diff --git a/man/systemd-analyze.xml b/man/systemd-analyze.xml
index 8bc67a1ea8..7baa1794d7 100644
--- a/man/systemd-analyze.xml
+++ b/man/systemd-analyze.xml
@@ -1129,69 +1129,9 @@ $ systemd-analyze verify /tmp/source:alias.service
-
- JSON Policy
- The JSON file passed as a path parameter to
- has a top-level JSON object, with keys being the assessment test identifiers mentioned
- above. The values in the file should be JSON objects with one or more of the
- following fields: description_na (string), description_good (string), description_bad
- (string), weight (unsigned integer), and range (unsigned integer). If any of these fields
- corresponding to a specific id of the unit file is missing from the JSON object, the
- default built-in field value corresponding to that same id is used for security analysis
- as default. The weight and range fields are used in determining the overall exposure level
- of the unit files: the value of each setting is assigned a badness score, which is multiplied
- by the policy weight and divided by the policy range to determine the overall exposure that
- the setting implies. The computed badness is summed across all settings in the unit file,
- normalized to the 1…100 range, and used to determine the overall exposure level of the unit.
- By allowing users to manipulate these fields, the 'security' verb gives them the option to
- decide for themself which ids are more important and hence should have a greater effect on
- the exposure level. A weight of 0 means the setting will not be
- checked.
-
-
- {
- "PrivateDevices":
- {
- "description_good": "Service has no access to hardware devices",
- "description_bad": "Service potentially has access to hardware devices",
- "weight": 1000,
- "range": 1
- },
- "PrivateMounts":
- {
- "description_good": "Service cannot install system mounts",
- "description_bad": "Service may install system mounts",
- "weight": 1000,
- "range": 1
- },
- "PrivateNetwork":
- {
- "description_good": "Service has no access to the host's network",
- "description_bad": "Service has access to the host's network",
- "weight": 2500,
- "range": 1
- },
- "PrivateTmp":
- {
- "description_good": "Service has no access to other software's temporary files",
- "description_bad": "Service has access to other software's temporary files",
- "weight": 1000,
- "range": 1
- },
- "PrivateUsers":
- {
- "description_good": "Service does not have access to other users",
- "description_bad": "Service has access to other users",
- "weight": 1000,
- "range": 1
- }
- }
-
-
-
+ See example "JSON Policy" below.
-
@@ -1261,6 +1201,70 @@ $ systemd-analyze verify /tmp/source:alias.service
+
+ Examples
+
+
+ JSON Policy
+
+ The JSON file passed as a path parameter to has a top-level
+ JSON object, with keys being the assessment test identifiers mentioned above. The values in the file
+ should be JSON objects with one or more of the following fields:
+ (string), (string), (string),
+ (unsigned integer), and (unsigned integer). If any of
+ these fields corresponding to a specific id of the unit file is missing from the JSON object, the
+ default built-in field value corresponding to that same id is used for security analysis as default.
+ The weight and range fields are used in determining the overall exposure level of the unit files: the
+ value of each setting is assigned a badness score, which is multiplied by the policy weight and divided
+ by the policy range to determine the overall exposure that the setting implies. The computed badness is
+ summed across all settings in the unit file, normalized to the 1…100 range, and used to determine the
+ overall exposure level of the unit. By allowing users to manipulate these fields, the 'security' verb
+ gives them the option to decide for themself which ids are more important and hence should have a
+ greater effect on the exposure level. A weight of 0 means the setting will not be
+ checked.
+
+
+{
+ "PrivateDevices":
+ {
+ "description_good": "Service has no access to hardware devices",
+ "description_bad": "Service potentially has access to hardware devices",
+ "weight": 1000,
+ "range": 1
+ },
+ "PrivateMounts":
+ {
+ "description_good": "Service cannot install system mounts",
+ "description_bad": "Service may install system mounts",
+ "weight": 1000,
+ "range": 1
+ },
+ "PrivateNetwork":
+ {
+ "description_good": "Service has no access to the host's network",
+ "description_bad": "Service has access to the host's network",
+ "weight": 2500,
+ "range": 1
+ },
+ "PrivateTmp":
+ {
+ "description_good": "Service has no access to other software's temporary files",
+ "description_bad": "Service has access to other software's temporary files",
+ "weight": 1000,
+ "range": 1
+ },
+ "PrivateUsers":
+ {
+ "description_good": "Service does not have access to other users",
+ "description_bad": "Service has access to other users",
+ "weight": 1000,
+ "range": 1
+ }
+}
+
+
+
+
See Also