Systemd Talks Up Automatic Boot Assessment in Light of the CrowdStrike Outage
In response to the CrowdStrike-Microsoft outage, systemd's lead developer, Lennart Poettering, promotes systemd's Automatic Boot Assessment for Linux systems. Despite its support, major distributions have not adopted it. Poettering stresses the importance of implementing such features for system security and recovery.
Read original article
In response to the recent CrowdStrike-Microsoft outage affecting Windows systems, systemd's lead developer, Lennart Poettering, highlighted the potential of systemd's Automatic Boot Assessment feature to prevent similar incidents on Linux systems. This functionality enables automatic reversion to a previous OS or kernel version in case of boot failures, providing easier recovery. Despite systemd's long-standing support for this feature, major Linux distributions have yet to adopt it. Poettering emphasized the importance of implementing boot counting and automatic fallback mechanisms as standard practices in modern systems to enhance security and robustness. He criticized commercial distros for not integrating this feature and highlighted the need for improved boot stack security. Those interested in learning more about systemd's Automatic Boot Assessment feature can find additional information on systemd.io.
Related
Systemd Looks to Replace sudo with run0
Systemd introduces "run0" to replace sudo in Linux. It offers secure user elevation without SUID, using a service manager for command execution. Creator Poettering aims for enhanced security and usability. Systemd 256 with run0 is on GitHub for testing.
Lennart Poettering: Fitting Everything Together
The blog post explores integrating systemd components for Linux OS development, emphasizing hermetic /usr/ design, image-based OS with security features, self-updating systems, and community-driven desktop OS with advanced security measures.
6 commentsHowever good or bad the intentions and ideas here might be, the project has demonstrated many times over that it is not capable of reliably filling the roles to which it aspires. I'm not interested in extending its reach even further.
In short, no thanks.
Ubuntu Core (eg. for the upcoming immutable desktop) also supports this kind of thing fully automatically.
So it's not just systemd and the alternatives are widely deployed already.
But anyway as others point out it won't mitigate risk on a system that injects bad code from outside of the boot process.
It's probably the worse thing to do to give the key to the boot kingdom to systemd, doing random things to your configuration when it feels so...
systemd.io/AUTOMATIC_BOOT_ASSESSMENT/ : https://systemd.io/AUTOMATIC_BOOT_ASSESSMENT/
From https://news.ycombinator.com/item?id=29995566 :
> Which distro has the best out-of-the-box output for:?
systemd-analyze security
And also automatic variance in boot sequences with timeouts.
Where does it explain that a systemd service unit is always failing at boot?
Any assessment systemd could have done would see failure to boot, and would either try to roll back to a kernel with an old agent module version, which would probably do the same thing, or go back to a kernel without the Crowd Strike Module at all if available.
Computers aren't magic. They don't know things. They can't bisect their own configuration or intuit what subcomponent caused what behavior. That's your job.
Related
Systemd Looks to Replace sudo with run0
Systemd introduces "run0" to replace sudo in Linux. It offers secure user elevation without SUID, using a service manager for command execution. Creator Poettering aims for enhanced security and usability. Systemd 256 with run0 is on GitHub for testing.
Lennart Poettering: Fitting Everything Together
The blog post explores integrating systemd components for Linux OS development, emphasizing hermetic /usr/ design, image-based OS with security features, self-updating systems, and community-driven desktop OS with advanced security measures.