DOCTEAM-1303: Securing systemd services #371
base: main
@Amrita42 Many thanks! I'm struggling a bit with section 2. (id="systemd-example-secure-service") and section 2.1 (id="improving-overall-exposure") in the article (see remarks). 2.1 is a 'lone section' (there is no 2.2 or 2.3) which the style guide suggests to avoid. Maybe you can find a way to solve that.
A detailed analysis of the security settings is executed and displayed. | ||
If a service unit is not specified, all currently loaded, long-running service units are inspected and the results are displayed in a terse table. | ||
</para> | ||
<para>The command upon checking the security settings, assigns a numeric value , also known as <emphasis>exposure level</emphasis>. |
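Review bot: the last line of this hunk has a stray space before the comma in "a numeric value , also known as"; the rewording suggested further down keeps that space, so fix it in whichever version lands. The sentence also never says what the number expresses, so consider adding a half-sentence on how to read the exposure level right where the term is introduced.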
<para>The command upon checking the security settings, assigns a numeric value , also known as <emphasis>exposure level</emphasis>. | |
<para>Upon checking the security settings, the command assigns a numeric value , also known as <emphasis>exposure level</emphasis>. |
Leaving the final editing to Daria, but here I stumbled when reading the sentence because the original word order made it hard to understand the sentence at first glance.
<meta name="maintainer" content="[email protected]" its:translate="no"/> | ||
<abstract> | ||
<para> | ||
Use &systemd; to secure and strengthen services using specific directives and verify the same. |
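Review bot: "verify the same" at the end of the abstract does not say what is verified or with what; name the object, for example "and verify the resulting security settings with <command>systemd-analyze security</command>", so the abstract matches the procedure it introduces.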
I would specify in the intro already which command you are referring to here (the concrete command is only mentioned in step 4 of the procedure). Maybe even use the same intro as in the following section?
Use the command <command>systemd-analyze security</command> to analyze the security settings of a &systemd; service.
</step> | ||
</procedure> | ||
<section xml:id="improving-overall-exposure"> | ||
<title>How to improve the overall exposure with options?</title> |
<title>How to improve the overall exposure with options?</title> | |
<title>How to improve the exposure level</title> |
<title>How to improve the overall exposure with options?</title> | ||
<para>Use the command <command>systemd-analyze security</command> to analyze the security settings of a | ||
&systemd; service. For example: </para> | ||
<screen> |
It's the same example as in the previous section (which is good in terms of consistency), but if you have a look at the PDF or HTML output, both examples follow each other directly (end of p.4 and beginning of p.5). Therefore it looks to the reader like content that is duplicated without a good reason. I would rather omit the example output here and instead show how to run the systemd-analyze security
command with one of the following options (so the readers have a concrete example to cling to before you give them the reference list of options).
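A concrete form of the walkthrough the reviewer asks for above (check a unit's exposure level with systemd-analyze security, add a hardening drop-in with a few of the directives the article lists, re-check), written as an added example for this review thread; it is not code from the PR's article or from SUSE documentation. The unit name example.service, the drop-in file name hardening.conf and the chosen directive values are assumptions and must be adjusted to what the real service needs (ProtectSystem=strict in particular breaks services that write outside /var and /tmp).

```shell
#!/bin/sh
# Added example: harden a systemd service with a drop-in and compare the
# exposure level reported by `systemd-analyze security` before and after.
# Unit name, drop-in name and directive values are assumptions.

# Print the drop-in that tightens the service. CapabilityBoundingSet= keeps
# only the listed capability; NoNewPrivileges= stops setuid binaries from
# handing out more; the remaining directives cut filesystem and kernel exposure.
render_dropin() {
    cat <<'EOF'
[Service]
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes
ProtectKernelTunables=yes
ProtectControlGroups=yes
RestrictSUIDSGID=yes
EOF
}

# Write the drop-in for UNIT under ROOT (default: /etc/systemd/system) and
# print the path written, so the caller can inspect or remove it later.
apply_dropin() {
    unit="$1"
    root="${2:-/etc/systemd/system}"
    dir="$root/$unit.d"
    mkdir -p "$dir"
    render_dropin > "$dir/hardening.conf"
    printf '%s\n' "$dir/hardening.conf"
}

# Print just the numeric exposure level for UNIT, or a placeholder when
# systemd-analyze is not available (container, CI runner).
exposure_level() {
    unit="$1"
    if command -v systemd-analyze >/dev/null 2>&1; then
        systemd-analyze security --no-pager "$unit" 2>/dev/null |
            sed -n 's/.*Overall exposure level for [^:]*: *\([0-9.]*\).*/\1/p'
    else
        printf '%s\n' "n/a (systemd-analyze not found)"
    fi
}

# Demonstration. With no second argument a scratch directory is used so the
# script also runs unprivileged; pass /etc/systemd/system to apply it for real,
# in which case the unit is reloaded and re-analyzed.
demo() {
    unit="${1:-example.service}"
    root="${2:-$(mktemp -d)}"
    echo "before: $(exposure_level "$unit")"
    path=$(apply_dropin "$unit" "$root")
    echo "wrote $path"
    if [ "$root" = /etc/systemd/system ]; then
        systemctl daemon-reload
        echo "after:  $(exposure_level "$unit")"
    fi
}

demo "$@"
```

The drop-in is deliberately kept separate from the vendor unit file so that package updates do not overwrite it, and the "before"/"after" numbers are what the reader should compare: a lower exposure level means less of the service's sandbox is left open.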
are retained by the service, and the service and any processes it creates cannot obtain | ||
any other capabilities, not even via setuid binaries. | ||
</para> | ||
<tip> |
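Review bot: the sentence "are retained by the service, and the service and any processes it creates cannot obtain any other capabilities, not even via setuid binaries" describes the effect of a directive whose name sits outside this hunk; make sure the paragraph opens with that directive in <option> markup so the reader can tie the described behaviour to the exact setting, and consider stating explicitly that the listed capabilities are the only ones kept.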
Our schema does not enforce it but I would add a title to all admonitions (also tips) - makes it easier to spot at first sight what the admonition is about.
<command>pscap</command> tool from the <package>libcap-ng-utils</package> package. | ||
</para> | ||
</tip> | ||
<tip> |
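Review bot: the tip names <command>pscap</command> and its package but not what the tool shows or how to call it; add a sentence that running pscap without arguments lists the running processes together with the capabilities they hold, so the reader knows what to look for when checking that the bounding set took effect.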
This is the second tip right behind the first... I tend to avoid that in order to not annoy the reader. Maybe consider turning the content of one of them into a normal para.
Description
Describe the overall goals of this pull request.
The scope is to re-haul the existing article and add more content.
Are there any relevant issues/feature requests?
DOCTEAM-1303
Is this (based on) existing content?
Yes, based on existing content
https://documentation.suse.com/smart/security/html/systemd-securing/index.html#systemd-securing-techniques