Configuration
UMask setting
Harden services by configuring systemd units with a strict umask value using the unit setting UMask.
RestrictRealtime setting
Harden services by restricting systemd units to use realtime scheduling with the unit setting RestrictRealtime.
RestrictSUIDSGID setting
Harden services by restricting systemd units to set the set-user-ID (suid) or set-group-ID (sgid) bit on files with the unit setting RestrictSUIDSGID.
RestrictNamespaces setting
Harden services by restricting systemd units to only specified namespaces with the unit setting RestrictNamespaces.
CapabilityBoundingSet setting
Define if systemd units are allowed to use specific Linux capabilities the unit setting CapabilityBoundingSet.
ProtectKernelTunables setting
Restrict systemd units to access information from the kernel tunables in the /proc and /sys directories with the unit setting ProtectKernelTunables.
LockPersonality setting
Learn how to harden systemd unit by preventing processes and their children from switching their personality, a kernel execution domain, with the LockPersonality setting.
NoNewPrivileges setting
Learn how to harden systemd unit by preventing processes and their children from obtaining new privilege with the NoNewPrivileges setting.
SystemCallArchitectures setting
Harden Linux services using the systemd unit setting SystemCallArchitectures, to restrict access to files in /dev and limit those to common pseudo-devices.
PrivateDevices setting
Harden Linux services using the systemd unit setting PrivateDevices, to restrict access to files in /dev and limit those to common pseudo-devices.
PrivateTmp setting
Learn how to harden systemd units by giving processes their own view on temporary directories /tmp and /var/tmp, preventing possible misuse.
NoExecPaths setting
Harden system services by using the systemd unit settings such as NoExecPaths to disable program execution from specified paths.
ExecPaths setting
Harden system services by using the systemd unit settings such as ExecPaths and NoExecPaths to allow program execution from only specified paths.
ProtectControlGroups setting
Learn how to harden systemd units by marking some paths within the file system as read-only with the ProtectControlGroups unit setting.
ProtectSystem setting
Learn how to harden systemd units by marking some paths within the file system as read-only with the ProtectSystem unit setting.
ProtectClock setting
Learn how to harden systemd units by limiting access to clock information with the ProtectClock unit setting.
Nginx hardening profile
Harden the nginx configuration with the help of systemd sandboxing capabilities and restricting resources.
SocketBindAllow setting
Allow systemd units to use system call bind() on sockets specified with the unit setting SocketBindAllow.
SocketBindDeny setting
Restrict systemd units to use system call bind() on sockets specified with the unit setting SocketBindDeny.
DevicePolicy setting
Restrict systemd units to access devices in the /dev directory with the unit setting DevicePolicy.
DeviceAllow setting
Restrict systemd units to access devices in the /dev directory with the unit setting DeviceAllow.
SystemCallFilter setting
Define if systemd units are allowed to use specific syscalls or groups with the unit setting SystemCallFilter.
MemoryDenyWriteExecute setting
Block the ability for systemd units to create or alter memory segments to become writable and executable as well with the unit setting MemoryDenyWriteExecute.
InaccessiblePaths setting
Block systemd units to access specified paths with the unit setting InaccessiblePaths.
ReadWritePaths setting
Grant systemd units to specified paths to read from and write to new or existing files with the unit setting ReadWritePaths.
ProcSubset setting
Restrict systemd units to access information from the /proc directory with the unit setting ProcSubset.
RestrictAddressFamilies setting
Restrict systemd units using only specified socket address families with the unit setting RestrictAddressFamilies.
ProtectProc setting
Restrict systemd units to access information from the /proc directory with the unit setting ProtectProc.
ProtectHome setting
Restrict systemd units to access data in home directories with the unit setting ProtectHome.
ProtectKernelLogs setting
Restrict systemd units to read or write to the kernel log ring buffer with the unit setting ProtectKernelLogs.
ProtectKernelModules setting
Restrict systemd units to load kernel modules with the ProtectKernelModules unit setting.
/etc/ssh/ssh_config
The configuration file /etc/ssh/ssh_config contains settings related to the OpenSSH client. Learn more about this file its configuration.
/etc/ssh/sshd_config
The configuration file /etc/ssh/sshd_config contains settings related to the OpenSSH server daemon. Learn more about this file its configuration.