{"id":13501580,"url":"https://github.com/priv-kweihmann/systemdlint","last_synced_at":"2025-04-07T17:08:30.572Z","repository":{"id":57472986,"uuid":"182244386","full_name":"priv-kweihmann/systemdlint","owner":"priv-kweihmann","description":"Systemd Linter","archived":false,"fork":false,"pushed_at":"2024-10-24T12:28:38.000Z","size":2200,"stargazers_count":32,"open_issues_count":9,"forks_count":7,"subscribers_count":2,"default_branch":"master","last_synced_at":"2024-10-25T07:29:04.462Z","etag":null,"topics":["qatools","static-code-analysis","systemd"],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"bsd-2-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/priv-kweihmann.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-04-19T10:01:24.000Z","updated_at":"2024-10-24T12:26:09.000Z","dependencies_parsed_at":"2024-10-24T17:28:29.956Z","dependency_job_id":null,"html_url":"https://github.com/priv-kweihmann/systemdlint","commit_stats":{"total_commits":102,"total_committers":2,"mean_commits":51.0,"dds":0.02941176470588236,"last_synced_commit":"d9909d2e2d970599bb2015e2a667d4debf063384"},"previous_names":[],"tags_count":28,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/priv-kweihmann%2Fsystemdlint","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/priv-kweihmann%2Fsystemdlint/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/priv-kweihmann%2Fsystemdlint/releases","manifests_url":"https://repos.ecosyste.ms/a
pi/v1/hosts/GitHub/repositories/priv-kweihmann%2Fsystemdlint/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/priv-kweihmann","download_url":"https://codeload.github.com/priv-kweihmann/systemdlint/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247694876,"owners_count":20980733,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["qatools","static-code-analysis","systemd"],"created_at":"2024-07-31T22:01:42.274Z","updated_at":"2025-04-07T17:08:28.734Z","avatar_url":"https://github.com/priv-kweihmann.png","language":"Python","funding_links":[],"categories":["Python"],"sub_categories":[],"readme":"# systemdlint\n\n![Build status](https://github.com/priv-kweihmann/systemdlint/workflows/Build/badge.svg)\n[![PyPI version](https://badge.fury.io/py/systemdlint.svg)](https://badge.fury.io/py/systemdlint)\n[![Python version](https://img.shields.io/pypi/pyversions/systemdlint)](https://img.shields.io/pypi/pyversions/systemdlint)\n[![Downloads](https://img.shields.io/pypi/dm/systemdlint)](https://img.shields.io/pypi/dm/systemdlint)\n\nSystemd Unitfile Linter\n\n## Usage\n\n```sh\nusage: systemdlint [-h] [--nodropins] [--rootpath ROOTPATH] [--sversion SVERSION] [--output OUTPUT] [--norootfs] files [files ...]\n\nSystemd Unitfile Linter\n\npositional arguments:\n  files                Files to parse\n\noptional arguments:\n  -h, --help           show this help message and exit\n  --nodropins          Ignore Drop-Ins for parsing\n  --rootpath ROOTPATH  Root path\n  --sversion SVERSION  Version of 
Systemd to be used\n  --output OUTPUT      Where to flush the findings (default: stderr)\n  --norootfs           Run only unit file related tests\n```\n\n## Why should I use it?\n\nSurely you can use `systemd-analyze verify [unitname]` to validate your units - no problem and it's\nthe recommended way if you are writing units for the system you are currently running on.\nUnfortunately systemd doesn't offer a validation that doesn't require an already running version of\nsystemd you want to validate against.\n\nThis tool was initially created to check units in cross-compiled embedded images at build time,\nwhere you can't run a copy of systemd (as it's cross-compiled).\nAs a consequence it doesn't use any systemd code and might interpret some settings differently than\nsystemd itself - as with every linter, take the outcomes as a basis for further analysis.\nAlso keep in mind that systemd does create a larger stack of runtime files, which are not\ntaken into account by the tool - same for kernel related information like /dev, /sys or /proc\nentries.\n\nFurthermore the tool gives you advice on how your unit files could be hardened.\n\n## Installation\n\n### PyPI\n\nSimply run\n\n```sh\npip3 install systemdlint\n```\n\n### From source\n\n* Install the needed requirements by running ```pip3 install systemdunitparser anytree```\n* git clone this repository\n* cd to \\\u003cclone folder\\\u003e/systemdlint\n* run ```sudo ./build.sh```\n\n## Output\n\nThe tool will return\n\n```sh\n{file}:{line}:{severity} [{id}] - {message}\n```\n\nexample:\n\n```sh\n/lib/systemd/system/console-shell.service:18:info [NoFailureCheck] - Return-code check is disabled. Errors are not reported\n/lib/systemd/system/plymouth-halt.service:11:info [NoFailureCheck] - Return-code check is disabled. 
Errors are not reported\n/lib/systemd/system/systemd-ask-password-console.service:12:warning [ReferencedUnitNotFound] - The Unit 'systemd-vconsole-setup.service' referenced was not found in filesystem\n/lib/systemd/system/basic.target:19:warning [ReferencedUnitNotFound] - The Unit 'tmp.mount' referenced was not found in filesystem\n```\n\nThe output format is configurable with `--messageformat`, for example:\n\n```sh\nsystemdlint --messageformat='{path}:{line}:{severity}:{msg}' ...\n```\n\n## Detectable Errors\n\n* ConflictingOptions - The set option somehow is in conflict with another unit\n* ErrorCyclicDependency - Unit creates a cyclic dependency\n* ExecNotFound - The referenced executable was not found on system\n* FullPrivileges - An executable is run with full privileges\n* InvalidNumericBase - A numeric value doesn't match because it needs to be a multiple of X\n* InvalidSetting - The option doesn't match the section\n* InvalidValue - An invalid value is set\n* MandatoryOptionMissing - A mandatory option was missing in the file\n* Multiplicity - The option is not valid for the given amount of options in this context\n* NoExecutable - The referenced executable is NOT executable\n* NoFailureCheck - An executable is run without checking for failures\n* OptionDeprecated - The used option is not available anymore in this version\n* OptionTooNew - The used option will be available in a later version than used\n* ReferencedUnitNotFound - The unit referenced was not found in system\n* Security.@clock - SystemCallFilter shouldn't contain @clock \n* Security.@cpu-emulation - SystemCallFilter shouldn't contain @cpu-emulation \n* Security.@debug - SystemCallFilter shouldn't contain @debug \n* Security.@module - SystemCallFilter shouldn't contain @module \n* Security.@mount - SystemCallFilter shouldn't contain @mount \n* Security.@obsolete - SystemCallFilter shouldn't contain @obsolete\n* Security.@privileged - SystemCallFilter shouldn't contain @privileged \n* 
Security.@raw-io - SystemCallFilter shouldn't contain @raw-io \n* Security.@reboot - SystemCallFilter shouldn't contain @reboot \n* Security.@resources - SystemCallFilter shouldn't contain @resources \n* Security.@swap - SystemCallFilter shouldn't contain @swap\n* Security.AF_INET - RestrictAddressFamilies shouldn't contain AF_INET \n* Security.AF_INET6 - RestrictAddressFamilies shouldn't contain AF_INET6 \n* Security.AF_NETLINK - RestrictAddressFamilies shouldn't contain AF_NETLINK \n* Security.AF_PACKET - RestrictAddressFamilies shouldn't contain AF_PACKET \n* Security.AF_UNIX - RestrictAddressFamilies shouldn't contain AF_UNIX\n* Security.CAP_AUDIT_CONTROL - CapabilityBoundingSet shouldn't contain CAP_AUDIT_CONTROL \n* Security.CAP_AUDIT_READ - CapabilityBoundingSet shouldn't contain CAP_AUDIT_READ \n* Security.CAP_AUDIT_WRITE - CapabilityBoundingSet shouldn't contain CAP_AUDIT_WRITE \n* Security.CAP_BLOCK_SUSPEND - CapabilityBoundingSet shouldn't contain CAP_BLOCK_SUSPEND\n* Security.CAP_CHOWN - CapabilityBoundingSet shouldn't contain CAP_CHOWN \n* Security.CAP_DAC_OVERRIDE - CapabilityBoundingSet shouldn't contain CAP_DAC_OVERRIDE \n* Security.CAP_DAC_READ_SEARCH - CapabilityBoundingSet shouldn't contain CAP_DAC_READ_SEARCH \n* Security.CAP_FOWNER - CapabilityBoundingSet shouldn't contain CAP_FOWNER\n* Security.CAP_FSETID - CapabilityBoundingSet shouldn't contain CAP_FSETID \n* Security.CAP_IPC_LOCK - CapabilityBoundingSet shouldn't contain CAP_IPC_LOCK \n* Security.CAP_IPC_OWNER - CapabilityBoundingSet shouldn't contain CAP_IPC_OWNER \n* Security.CAP_KILL - CapabilityBoundingSet shouldn't contain CAP_KILL \n* Security.CAP_LEASE - CapabilityBoundingSet shouldn't contain CAP_LEASE\n* Security.CAP_LINUX_IMMUTABLE - CapabilityBoundingSet shouldn't contain CAP_LINUX_IMMUTABLE \n* Security.CAP_MAC_ADMIN - CapabilityBoundingSet shouldn't contain CAP_MAC_ADMIN \n* Security.CAP_MAC_OVERRIDE - CapabilityBoundingSet shouldn't contain CAP_MAC_OVERRIDE \n* 
Security.CAP_MKNOD - CapabilityBoundingSet shouldn't contain CAP_MKNOD\n* Security.CAP_NET_ADMIN - CapabilityBoundingSet shouldn't contain CAP_NET_ADMIN \n* Security.CAP_NET_BIND_SERVICE - CapabilityBoundingSet shouldn't contain CAP_NET_BIND_SERVICE \n* Security.CAP_NET_BROADCAST - CapabilityBoundingSet shouldn't contain CAP_NET_BROADCAST \n* Security.CAP_NET_RAW - CapabilityBoundingSet shouldn't contain CAP_NET_RAW\n* Security.CAP_RAWIO - CapabilityBoundingSet shouldn't contain CAP_RAWIO \n* Security.CAP_SETFCAP - CapabilityBoundingSet shouldn't contain CAP_SETFCAP \n* Security.CAP_SETGID - CapabilityBoundingSet shouldn't contain CAP_SETGID \n* Security.CAP_SETPCAP - CapabilityBoundingSet shouldn't contain CAP_SETPCAP \n* Security.CAP_SETUID - CapabilityBoundingSet shouldn't contain CAP_SETUID\n* Security.CAP_SYS_ADMIN - CapabilityBoundingSet shouldn't contain CAP_SYS_ADMIN \n* Security.CAP_SYS_BOOT - CapabilityBoundingSet shouldn't contain CAP_SYS_BOOT \n* Security.CAP_SYS_CHROOT - CapabilityBoundingSet shouldn't contain CAP_SYS_CHROOT \n* Security.CAP_SYS_MODULE - CapabilityBoundingSet shouldn't contain CAP_SYS_MODULE\n* Security.CAP_SYS_NICE - CapabilityBoundingSet shouldn't contain CAP_SYS_NICE \n* Security.CAP_SYS_PACCT - CapabilityBoundingSet shouldn't contain CAP_SYS_PACCT \n* Security.CAP_SYS_PTRACE - CapabilityBoundingSet shouldn't contain CAP_SYS_PTRACE \n* Security.CAP_SYS_RESOURCE - CapabilityBoundingSet shouldn't contain CAP_SYS_RESOURCE\n* Security.CAP_SYS_TIME - CapabilityBoundingSet shouldn't contain CAP_SYS_TIME \n* Security.CAP_SYS_TTY_CONFIG - CapabilityBoundingSet shouldn't contain CAP_SYS_TTY_CONFIG \n* Security.CAP_SYSLOG - CapabilityBoundingSet shouldn't contain CAP_SYSLOG \n* Security.CAP_WAKE_ALARM - CapabilityBoundingSet shouldn't contain CAP_WAKE_ALARM\n* Security.CLONE_NEWCGROUP - RestrictNamespaces shouldn't contain CLONE_NEWCGROUP \n* Security.CLONE_NEWIPC - RestrictNamespaces shouldn't contain CLONE_NEWIPC \n* Security.CLONE_NEWNET - 
RestrictNamespaces shouldn't contain CLONE_NEWNET \n* Security.CLONE_NEWNS - RestrictNamespaces shouldn't contain CLONE_NEWNS\n* Security.CLONE_NEWPID - RestrictNamespaces shouldn't contain CLONE_NEWPID \n* Security.CLONE_NEWUSER - RestrictNamespaces shouldn't contain CLONE_NEWUSER \n* Security.CLONE_NEWUTS - RestrictNamespaces shouldn't contain CLONE_NEWUTS\n* Security.Delegate - Delegate shall be set to yes \n* Security.DevicePolicy - DevicePolicy should be set to closed\n* Security.IPAddressDenyNA - IPAddressDeny shall be set\n* Security.KeyringModeNA - KeyringMode shall be set\n* Security.KeyringModeNPriv - KeyringMode shall be set to private\n* Security.LockPersonality - LockPersonality shall be set to yes \n* Security.MemoryDenyWriteExecute - MemoryDenyWriteExecute shall be set to yes \n* Security.NoNewPrivileges - NoNewPrivileges shall be set to yes\n* Security.NotifyAccess - NotifyAccess=all should be avoided\n* Security.NoUser - No user is set for the service\n* Security.PrivateDevices - PrivateDevices shall be set to yes \n* Security.PrivateMounts - PrivateMounts shall be set to yes \n* Security.PrivateNetwork - PrivateNetwork shall be set to yes \n* Security.PrivateTmp - PrivateTmp shall be set to yes\n* Security.PrivateUsers - PrivateUsers shall be set to yes \n* Security.ProtectClock - ProtectClock shall be set to yes \n* Security.ProtectControlGroups - ProtectControlGroups shall be set to yes \n* Security.ProtectHomeNA - ProtectHome shall be set\n* Security.ProtectHomeOff - ProtectHome shall be set to yes\n* Security.ProtectHostname - ProtectHostname shall be set to yes\n* Security.ProtectKernelLogs - ProtectKernelLogs shall be set to yes \n* Security.ProtectKernelModules - ProtectKernelModules shall be set to yes \n* Security.ProtectKernelTunables - ProtectKernelTunables shall be set to yes\n* Security.ProtectSystemNA - ProtectSystem shall be set\n* Security.ProtectSystemNStrict - ProtectSystem shall be set to strict\n* Security.RemoveIPC - RemoveIPC 
should be activated\n* Security.RestrictRealtime - RestrictRealtime shall be set to yes \n* Security.RestrictSUIDSGID - RestrictSUIDSGID shall be set to yes\n* Security.RootDirectory - RootDirectory or RootImage shall be set to a non-root path\n* Security.SupplementaryGroups - SupplementaryGroups shall be avoided\n* Security.SystemCallArchitecturesMult - SystemCallArchitectures shouldn't be set for multiple archs\n* Security.SystemCallArchitecturesNA - SystemCallArchitectures shall be set\n* Security.UMaskGR - Files created by service are group-readable\n* Security.UMaskGW - Files created by service are group-writeable\n* Security.UMaskOR - Files created by service are world-readable\n* Security.UMaskOW - Files created by service are world-writeable\n* Security.UserNobody - User nobody is set for the service\n* Security.UserRoot - User root is set for the service\n* SettingRequires - The option requires another option to be set\n* SettingRestricted - The option can't be set due to another option\n* SyntaxError - The file is not parsable\n* UnitSectionMissing - The Unit-section is missing in the file\n* UnknownUnitType - The file extension of the file is not a known systemd one\n* WrongFileMask - The file has a risky filemode set\n\n## vscode extension\n\nFind the extension in the [marketplace](https://marketplace.visualstudio.com/items?itemName=kweihmann.systemdlint-vscode), or search for `systemdlint-vscode`\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpriv-kweihmann%2Fsystemdlint","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fpriv-kweihmann%2Fsystemdlint","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpriv-kweihmann%2Fsystemdlint/lists"}