ rating. Here’s an example from a Tumbleweed VM, installed in as ‘stock’ a configuration as possible:
$ systemd-analyze security
UNIT EXPOSURE PREDICATE HAPPY
ModemManager.service 5.8 MEDIUM ������
NetworkManager.service 8.0 EXPOSED ������
after-local.service 9.6 UNSAFE ������
alsa-state.service 9.6 UNSAFE ������
auditd.service 9.5 UNSAFE ������
avahi-daemon.service 9.6 UNSAFE ������
btrfs-balance.service 9.6 UNSAFE ������
btrfs-defrag.service 9.6 UNSAFE ������
btrfs-scrub.service 9.6 UNSAFE ������
btrfs-trim.service 9.6 UNSAFE ������
chronyd.service 8.9 EXPOSED ������
cron.service 9.6 UNSAFE ������
cups.service 9.6 UNSAFE ������
dbus.service 9.6 UNSAFE ������
display-manager.service 9.6 UNSAFE ������
dm-event.service 9.5 UNSAFE ������
emergency.service 9.5 UNSAFE ������
firewalld.service 9.6 UNSAFE ������
getty@tty1.service 9.6 UNSAFE ������
getty@tty7.service 9.6 UNSAFE ������
gpm.service 9.6 UNSAFE ������
haveged.service 6.7 MEDIUM ������
irqbalance.service 6.1 MEDIUM ������
mariadb.service 6.4 MEDIUM ������
mcelog.service 9.6 UNSAFE ������
nscd.service 9.6 UNSAFE ������
pcscd.service 9.6 UNSAFE ������
plymouth-start.service 9.5 UNSAFE ������
polkit.service 9.6 UNSAFE ������
postfix.service 9.6 UNSAFE ������
rc-local.service 9.6 UNSAFE ������
rescue.service 9.5 UNSAFE ������
rtkit-daemon.service 7.0 MEDIUM ������
serial-getty@hvc0.service 9.6 UNSAFE ������
serial-getty@ttyAMA0.service 9.6 UNSAFE ������
serial-getty@ttyS0.service 9.6 UNSAFE ������
serial-getty@ttyS1.service 9.6 UNSAFE ������
serial-getty@ttyS2.service 9.6 UNSAFE ������
smartd.service 9.6 UNSAFE ������
systemd-ask-password-console.service 9.3 UNSAFE ������
systemd-ask-password-plymouth.service 9.5 UNSAFE ������
systemd-initctl.service 9.3 UNSAFE ������
systemd-journald.service 4.2 OK ������
systemd-logind.service 2.8 OK ������
systemd-rfkill.service 9.3 UNSAFE ������
systemd-timesyncd.service 2.1 OK ������
systemd-udevd.service 6.7 MEDIUM ������
udisks2.service 9.6 UNSAFE ������
upower.service 2.3 OK ������
user@1000.service 9.4 UNSAFE ������
vboxadd-service.service 9.6 UNSAFE ������
vgauthd.service 9.6 UNSAFE ������
vmblock-fuse.service 9.6 UNSAFE ������
vmtoolsd.service 9.5 UNSAFE ������
Digging online turned up some guides for tweaking .service file configuration; however, one guide warned that the tweaks introduce restrictions never intended for the OS, and have to be thoroughly tested before being left in place.
Do any of you more experienced Linux users restrict service files in this way? Do you think the effort is worthwhile for a non-networked, standalone computer that surfs the web and little else? Is it worth the effort to sandbox some .service files, and not others?
Thanks in advance for your feedback. I’ll proceed if the effort is worthwhile, but thought I should ask first.