systemd is a system and service manager for Linux operating systems. When run as the first process at boot (as PID 1), it acts as an init system that invokes and manages services in user space.
There are several types of unit:
- Service units, which start and control daemons and the processes that make them up.
- Socket units, which encapsulate local IPC or network sockets in the system, useful for socket-based activation.
- Target units are useful for grouping units or providing known synchronization points during the boot process.
- Device units represent kernel devices in systemd and can be used to implement device-based activation.
- Mount units control mount points in the file system.
- Automount units provide automount functions for on-demand file system mounts and parallelized boot.
- Timer units are useful for triggering the activation of other units based on timers.
- Swap units are very similar to mount units and encapsulate storage swap partitions or operating system files.
- Path units can be used to activate other services when file system objects change or are modified.
- Slice units can be used to group units that manage system processes (for example, service and scope units) into a hierarchical tree for resource management purposes.
- Scope units are similar to service units, but also manage third-party processes instead of starting them.
systemd also provides a journald service that collects and stores logging data. It creates and maintains structured, indexed journals from logging data received from various sources (the kernel log via kmsg, the standard output and standard error of services, and audit records from the kernel audit subsystem). journalctl is the tool for querying the data collected by systemd-journald.
systemd also provides a logind service that manages user logins. It is responsible for the following:
- Keeping track of users and sessions, their processes and their idle state.
- Creating and managing session IDs.
- Providing Polkit-based access control for user actions such as shutting down the system.
- Handling hardware buttons for power-off and sleep.
- Multi-seat management.
- Device access management.
There is also:
- a resolved service that provides DNS resolution.
- a timesyncd service, for cross-network synchronization of the system clock.
- a tmpfiles service, to manage the /tmp directory.
- a udevd service to manage the /dev directory.
The Linux kernel can restrict a service's access to the filesystem, the network, devices, kernel capabilities and syscalls.
systemd provides the command systemd-analyze security to get an overview of the system. It should be noted that other security features such as SELinux, AppArmor or built into the program are not taken
Afterwards the security can be evaluated per service with systemd-analyze security myservice.service.
The individual options are described in the output, but can be read in the
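As an added example (not from the original page), the following drop-in override applies the sandboxing directives that systemd-analyze security scores, grouped by the kernel restriction each one maps to, for the hypothetical myservice.service named above; the drop-in path, the ExecStart line and the state directory are assumptions.

```ini
# Added example: /etc/systemd/system/myservice.service.d/hardening.conf
# The unit it overrides is assumed to look like this (runs as root, no sandbox):
#   [Service]
#   ExecStart=/usr/local/bin/myservice
[Service]
# Identity: run as a transient unprivileged user; block privilege gain via setuid/setcap
DynamicUser=yes
NoNewPrivileges=yes
# Filesystem: read-only OS tree, no home directories, private /tmp,
# other users' processes hidden in /proc; writable state only under /var/lib/myservice
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
ProtectProc=invisible
ProcSubset=pid
StateDirectory=myservice
# Devices: minimal private /dev instead of the host's device nodes
PrivateDevices=yes
# Kernel interfaces: no tunables, modules, logs, cgroup tree, clock or hostname changes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
ProtectClock=yes
ProtectHostname=yes
# Capabilities: empty bounding set; add back only what the daemon really needs
CapabilityBoundingSet=
# Network: only Unix domain and IPv4/IPv6 sockets may be created
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
# Syscalls: native ABI only, the @system-service allow-list,
# minus the privileged and resource-control groups
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
# Further lockdowns reported by systemd-analyze security
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
UMask=0077
```

After systemctl daemon-reload, compare systemd-analyze security myservice.service before and after the drop-in; directives still flagged in the output point at what the service itself still needs relaxed or what remains to be restricted.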