Last change: 2025-01-06
Harden Linux system services by restricting systemd units with the SecureBits setting, which enables special behavior related to Linux capabilities.
- capsh
- ps
- sudo
- systemd-run
Last change: 2025-01-06
Harden Linux system services by having systemd units remove any Inter-Process Communication (IPC) objects after a service is stopped.
Last change: 2025-01-06
Harden services on Linux with systemd unit setting PrivateUsers. It defines a new user namespace for the service and provides process capability isolation.
Last change: 2025-01-06
Harden services on Linux by using the systemd unit setting KeyringMode, which defines if the kernel session keyring information is available to the service.
Last change: 2025-01-06
Harden Linux system services by preventing systemd units from changing the hostname or NIS domain name of the system with the unit setting ProtectHostname.
Last change: 2025-01-06
Harden system services on Linux by allowing systemd units to access only the specified paths with read permissions using the unit setting ReadOnlyPaths.
Last change: 2025-01-06
Harden Linux services using the systemd unit setting PrivateMounts, which gives the service its own mount namespace.
Last change: 2025-01-10
Harden the Dovecot IMAP and POP3 server configuration with the help of this predefined profile and leverage systemd sandboxing capabilities.
Last change: 2025-01-06
Harden Linux services by restricting the access of systemd units to the network interfaces of the host system using the PrivateNetwork unit setting.
Last change: 2025-01-06
Harden services on Linux by using the systemd unit setting PrivatePIDs, which allows running a service in its private PID namespace.
Last change: 2025-01-06
Harden the Apache web server configuration with the help of this predefined profile that implements systemd sandboxing capabilities and restricts resources.
Last change: 2025-01-06
Systemd can track the number of network packets and data traffic of services with unit setting IPAccounting. See how to configure this setting for services.
Last change: 2025-01-06
Tighten the already secure OpenSMTPD software on Linux by using this predefined profile that uses the systemd sandboxing options.
Last change: 2025-01-06
Harden system and user services by configuring systemd units with stricter file permissions using the unit setting RuntimeDirectoryMode.
Last change: 2025-01-06
A healthy service should not have configuration issues. Perform a configuration test of the SSH daemon (sshd) by first running it using the '-t' option.
Last change: 2025-01-06
Harden system and user services by configuring systemd units with a strict umask value using the unit setting UMask. Learn how to configure it in your units.
Last change: 2025-01-06
Harden system and user services on Linux by restricting systemd units from using realtime scheduling with the unit setting RestrictRealtime.
Last change: 2025-01-06
Harden services by restricting systemd units from setting the set-user-ID (suid) or set-group-ID (sgid) bit on files with the unit setting RestrictSUIDSGID.
Last change: 2025-01-06
Harden system and user services on Linux by restricting systemd units to only use specified namespaces with the unit setting RestrictNamespaces.
Last change: 2025-01-06
Improve the security of services by defining what Linux capabilities are allowed with the help of systemd unit setting CapabilityBoundingSet.
Last change: 2025-01-06
Restrict the access of systemd units to the kernel tunables in the /proc and /sys directories with the unit setting ProtectKernelTunables.
Last change: 2025-01-06
Learn how to harden systemd units by preventing processes from switching their personality (kernel execution domain) with the LockPersonality setting.
Last change: 2025-01-06
Learn how to harden systemd units by preventing processes and their children from obtaining new privileges with the NoNewPrivileges setting.
Last change: 2025-01-07
Harden Linux services using the systemd unit setting SystemCallArchitectures, to restrict access to files in /dev and limit those to common pseudo-devices.
Last change: 2025-01-06
Harden Linux services using the systemd unit setting PrivateDevices, to restrict access to files in /dev and limit those to common pseudo-devices.
Last change: 2025-01-06
Learn how to harden systemd units by giving processes their own view on temporary directories /tmp and /var/tmp, preventing possible misuse.
Last change: 2025-01-06
Harden system services by using the systemd unit settings such as NoExecPaths to disable program execution from specified paths.
Last change: 2025-01-07
Harden system services by using the systemd unit settings such as ExecPaths and NoExecPaths to allow program execution from only specified paths.
Last change: 2025-01-06
Learn how to harden systemd units by marking some paths within the file system as read-only with the ProtectControlGroups unit setting.
Last change: 2025-01-06
Learn how to harden systemd units by marking some paths within the file system as read-only with the ProtectSystem unit setting.
Last change: 2025-01-06
Harden system and user services by restricting the access of systemd units to clock information with the ProtectClock unit setting.
Last change: 2025-01-06
Harden the nginx configuration with the help of this predefined profile that implements systemd sandboxing capabilities and restricts resources.
Last change: 2025-01-06
Harden system and user services by allowing systemd units to use the bind() system call only on sockets specified with the unit setting SocketBindAllow.
Last change: 2025-01-06
Harden system and user services by restricting systemd units from using the bind() system call on sockets specified with the unit setting SocketBindDeny.
Last change: 2025-01-07
Harden system and user services on Linux by restricting the access of systemd units to devices in the /dev directory with the unit setting DevicePolicy.
Last change: 2025-01-06
Restrict the access of systemd units to devices in the /dev directory with the unit setting DeviceAllow. Learn how to configure it for your services.
Last change: 2025-01-06
Harden system and user services by defining whether they are allowed to use specific syscalls or groups with the systemd unit setting SystemCallFilter.
Last change: 2025-01-06
Block the ability of systemd units to create or alter memory segments so that they become both writable and executable with the unit setting MemoryDenyWriteExecute.
Last change: 2025-01-06
Harden system and user services on Linux by limiting the access of systemd units to specified paths with the unit setting InaccessiblePaths.
Last change: 2025-01-06
Harden system and user services on Linux by allowing systemd units read or write access to only the specified paths with the unit setting ReadWritePaths.
Last change: 2025-01-06
Harden system and user services by restricting the access of systemd units to information from the /proc directory with the unit setting ProcSubset.
Last change: 2025-01-06
Harden system and user services on Linux by restricting systemd units to using only the specified socket address families with the setting RestrictAddressFamilies.
Last change: 2025-01-06
Harden system and user services by restricting the access of systemd units to information from the /proc directory with the unit setting ProtectProc.
Last change: 2025-01-06
Harden system and user services by restricting the access of systemd units to data in home directories with the unit setting ProtectHome.
Last change: 2025-01-06
Secure system and user services by restricting systemd units from reading or writing to the kernel log ring buffer with the unit setting ProtectKernelLogs.
Last change: 2025-01-06
Secure system and user services by restricting systemd units from loading kernel modules with the ProtectKernelModules unit setting.
Last change: 2025-01-07
The configuration file /etc/ssh/ssh_config contains settings related to the OpenSSH client. Learn more about this file and its configuration.
Last change: 2025-01-07
The configuration file /etc/ssh/sshd_config contains settings related to the OpenSSH server daemon. Learn more about this file and its configuration.