Posted: . At: 9:01 AM. This was 3 years ago. Post ID: 15507


How to get good information about your Linux boot up easily.


Getting information about the boot process of a PC running Linux is easy with the tools that ship with systemd.

The systemd-analyze command prints the time that is taken by the operating system to reach a usable state. This would be better on a faster SSD. But I am still using an HDD.

┌──[jason@192.168.1.3][~]
└──╼  ╼ $ systemd-analyze
Startup finished in 5.216s (kernel) + 2min 26.089s (userspace) = 2min 31.305s 
graphical.target reached after 2min 26.031s in userspace

Use the systemd-analyze utility like this to generate an SVG plot of the actual bootup process. This shows everything that is run when your computer boots up.

┌──[jason@192.168.1.3][~]
└──╼  ╼ $ systemd-analyze plot > plot.svg

My bootup plot: https://securitronlinux.com/webp/plot.svg. This is an example of the output. This is a comprehensive layout of the whole system boot up.

To get security information about your Linux workstation, use the systemd-analyze security command. This prints an exposure score and rating for each service unit on your machine.

┌──[jason@192.168.1.3][~]
└──╼  ╼ $ systemd-analyze security
UNIT                                  EXPOSURE PREDICATE HAPPY
ModemManager.service                       5.8 MEDIUM    😐    
NetworkManager.service                     7.8 EXPOSED   🙁    
accounts-daemon.service                    9.6 UNSAFE    😨    
acpid.service                              9.6 UNSAFE    😨    
alsa-state.service                         9.6 UNSAFE    😨    
anacron.service                            9.6 UNSAFE    😨    
apache2.service                            9.2 UNSAFE    😨    
apport.service                             9.6 UNSAFE    😨    
auditd.service                             9.5 UNSAFE    😨    
avahi-daemon.service                       9.6 UNSAFE    😨    
blueman-mechanism.service                  9.6 UNSAFE    😨    
clamav-freshclam.service                   9.6 UNSAFE    😨    
colord.service                             8.8 EXPOSED   🙁    
cron.service                               9.6 UNSAFE    😨    
cups-browsed.service                       9.6 UNSAFE    😨    
cups.service                               9.6 UNSAFE    😨    

You can also print the individual checks for a single service.

┌──[jason@192.168.1.3][~]
└──╼  ╼ $ systemd-analyze security ssh
  NAME                                                        DESCRIPTION                                                             EXPOSURE
✗ PrivateNetwork=                                             Service has access to the host's network                                     0.5
✗ User=/DynamicUser=                                          Service runs as root user                                                    0.4
✗ CapabilityBoundingSet=~CAP_SET(UID|GID|PCAP)                Service may change UID/GID identities/capabilities                           0.3
✗ CapabilityBoundingSet=~CAP_SYS_ADMIN                        Service has administrator privileges                                         0.3
✗ CapabilityBoundingSet=~CAP_SYS_PTRACE                       Service has ptrace() debugging abilities                                     0.3
✗ RestrictAddressFamilies=~AF_(INET|INET6)                    Service may allocate Internet sockets                                        0.3
✗ RestrictNamespaces=~CLONE_NEWUSER                           Service may create user namespaces                                           0.3
✗ RestrictAddressFamilies=~…                                  Service may allocate exotic sockets                                          0.3
✗ CapabilityBoundingSet=~CAP_(CHOWN|FSETID|SETFCAP)           Service may change file ownership/access mode/capabilities unrestricted      0.2
✗ CapabilityBoundingSet=~CAP_(DAC_*|FOWNER|IPC_OWNER)         Service may override UNIX file/IPC permission checks                         0.2
✗ CapabilityBoundingSet=~CAP_NET_ADMIN                        Service has network configuration privileges                                 0.2
✗ CapabilityBoundingSet=~CAP_RAWIO                            Service has raw I/O access                                                   0.2
✗ CapabilityBoundingSet=~CAP_SYS_MODULE                       Service may load kernel modules                                              0.2
✗ CapabilityBoundingSet=~CAP_SYS_TIME                         Service processes may change the system clock                                0.2
✗ DeviceAllow=                                                Service has no device ACL                                                    0.2
✗ IPAddressDeny=                                              Service does not define an IP address whitelist                              0.2
✓ KeyringMode=                                                Service doesn't share key material with other services                          
✗ NoNewPrivileges=                                            Service processes may acquire new privileges                                 0.2
✓ NotifyAccess=                                               Service child processes cannot alter service state
✗ PrivateDevices=                                             Service potentially has access to hardware devices                           0.2
✗ PrivateMounts=                                              Service may install system mounts                                            0.2
✗ PrivateTmp=                                                 Service has access to other software's temporary files                       0.2
✗ PrivateUsers=                                               Service has access to other users                                            0.2
✗ ProtectClock=                                               Service may write to the hardware clock or system clock                      0.2
✗ ProtectControlGroups=                                       Service may modify the control group file system                             0.2
✗ ProtectHome=                                                Service has full access to home directories                                  0.2
✗ ProtectKernelLogs=                                          Service may read from or write to the kernel log ring buffer                 0.2
✗ ProtectKernelModules=                                       Service may load or read kernel modules                                      0.2
✗ ProtectKernelTunables=                                      Service may alter kernel tunables                                            0.2
✗ ProtectSystem=                                              Service has full access to the OS file hierarchy                             0.2
✗ RestrictAddressFamilies=~AF_PACKET                          Service may allocate packet sockets                                          0.2
✗ RestrictSUIDSGID=                                           Service may create SUID/SGID files                                           0.2

At the end of the output, it will print a message with the overall exposure level of the service. This score reflects how much of the sandboxing in systemd the unit uses, not the security of the service software itself. The sandboxing options can be configured easily.

More information here: https://www.freedesktop.org/software/systemd/man/systemd.exec.html#Sandboxing.
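
To turn the two listings above into a short worklist, the script below filters the overview by exposure score and ranks the failed checks of one unit by weight. It is an added example, not part of the original post; the function names are made up for illustration and the sample rows are copied from the output shown on this page.

```sh
#!/bin/sh
# Added example: triage helpers for `systemd-analyze security` text output.

# units_at_or_above THRESHOLD
# Reads the overview table on stdin and prints "EXPOSURE UNIT PREDICATE"
# for every unit scoring at or above THRESHOLD, worst first.
units_at_or_above() {
    awk -v t="$1" '
        $1 == "UNIT" { next }    # header row
        $2 ~ /^[0-9]+(\.[0-9]+)?$/ && $2 + 0 >= t + 0 { print $2, $1, $3 }
    ' | LC_ALL=C sort -k1,1nr -k2,2
}

# failed_checks
# Reads a per-unit table on stdin and prints "WEIGHT DIRECTIVE" for each
# row carrying the failure mark, heaviest weight first. Rows with a tick
# and the header row are skipped.
failed_checks() {
    awk '
        $1 == "✗" && $NF ~ /^[0-9]+(\.[0-9]+)?$/ { print $NF, $2 }
    ' | LC_ALL=C sort -k1,1nr -k2,2
}

# Sample rows taken from the two listings on this page.
sample_overview() {
    cat <<'EOF'
UNIT                                  EXPOSURE PREDICATE HAPPY
ModemManager.service                       5.8 MEDIUM    😐
NetworkManager.service                     7.8 EXPOSED   🙁
accounts-daemon.service                    9.6 UNSAFE    😨
apache2.service                            9.2 UNSAFE    😨
auditd.service                             9.5 UNSAFE    😨
colord.service                             8.8 EXPOSED   🙁
EOF
}

sample_unit() {
    cat <<'EOF'
  NAME                                    DESCRIPTION                                  EXPOSURE
✗ PrivateNetwork=                         Service has access to the host's network          0.5
✗ User=/DynamicUser=                      Service runs as root user                         0.4
✗ CapabilityBoundingSet=~CAP_SYS_ADMIN    Service has administrator privileges              0.3
✓ KeyringMode=                            Service doesn't share key material with other services
✗ ProtectHome=                            Service has full access to home directories       0.2
EOF
}

sample_overview | units_at_or_above 9.5
sample_unit | failed_checks
```

On a live system, pipe `systemd-analyze security --no-pager` into `units_at_or_above` and `systemd-analyze security --no-pager ssh` into `failed_checks`. The directives it lists are set in a drop-in created with `systemctl edit <unit>` and are best enabled one at a time, since some of them (PrivateNetwork= for ssh, for example) would stop the service from doing its job.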
