User:Rdeckard/Secure Systemd

From ArchWiki

Discussion is here: Talk:Security#Using systemd for more secure services

Consider adding the following options to user-created or system systemd units.

File systems

  • ProtectHome=true
    • true makes /home, /root, and /run/user inaccessible and empty for processes invoked by this unit.
    • read-only makes these three directories read-only.
  • ProtectSystem=strict
    • true mounts /usr and /boot as read-only for processes invoked by this unit.
    • full mounts /etc as read-only, too.
    • strict mounts the entire file system hierarchy as read-only except for the API file system subtrees /dev, /proc, and /sys.
  • PrivateDevices=true
  • ProtectKernelTunables=true
  • ProtectControlGroups=true
  • PrivateTmp=true

Kernel

  • ProtectKernelModules=true

Network

  • PrivateNetwork=true
  • RestrictAddressFamilies

Other

  • MemoryDenyWriteExecute=true
  • RestrictRealtime=true

Restricting root

  • PrivateUsers=true
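As an added example (not part of this wiki page), a complete system unit that applies the options above to a hypothetical network daemon; the service name, binary path and state directory are assumptions.

```ini
# /etc/systemd/system/example-daemon.service  (hypothetical service; added example)
[Unit]
Description=Example daemon with systemd sandboxing applied

[Service]
ExecStart=/usr/local/bin/example-daemon --state /var/lib/example-daemon
User=example-daemon
Group=example-daemon

# File systems
ProtectHome=true
ProtectSystem=strict
# strict makes the whole hierarchy read-only, so the state directory must be
# allowed explicitly; StateDirectory= creates /var/lib/example-daemon and
# keeps it writable even under ProtectSystem=strict.
StateDirectory=example-daemon
PrivateDevices=true
ProtectKernelTunables=true
ProtectControlGroups=true
PrivateTmp=true

# Kernel
ProtectKernelModules=true

# Network: this daemon listens on TCP, so PrivateNetwork=true would cut it
# off. Restrict the socket families it may use instead.
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6

# Other
# MemoryDenyWriteExecute breaks runtimes that JIT-compile code; omit it for those.
MemoryDenyWriteExecute=true
RestrictRealtime=true

# Restricting root: the unit gets its own user namespace. root and the
# service user map to themselves, every other UID appears as nobody, and
# capabilities inside the namespace do not apply to host resources.
PrivateUsers=true

[Install]
WantedBy=multi-user.target
```

After `systemctl daemon-reload`, `systemd-analyze security example-daemon.service` lists each sandboxing directive with an exposure score, which shows which of these settings are in effect and what is still open.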