systemd-analyze: add new 'security' option to compare unit's overall exposure level with

--threshold option added to work with security verb and with the --offline option so that
users can determine what qualifies as a security threat. The threshold set by the user is
compared with the overall exposure level assigned to a unit file and if the exposure is
higher than the threshold, 'security' will return a non-zero exit status. The default value
of the --threshold option is 100.

Example Run:

1. testcase.service is a unit file created for testing the --threshold option

    maanya-goenka@debian:~/systemd (systemd-security)$ cat<<EOF>testcase.service

    > [Service]
    > ExecStart = echo hello
    > EOF

    For the purposes of this demo, the security table outputted below has been cut to show only the first two security settings.

    maanya-goenka@debian:~/systemd (systemd-security)$ sudo build/systemd-analyze security --offline=true testcase.service
    /usr/lib/systemd/system/plymouth-start.service:15: Unit configured to use KillMode=none. This is unsafe, as it disables systemd's
    process lifecycle management for the service. Please update your service to use a safer KillMode=, such as 'mixed' or 'control-group'.
    Support for KillMode=none is deprecated and will eventually be removed.
    /usr/lib/systemd/system/gdm.service:30: Standard output type syslog is obsolete, automatically updating to journal. Please update your
    unit file, and consider removing the setting altogether.
    /usr/lib/systemd/system/dbus.socket:5: ListenStream= references a path below legacy directory /var/run/, updating
    /var/run/dbus/system_bus_socket → /run/dbus/system_bus_socket; please update the unit file accordingly.

      NAME                                        DESCRIPTION                                                       EXPOSURE
    ✗ PrivateNetwork=                             Service has access to the host's network                          0.5
    ✗ User=/DynamicUser=                          Service runs as root user                                         0.4

    → Overall exposure level for testcase.service: 9.6 UNSAFE 😨

    maanya-goenka@debian:~/systemd (systemd-security)$ echo $? 0

2. Next, we use the same testcase.service file but add an additional --threshold=60 parameter. We would expect 'security' to exit
   with a non-zero status because the overall exposure level (= 96) is higher than the set threshold (= 60).

    maanya-goenka@debian:~/systemd (systemd-security)$ sudo build/systemd-analyze security --offline=true --threshold=60 testcase.service
    /usr/lib/systemd/system/plymouth-start.service:15: Unit configured to use KillMode=none. This is unsafe, as it disables systemd's
    process lifecycle management for the service. Please update your service to use a safer KillMode=, such as 'mixed' or 'control-group'.
    Support for KillMode=none is deprecated and will eventually be removed.
    /usr/lib/systemd/system/gdm.service:30: Standard output type syslog is obsolete, automatically updating to journal. Please update your
    unit file, and consider removing the setting altogether.
    /usr/lib/systemd/system/dbus.socket:5: ListenStream= references a path below legacy directory /var/run/, updating
    /var/run/dbus/system_bus_socket → /run/dbus/system_bus_socket; please update the unit file accordingly.

      NAME                                        DESCRIPTION                                                       EXPOSURE
    ✗ PrivateNetwork=                             Service has access to the host's network                          0.5
    ✗ User=/DynamicUser=                          Service runs as root user                                         0.4

    → Overall exposure level for testcase.service: 9.6 UNSAFE 😨

    maanya-goenka@debian:~/systemd (systemd-security)$ echo $? 1

2 files changed, 2 insertions, 1 deletions

diff --git a/shell-completion/bash/systemd-analyze b/shell-completion/bash/systemd-analyze
index b7b92f0e00..6f33d53cfc 100644
--- a/shell-completion/bash/systemd-analyze
+++ b/shell-completion/bash/systemd-analyze
@@ -144,7 +144,7 @@ _systemd_analyze() {
 
     elif __contains_word "$verb" ${VERBS[SECURITY]}; then
         if [[ $cur = -* ]]; then
-            comps='--help --version --no-pager --system --user -H --host -M --machine --offline'
+            comps='--help --version --no-pager --system --user -H --host -M --machine --offline --threshold'
         else
             if __contains_word "--user" ${COMP_WORDS[*]}; then
                 mode=--user
diff --git a/shell-completion/zsh/_systemd-analyze b/shell-completion/zsh/_systemd-analyze
index 6db4da6a35..f91357cb61 100644
--- a/shell-completion/zsh/_systemd-analyze
+++ b/shell-completion/zsh/_systemd-analyze
@@ -91,6 +91,7 @@ _arguments \
     '--image=[Add support for discrete images]:PATH' \
     '--recursive-errors=[When verifying a unit, control dependency verification]:MODE' \
     '--offline=[Perform a security review of the specified unit file(s)]:BOOL' \
+    '--threshold=[Set a value to compare the overall security exposure level with]: NUMBER' \
     '--no-pager[Do not pipe output into a pager]' \
     '--man=[Do (not) check for existence of man pages]:boolean:(1 0)' \
     '--order[When generating graph for dot, show only order]' \