Settings for systemd units

Systemd allows fine-grained customization of units by defining so-called properties. These properties or settings influence what a unit, such as a service, can or can not do. As their is a wide range of settings, this page has the goal to present them, including a quick reference to each of them.

Articles for Units

CapabilityBoundingSet setting

Improve the security of services by defining what Linux capabilities are allowed with the help of systemd unit setting CapabilityBoundingSet.

DeviceAllow setting

Restrict systemd units to access devices in the /dev directory with the unit setting DeviceAllow. Learn how to configure it for your services.

DevicePolicy setting

Harden system and user services on Linux by restricting systemd units to access devices in the /dev directory with the unit setting DevicePolicy.

ExecPaths setting

Harden system services by using the systemd unit settings such as ExecPaths and NoExecPaths to allow program execution from only specified paths.

InaccessiblePaths setting

Harden system and user services on Linux by limiting systemd units to access specified paths with the unit setting InaccessiblePaths.

IPAccounting setting

Systemd can track the number of network packets and data traffic of services with unit setting IPAccounting. See how to configure this setting for services.

KeyringMode setting

Harden services on Linux by using the systemd unit setting KeyringMode, which defines if the kernel session keyring information is available to the service.

LockPersonality setting

Learn how to harden systemd units by preventing processes from switching their personality (kernel execution domain) with the LockPersonality setting.

MemoryDenyWriteExecute setting

Block the ability for systemd units to create or alter memory segments to become writable and executable as well with the unit setting MemoryDenyWriteExecute.

NoExecPaths setting

Harden system services by using the systemd unit settings such as NoExecPaths to disable program execution from specified paths.

NoNewPrivileges setting

Learn how to harden systemd unit by preventing processes and their children from obtaining new privilege with the NoNewPrivileges setting.

PrivateDevices setting

Harden Linux services using the systemd unit setting PrivateDevices, to restrict access to files in /dev and limit those to common pseudo-devices.

PrivateMounts setting

Harden Linux services using the systemd unit setting PrivateMounts, which gives the service the service its own mount namespace.

PrivateNetwork setting

Harden Linux services by restricting systemd units to access the network interfaces of the host system using the PrivateNetwork unit setting.

PrivatePIDs setting

Harden services on Linux by using the systemd unit setting PrivatePIDs, which allows running a service in its private PID namespace.

PrivateTmp setting

Learn how to harden systemd units by giving processes their own view on temporary directories /tmp and /var/tmp, preventing possible misuse.

PrivateUsers setting

Harden services on Linux with systemd unit setting PrivateUsers. It defines a new user namespace for the service and provides process capability isolation.

ProcSubset setting

Harden system and user services by restricting systemd units to access information from the /proc directory with the unit setting ProcSubset.

ProtectClock setting

Harden system and user services by restricting systemd units to access clock information with the ProtectClock unit setting.

ProtectControlGroups setting

Learn how to harden systemd units by marking some paths within the file system as read-only with the ProtectControlGroups unit setting.

ProtectHome setting

Harden system and user services by restricting systemd units to access data in home directories with the unit setting ProtectHome.

ProtectHostname setting

Harden Linux system services by restricting systemd units to change the hostname or NIS domain name of the system with the unit setting ProtectHostname.

ProtectKernelLogs setting

Secure system and user services by restricting systemd units to read or write to the kernel log ring buffer with the unit setting ProtectKernelLogs.

ProtectKernelModules setting

Secure system and user services by restricting systemd units to load kernel modules with the ProtectKernelModules unit setting.

ProtectKernelTunables setting

Restrict systemd units to access information from the kernel tunables in the /proc and /sys directories with the unit setting ProtectKernelTunables.

ProtectProc setting

Harden system and user services by restricting systemd units to access information from the /proc directory with the unit setting ProtectProc.

ProtectSystem setting

Learn how to harden systemd units by marking some paths within the file system as read-only with the ProtectSystem unit setting.

ReadOnlyPaths setting

Harden system services on Linux by allowing systemd units to access only the specified paths with read permissions using the unit setting ReadOnlyPaths.

ReadWritePaths setting

Harden system and user services on Linux by allowing systemd units access to only the specified paths to read or write with the unit setting ReadWritePaths.

RemoveIPC setting

Harden Linux system services by restricting systemd units to remove any Inter-Process Communication (IPC) objects are a service is stopped.

RestrictAddressFamilies setting

Harden system and user services on Linux by restricting systemd units using only the specified socket address families with setting RestrictAddressFamilies.

RestrictNamespaces setting

Harden system and user services on Linux by restricting systemd units to only use specified namespaces with the unit setting RestrictNamespaces.

RestrictRealtime setting

Harden system and user services on Linux by restricting systemd units to use realtime scheduling with the unit setting RestrictRealtime.

RestrictSUIDSGID setting

Harden services by restricting systemd units to set the set-user-ID (suid) or set-group-ID (sgid) bit on files with the unit setting RestrictSUIDSGID.

RuntimeDirectoryMode setting

Harden system and user services by configuring systemd units with more strict file permissions using the unit setting RuntimeDirectoryMode.

SecureBits setting

Harden Linux system services by restricting systemd units with the SecureBits setting, which enables special behavior related to Linux capabilities.

SocketBindAllow setting

Harden system and user services by allowing systemd units to only use system call bind() on sockets specified with the unit setting SocketBindAllow.

SocketBindDeny setting

Harden system and user services by restricting systemd units to use system call bind() on sockets specified with the unit setting SocketBindDeny.

SystemCallArchitectures setting

Harden Linux services using the systemd unit setting SystemCallArchitectures, to restrict access to files in /dev and limit those to common pseudo-devices.

SystemCallFilter setting

Harden system and users services, by defining if they are allowed to use specific syscalls or groups, with the use of systemd unit setting SystemCallFilter.

UMask setting

Harden system and user services by configuring systemd units with a strict umask value using the unit setting UMask. Learn how to configure it in your units.

Frequently Asked Questions

How to use systemctl edit?

Run systemctl with the 'edit' subcommand and service.

systemctl edit UNIT.service

See full answer at How to use systemctl edit to change a service?