User:Rdeckard/Secure Systemd
Discussion is here: Talk:Security#Using systemd for more secure services
Consider adding the following options to user-created or system systemd units.
File systems
ProtectHome=true
true makes /home, /root, and /run/user inaccessible and empty for processes invoked by this unit. read-only makes these three directories read-only.
ProtectSystem=strict
true mounts /usr and /boot as read-only for processes invoked by this unit. full mounts /etc as read-only, too. strict mounts the entire file system hierarchy as read-only except for the API file system subtrees /dev, /proc, and /sys.
PrivateDevices=true
ProtectKernelTunables=true
ProtectControlGroups=true
PrivateTmp=true
Kernel
ProtectKernelModules=true
Network
PrivateNetwork=true
RestrictAddressFamilies
Other
MemoryDenyWriteExecute=true
RestrictRealtime=true
Restricting root
PrivateUsers=true
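The authoritative way to check a unit's sandboxing is systemd's own systemd-analyze security UNIT, which scores every setting. As an added example (not part of this page or of systemd), the script below performs a narrower offline version of that check for exactly the directives listed above: it parses the [Service] section the way systemd reads list-valued settings (a repeated key accumulates, an empty assignment resets the list) and reports each directive as ok, weak (a real but less strict value such as ProtectHome=read-only), disabled, missing, or unknown. The two unit files it runs against are constructed samples; example-daemon is a placeholder, and the RestrictAddressFamilies values AF_UNIX, AF_INET and AF_INET6 are chosen for illustration.

```python
"""Audit a systemd unit for the hardening directives listed on this page.

Added example, not part of the original page. The sample units below are
constructed; the real tool for a full score is `systemd-analyze security`.
"""
from typing import Dict, List

# Acceptable values per directive, strongest first. An empty list means the
# directive only needs to be present (RestrictAddressFamilies has no single
# recommended value; it depends on what the service needs).
RECOMMENDED: Dict[str, List[str]] = {
    "ProtectHome": ["true", "read-only"],
    "ProtectSystem": ["strict", "full", "true"],
    "PrivateDevices": ["true"],
    "ProtectKernelTunables": ["true"],
    "ProtectControlGroups": ["true"],
    "PrivateTmp": ["true"],
    "ProtectKernelModules": ["true"],
    "PrivateNetwork": ["true"],
    "RestrictAddressFamilies": [],
    "MemoryDenyWriteExecute": ["true"],
    "RestrictRealtime": ["true"],
    "PrivateUsers": ["true"],
}

TRUE_WORDS = {"true", "yes", "on", "1"}     # boolean spellings systemd accepts
FALSE_WORDS = {"false", "no", "off", "0"}


def normalize(value: str) -> str:
    """Collapse systemd's boolean spellings so 'yes' and 'true' compare equal."""
    v = value.strip().lower()
    if v in TRUE_WORDS:
        return "true"
    if v in FALSE_WORDS:
        return "false"
    return v


def parse_service_section(unit_text: str) -> Dict[str, List[str]]:
    """Return key -> list of raw values from the [Service] section.

    Repeated keys accumulate and an empty assignment resets the key, which is
    how systemd treats list settings such as RestrictAddressFamilies. For
    single-valued settings the last entry is the effective one.
    """
    section = None
    values: Dict[str, List[str]] = {}
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                                # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Service" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value == "":
            values[key] = []                        # empty assignment resets
        else:
            values.setdefault(key, []).append(value)
    return values


def audit(unit_text: str) -> Dict[str, str]:
    """Map each recommended directive to ok / weak / disabled / missing / unknown."""
    settings = parse_service_section(unit_text)
    report: Dict[str, str] = {}
    for key, accepted in RECOMMENDED.items():
        vals = settings.get(key, [])
        if not vals:
            report[key] = "missing"
        elif not accepted:
            report[key] = "ok"                      # presence is all we check
        else:
            last = normalize(vals[-1])              # last assignment wins
            if last == accepted[0]:
                report[key] = "ok"
            elif last in accepted:
                report[key] = "weak"
            elif last == "false":
                report[key] = "disabled"
            else:
                report[key] = "unknown"             # e.g. a value not covered here
    return report


# Constructed sample: every directive from the page at its strictest value.
HARDENED_UNIT = """
[Unit]
Description=Constructed sample service (hardened)

[Service]
ExecStart=/usr/bin/example-daemon
ProtectHome=true
ProtectSystem=strict
PrivateDevices=true
ProtectKernelTunables=true
ProtectControlGroups=true
PrivateTmp=true
ProtectKernelModules=true
PrivateNetwork=true
RestrictAddressFamilies=AF_UNIX
RestrictAddressFamilies=AF_INET AF_INET6
MemoryDenyWriteExecute=true
RestrictRealtime=true
PrivateUsers=true
"""

# Constructed sample: weaker values, a reset list, and most directives absent.
LAX_UNIT = """
[Unit]
Description=Constructed sample service (unhardened)

[Service]
ExecStart=/usr/bin/example-daemon
ProtectHome=read-only
ProtectSystem=full
PrivateTmp=yes
RestrictAddressFamilies=AF_UNIX
RestrictAddressFamilies=
"""

if __name__ == "__main__":
    for name, unit in (("hardened", HARDENED_UNIT), ("lax", LAX_UNIT)):
        print(f"== {name} ==")
        for directive, status in audit(unit).items():
            print(f"{directive:<24} {status}")
```

Run it as a script to see both reports, or import audit() and feed it the text of a real unit (systemctl cat UNIT concatenates the unit with its drop-ins, which is the text that matters, since a drop-in can override or reset a setting from the main file).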