A user on Ask Fedora was wondering about the results of the
`lynis audit system` command. This is a pretty nifty tool, really, with a
lot of hardening information -- but also, easy to misinterpret.

In particular, it runs `systemd-analyze security`, which reports a lot of
services as UNSAFE (in red, with a panic emoji even!) or EXPOSED (yellow,
sad face).

That reminds me of https://pagure.io/fesco/issue/1663 from four years ago or
so, which led to https://docs.fedoraproject.org/en-US/packaging-guidelines/Systemd/#private

But maybe that's not as strong as it should be? On my current desktop
system, only services that are part of systemd itself and upower are marked
as "OK" (green, smiley). A few others (rtkit) make it up to "MEDIUM" (gray,
meh).

What do security folks here think? Would it be worthwhile to have an active
initiative to move more of these services closer to happy emoji symbols?
Is anyone interested in taking that on?

--
Matthew Miller
<mattdm(a)fedoraproject.org>
Fedora Project Leader
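
Added example, not part of the original message: a small shell triage of the `systemd-analyze security` table that lists the units at or above a chosen exposure score and counts units per rating, so hardening work can start with the worst-rated services. The sample table is constructed (the `example-*` unit names and every score are made up), and the 7.5 threshold is an arbitrary choice for the demonstration.

```shell
#!/bin/sh
# Added example: triage `systemd-analyze security` output by rating.

# Constructed sample in the tool's table layout (UNIT EXPOSURE PREDICATE HAPPY).
# The "example-*" unit names and all scores below are made up for illustration.
sample_output() {
cat <<'EOF'
UNIT                       EXPOSURE PREDICATE HAPPY
example-daemon.service          9.6 UNSAFE    😨
example-net.service             7.8 EXPOSED   🙁
rtkit-daemon.service            7.1 MEDIUM    😐
upower.service                  2.4 OK        🙂
systemd-journald.service        4.3 OK        🙂
EOF
}

# worst_units MIN: read the table on stdin and print "score rating unit" for
# every unit whose exposure score is >= MIN, highest score first.
worst_units() {
    awk -v min="$1" '
        # Only rows whose second column is a number are unit rows;
        # this skips the header and any blank or footer lines.
        $2 ~ /^[0-9]+(\.[0-9]+)?$/ && $2 + 0 >= min + 0 { print $2, $3, $1 }
    ' | LC_ALL=C sort -rn
}

# count_by_rating: read the table on stdin and print "rating count" per rating.
count_by_rating() {
    awk '
        $2 ~ /^[0-9]+(\.[0-9]+)?$/ { n[$3]++ }
        END { for (r in n) print r, n[r] }
    ' | LC_ALL=C sort
}

# On a real system, feed the live table instead of the sample:
#   systemd-analyze security --no-pager | worst_units 7.5
sample_output | worst_units 7.5
sample_output | count_by_rating
```

The score is a measure of how many sandboxing options a unit leaves unused, so a high-scoring unit is a candidate for review rather than a confirmed weakness.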