Systemd Unitfile Linter
usage: systemdlint [-h] [--nodropins] [--rootpath ROOTPATH] [--sversion SVERSION] [--output OUTPUT] [--norootfs] files [files ...]
Systemd Unitfile Linter
positional arguments:
files Files to parse
optional arguments:
-h, --help show this help message and exit
--nodropins Ignore Drop-Ins for parsing
--rootpath ROOTPATH Root path
--sversion SVERSION Version of Systemd to be used
--output OUTPUT Where to flush the findings (default: stderr)
--norootfs Run only unit file related tests
Surely you can use systemd-analyze verify [unitname]
to validate your units - no problem and it's
the recommended way if you writing units for the system you are currently running on.
Unfortunately systemd doesn't offer a validation which doesn't require an already running version of
systemd you want to validate against.
This tool was initially created to check units in cross-compiled embedded images at build time, where you can't run a copy of systemd (as it's cross-compiled). As a consequence it doesn't use any systemd code and might interpret some settings differently than systemd itself - as with every linter take the outcomes as a basis for further analysis. Also keep in mind, that systemd does create a larger stack of runtime files, which are not taken into account by the tool - same for kernel related information like /dev, /sys or /proc entries.
Furthermore the tool gives you advice how your unit files could be hardened.
simply run
pip3 install systemdlint
- Install the needed requirements by running
pip3 install systemdunitparser anytree
- git clone this repository
- cd to <clone folder>/systemdlint
- run
sudo ./build.sh
The tool will return
{file}:{line}:{severity} [{id}] - {message}
example:
/lib/systemd/system/console-shell.service:18:info [NoFailureCheck] - Return-code check is disabled. Errors are not reported
/lib/systemd/system/plymouth-halt.service:11:info [NoFailureCheck] - Return-code check is disabled. Errors are not reported
/lib/systemd/system/systemd-ask-password-console.service:12:warning [ReferencedUnitNotFound] - The Unit 'systemd-vconsole-setup.service' referenced was not found in filesystem
/lib/systemd/system/basic.target:19:warning [ReferencedUnitNotFound] - The Unit 'tmp.mount' referenced was not found in filesystem
The output format is configurable with --messageformat
, for example:
systemdlint --messageformat='{path}:{line}:{severity}:{msg}' ...
- ConflictingOptions - The set option somehow is in conflict with another unit
- ErrorCyclicDependency - Unit creates a cyclic dependency
- ExecNotFound - The referenced executable was not found on system
- FullPrivileges - An executable is run with full privileges
- InvalidNumericBase - A numeric value doesn't match because it needs to be a multiple of X
- InvalidSetting - The option doesn't match the section
- InvalidValue - An invalid value is set
- MandatoryOptionMissing - A mandatory option was missing in the file
- Multiplicity - The option is not valid for the given amount of options in this context
- NoExecutable - The referenced executable is NOT executable
- NoFailureCheck - An executable is run without checking for failures
- OptionDeprecated - The used option is not available anymore in this version
- OptionTooNew - The used option will be available in a later version than used
- ReferencedUnitNotFound - The unit referenced was not found in system
- Security.@clock - SystemCallFilter shouldn't contain @clock
- Security.@cpu-emulation - SystemCallFilter shouldn't contain @cpu-emulation
- Security.@debug - SystemCallFilter shouldn't contain @debug
- Security.@module - SystemCallFilter shouldn't contain @module
- Security.@mount - SystemCallFilter shouldn't contain @mount
- Security.@obsolete - SystemCallFilter shouldn't contain @obsolete
- Security.@privileged - SystemCallFilter shouldn't contain @privileged
- Security.@raw-io - SystemCallFilter shouldn't contain @raw-io
- Security.@reboot - SystemCallFilter shouldn't contain @reboot
- Security.@resources - SystemCallFilter shouldn't contain @resources
- Security.@swap - SystemCallFilter shouldn't contain @swap
- Security.AF_INET - RestrictAddressFamilies shouldn't contain AF_INET
- Security.AF_INET6 - RestrictAddressFamilies shouldn't contain AF_INET6
- Security.AF_NETLINK - RestrictAddressFamilies shouldn't contain AF_NETLINK
- Security.AF_PACKET - RestrictAddressFamilies shouldn't contain AF_PACKET
- Security.AF_UNIX - RestrictAddressFamilies shouldn't contain AF_UNIX
- Security.CAP_AUDIT_CONTROL - CapabilityBoundingSet shouldn't contain CAP_AUDIT_CONTROL
- Security.CAP_AUDIT_READ - CapabilityBoundingSet shouldn't contain CAP_AUDIT_READ
- Security.CAP_AUDIT_WRITE - CapabilityBoundingSet shouldn't contain CAP_AUDIT_WRITE
- Security.CAP_BLOCK_SUSPEND - CapabilityBoundingSet shouldn't contain CAP_BLOCK_SUSPEND
- Security.CAP_CHOWN - CapabilityBoundingSet shouldn't contain CAP_CHOWN
- Security.CAP_DAC_OVERRIDE - CapabilityBoundingSet shouldn't contain CAP_DAC_OVERRIDE
- Security.CAP_DAC_READ_SEARCH - CapabilityBoundingSet shouldn't contain CAP_DAC_READ_SEARCH
- Security.CAP_FOWNER - CapabilityBoundingSet shouldn't contain CAP_FOWNER
- Security.CAP_FSETID - CapabilityBoundingSet shouldn't contain CAP_FSETID
- Security.CAP_IPC_LOCK - CapabilityBoundingSet shouldn't contain CAP_IPC_LOCK
- Security.CAP_IPC_OWNER - CapabilityBoundingSet shouldn't contain CAP_IPC_OWNER
- Security.CAP_KILL - CapabilityBoundingSet shouldn't contain CAP_KILL
- Security.CAP_LEASE - CapabilityBoundingSet shouldn't contain CAP_LEASE
- Security.CAP_LINUX_IMMUTABLE - CapabilityBoundingSet shouldn't contain CAP_LINUX_IMMUTABLE
- Security.CAP_MAC_ADMIN - CapabilityBoundingSet shouldn't contain CAP_MAC_ADMIN
- Security.CAP_MAC_OVERRIDE - CapabilityBoundingSet shouldn't contain CAP_MAC_OVERRIDE
- Security.CAP_MKNOD - CapabilityBoundingSet shouldn't contain CAP_MKNOD
- Security.CAP_NET_ADMIN - CapabilityBoundingSet shouldn't contain CAP_NET_ADMIN
- Security.CAP_NET_BIND_SERVICE - CapabilityBoundingSet shouldn't contain CAP_NET_BIND_SERVICE
- Security.CAP_NET_BROADCAST - CapabilityBoundingSet shouldn't contain CAP_NET_BROADCAST
- Security.CAP_NET_RAW - CapabilityBoundingSet shouldn't contain CAP_NET_RAW
- Security.CAP_RAWIO - CapabilityBoundingSet shouldn't contain CAP_RAWIO
- Security.CAP_SETFCAP - CapabilityBoundingSet shouldn't contain CAP_SETFCAP
- Security.CAP_SETGID - CapabilityBoundingSet shouldn't contain CAP_SETGID
- Security.CAP_SETPCAP - CapabilityBoundingSet shouldn't contain CAP_SETPCAP
- Security.CAP_SETUID - CapabilityBoundingSet shouldn't contain CAP_SETUID
- Security.CAP_SYS_ADMIN - CapabilityBoundingSet shouldn't contain CAP_SYS_ADMIN
- Security.CAP_SYS_BOOT - CapabilityBoundingSet shouldn't contain CAP_SYS_BOOT
- Security.CAP_SYS_CHROOT - CapabilityBoundingSet shouldn't contain CAP_SYS_CHROOT
- Security.CAP_SYS_MODULE - CapabilityBoundingSet shouldn't contain CAP_SYS_MODULE
- Security.CAP_SYS_NICE - CapabilityBoundingSet shouldn't contain CAP_SYS_NICE
- Security.CAP_SYS_PACCT - CapabilityBoundingSet shouldn't contain CAP_SYS_PACCT
- Security.CAP_SYS_PTRACE - CapabilityBoundingSet shouldn't contain CAP_SYS_PTRACE
- Security.CAP_SYS_RESOURCE - CapabilityBoundingSet shouldn't contain CAP_SYS_RESOURCE
- Security.CAP_SYS_TIME - CapabilityBoundingSet shouldn't contain CAP_SYS_TIME
- Security.CAP_SYS_TTY_CONFIG - CapabilityBoundingSet shouldn't contain CAP_SYS_TTY_CONFIG
- Security.CAP_SYSLOG - CapabilityBoundingSet shouldn't contain CAP_SYSLOG
- Security.CAP_WAKE_ALARM - CapabilityBoundingSet shouldn't contain CAP_WAKE_ALARM
- Security.CLONE_NEWCGROUP - RestrictNamespaces shouldn't contain CLONE_NEWCGROUP
- Security.CLONE_NEWIPC - RestrictNamespaces shouldn't contain CLONE_NEWIPC
- Security.CLONE_NEWNET - RestrictNamespaces shouldn't contain CLONE_NEWNET
- Security.CLONE_NEWNS - RestrictNamespaces shouldn't contain CLONE_NEWNS
- Security.CLONE_NEWPID - RestrictNamespaces shouldn't contain CLONE_NEWPID
- Security.CLONE_NEWUSER - RestrictNamespaces shouldn't contain CLONE_NEWUSER
- Security.CLONE_NEWUTS - RestrictNamespaces shouldn't contain CLONE_NEWUTS
- Security.Delegate - Delegate shall be set to yes
- Security.DevicePolicy - DevicePolicy should be set to closed
- Security.IPAddressDenyNA - IPAddressDeny shall be set
- Security.KeyringModeNA - KeyringMode shall be set
- Security.KeyringModeNPriv - KeyringMode shall be set to private
- Security.LockPersonality - LockPersonality shall be set to yes
- Security.MemoryDenyWriteExecute - MemoryDenyWriteExecute shall be set to yes
- Security.NoNewPrivileges - NoNewPrivileges shall be set to yes
- Security.NotifyAccess - NotifyAccess=all should be avoided
- Security.NoUser - No user is set for the service
- Security.PrivateDevices - PrivateDevices shall be set to yes
- Security.PrivateMounts - PrivateMounts shall be set to yes
- Security.PrivateNetwork - PrivateNetwork shall be set to yes
- Security.PrivateTmp - PrivateTmp shall be set to yes
- Security.PrivateUsers - PrivateUsers shall be set to yes
- Security.ProtectClock - ProtectClock shall be set to yes
- Security.ProtectControlGroups - ProtectControlGroups shall be set to yes
- Security.ProtectHomeNA - ProtectHome shall be set
- Security.ProtectHomeOff - ProtectHome shall be set to yes
- Security.ProtectHostname - ProtectHostname shall be set to yes
- Security.ProtectKernelLogs - ProtectKernelLogs shall be set to yes
- Security.ProtectKernelModules - ProtectKernelModules shall be set to yes
- Security.ProtectKernelTunables - ProtectKernelTunables shall be set to yes
- Security.ProtectSystemNA - ProtectSystem shall be set
- Security.ProtectSystemNStrict - ProtectSystem shall be set to strict
- Security.RemoveIPC - RemoveIPC should be activated
- Security.RestrictRealtime - RestrictRealtime shall be set to yes
- Security.RestrictSUIDSGID - RestrictSUIDSGID shall be set to yes
- Security.RootDirectory - RootDirectory or RootImage shall be set to a non-root path
- Security.SupplementaryGroups - SupplementaryGroups shall be avoided
- Security.SystemCallArchitecturesMult - SystemCallArchitectures shouldn't be set for multiple archs
- Security.SystemCallArchitecturesNA - SystemCallArchitectures shall be set
- Security.UMaskGR - Files created by service are group-readbale
- Security.UMaskGW - Files created by service are group-writeable
- Security.UMaskOR - Files created by service are world-readbale
- Security.UMaskOW - Files created by service are world-writeable
- Security.UserNobody - User nobody is set for the service
- Security.UserRoot - User root is set for the service
- SettingRequires - The option requires another option to be set
- SettingRestricted - The option can't be set due to another option
- SyntaxError - The file is not parsable
- UnitSectionMissing - The Unit-section is missing in the file
- UnknownUnitType - The file extension of the file is not a known systemd one
- WrongFileMask - The file has a risky filemode set
Find the extension in the marketplace, or search for systemdlint-vscode