Settings for systemd units
Systemd allows fine-grained customization of units by defining so-called properties. These properties or settings influence what a unit, such as a service, can or cannot do. As there is a wide range of settings, this page presents them, with a quick reference to each of them.
Articles for Units
Improve the security of services by defining what Linux capabilities are allowed with the help of systemd unit setting CapabilityBoundingSet.
Restrict systemd units to access devices in the /dev directory with the unit setting DeviceAllow. Learn how to configure it for your services.
Harden system and user services on Linux by restricting systemd units to access devices in the /dev directory with the unit setting DevicePolicy.
Harden system services by using the systemd unit settings such as ExecPaths and NoExecPaths to allow program execution from only specified paths.
Harden system and user services on Linux by limiting systemd units to access specified paths with the unit setting InaccessiblePaths.
Systemd can track the number of network packets and data traffic of services with unit setting IPAccounting. See how to configure this setting for services.
Harden services on Linux by using the systemd unit setting KeyringMode, which defines if the kernel session keyring information is available to the service.
Learn how to harden systemd units by preventing processes from switching their personality (kernel execution domain) with the LockPersonality setting.
Block systemd units from creating or altering memory segments so that they become both writable and executable with the unit setting MemoryDenyWriteExecute.
Harden system services by using the systemd unit settings such as NoExecPaths to disable program execution from specified paths.
Learn how to harden systemd units by preventing processes and their children from obtaining new privileges with the NoNewPrivileges setting.
Harden Linux services using the systemd unit setting PrivateDevices, to restrict access to files in /dev and limit those to common pseudo-devices.
Harden Linux services using the systemd unit setting PrivateMounts, which gives the service its own mount namespace.
Harden Linux services by restricting systemd units to access the network interfaces of the host system using the PrivateNetwork unit setting.
Harden services on Linux by using the systemd unit setting PrivatePIDs, which allows running a service in its private PID namespace.
Learn how to harden systemd units by giving processes their own view on temporary directories /tmp and /var/tmp, preventing possible misuse.
Harden services on Linux with systemd unit setting PrivateUsers. It defines a new user namespace for the service and provides process capability isolation.
Harden system and user services by restricting systemd units to access information from the /proc directory with the unit setting ProcSubset.
Harden system and user services by restricting systemd units to access clock information with the ProtectClock unit setting.
Learn how to harden systemd units by marking some paths within the file system as read-only with the ProtectControlGroups unit setting.
Harden system and user services by restricting systemd units to access data in home directories with the unit setting ProtectHome.
Harden Linux system services by restricting systemd units to change the hostname or NIS domain name of the system with the unit setting ProtectHostname.
Secure system and user services by restricting systemd units to read or write to the kernel log ring buffer with the unit setting ProtectKernelLogs.
Secure system and user services by restricting systemd units to load kernel modules with the ProtectKernelModules unit setting.
Restrict systemd units to access information from the kernel tunables in the /proc and /sys directories with the unit setting ProtectKernelTunables.
Harden system and user services by restricting systemd units to access information from the /proc directory with the unit setting ProtectProc.
Learn how to harden systemd units by marking some paths within the file system as read-only with the ProtectSystem unit setting.
Harden system services on Linux by allowing systemd units to access only the specified paths with read permissions using the unit setting ReadOnlyPaths.
Harden system and user services on Linux by allowing systemd units access to only the specified paths to read or write with the unit setting ReadWritePaths.
Harden Linux system services by configuring systemd units to remove any Inter-Process Communication (IPC) objects once the service is stopped.
Harden system and user services on Linux by restricting systemd units to use only the specified socket address families with the setting RestrictAddressFamilies.
Harden system and user services on Linux by restricting systemd units to only use specified namespaces with the unit setting RestrictNamespaces.
Harden system and user services on Linux by restricting systemd units to use realtime scheduling with the unit setting RestrictRealtime.
Harden services by restricting systemd units to set the set-user-ID (suid) or set-group-ID (sgid) bit on files with the unit setting RestrictSUIDSGID.
Harden system and user services by configuring systemd units with more strict file permissions using the unit setting RuntimeDirectoryMode.
Harden Linux system services by restricting systemd units with the SecureBits setting, which enables special behavior related to Linux capabilities.
Harden system and user services by allowing systemd units to only use system call bind() on sockets specified with the unit setting SocketBindAllow.
Harden system and user services by restricting systemd units to use system call bind() on sockets specified with the unit setting SocketBindDeny.
Harden Linux services using the systemd unit setting SystemCallArchitectures, to restrict which system call architectures (ABIs) a service may use, such as native or x86 32-bit compatibility calls.
Harden system and user services by defining if they are allowed to use specific system calls or groups of them, with the use of the systemd unit setting SystemCallFilter.
Harden system and user services by configuring systemd units with a strict umask value using the unit setting UMask. Learn how to configure it in your units.
Frequently Asked Questions
How to use systemctl edit?
Run systemctl with the 'edit' subcommand followed by the name of the service:

    systemctl edit UNIT.service

See full answer at: How to use systemctl edit to change a service?