Configuration

Apache hardening profile

Harden the Apache web server configuration with the help of this predefined profile that implements systemd sandboxing capabilities and restricting resources.

IPAccounting setting

Systemd can track the number of network packets and data traffic of services with unit setting IPAccounting. See how to configure this setting for services.

OpenSMTPD hardening profile

Tighten the already secure OpenSMTPD software on Linux by using this predefined profile that uses the systemd sandboxing options.

RuntimeDirectoryMode setting

Harden system and user services by configuring systemd units with more strict file permissions using the unit setting RuntimeDirectoryMode.

How to test the sshd configuration for configuration errors?

A healthy service should not have configuration issues. Perform a configuration test of the SSH daemon (sshd) by first running it using the '-t' option.

UMask setting

Harden system and user services by configuring systemd units with a strict umask value using the unit setting UMask. Learn how to configure it in your units.

RestrictRealtime setting

Harden system and user services on Linux by restricting systemd units to use realtime scheduling with the unit setting RestrictRealtime.

RestrictSUIDSGID setting

Harden services by restricting systemd units to set the set-user-ID (suid) or set-group-ID (sgid) bit on files with the unit setting RestrictSUIDSGID.

RestrictNamespaces setting

Harden system and user services on Linux by restricting systemd units to only use specified namespaces with the unit setting RestrictNamespaces.

CapabilityBoundingSet setting

Improve the security of services by defining what Linux capabilities are allowed with the help of systemd unit setting CapabilityBoundingSet.

ProtectKernelTunables setting

Restrict systemd units to access information from the kernel tunables in the /proc and /sys directories with the unit setting ProtectKernelTunables.

LockPersonality setting

Learn how to harden systemd units by preventing processes from switching their personality (kernel execution domain) with the LockPersonality setting.

NoNewPrivileges setting

Learn how to harden systemd unit by preventing processes and their children from obtaining new privilege with the NoNewPrivileges setting.

SystemCallArchitectures setting

Harden Linux services using the systemd unit setting SystemCallArchitectures, to restrict access to files in /dev and limit those to common pseudo-devices.

PrivateDevices setting

Harden Linux services using the systemd unit setting PrivateDevices, to restrict access to files in /dev and limit those to common pseudo-devices.

PrivateTmp setting

Learn how to harden systemd units by giving processes their own view on temporary directories /tmp and /var/tmp, preventing possible misuse.

NoExecPaths setting

Harden system services by using the systemd unit settings such as NoExecPaths to disable program execution from specified paths.

ExecPaths setting

Harden system services by using the systemd unit settings such as ExecPaths and NoExecPaths to allow program execution from only specified paths.

ProtectControlGroups setting

Learn how to harden systemd units by marking some paths within the file system as read-only with the ProtectControlGroups unit setting.

ProtectSystem setting

Learn how to harden systemd units by marking some paths within the file system as read-only with the ProtectSystem unit setting.

ProtectClock setting

Harden system and user services by restricting systemd units to access clock information with the ProtectClock unit setting.

Nginx hardening profile

Harden the nginx configuration with the help of this predefined profile that implements systemd sandboxing capabilities and restricting resources.

SocketBindAllow setting

Harden system and user services by allowing systemd units to only use system call bind() on sockets specified with the unit setting SocketBindAllow.

SocketBindDeny setting

Harden system and user services by restricting systemd units to use system call bind() on sockets specified with the unit setting SocketBindDeny.

DevicePolicy setting

Harden system and user services on Linux by restricting systemd units to access devices in the /dev directory with the unit setting DevicePolicy.

DeviceAllow setting

Restrict systemd units to access devices in the /dev directory with the unit setting DeviceAllow. Learn how to configure it for your services.

SystemCallFilter setting

Harden system and users services, by defining if they are allowed to use specific syscalls or groups, with the use of systemd unit setting SystemCallFilter.

MemoryDenyWriteExecute setting

Block the ability for systemd units to create or alter memory segments to become writable and executable as well with the unit setting MemoryDenyWriteExecute.

InaccessiblePaths setting

Harden system and user services on Linux by limiting systemd units to access specified paths with the unit setting InaccessiblePaths.

ReadWritePaths setting

Harden system and user services on Linux by allowing systemd units access to only the specified paths to read or write with the unit setting ReadWritePaths.

ProcSubset setting

Harden system and user services by restricting systemd units to access information from the /proc directory with the unit setting ProcSubset.

RestrictAddressFamilies setting

Harden system and user services on Linux by restricting systemd units using only the specified socket address families with setting RestrictAddressFamilies.

ProtectProc setting

Harden system and user services by restricting systemd units to access information from the /proc directory with the unit setting ProtectProc.

ProtectHome setting

Harden system and user services by restricting systemd units to access data in home directories with the unit setting ProtectHome.

ProtectKernelLogs setting

Secure system and user services by restricting systemd units to read or write to the kernel log ring buffer with the unit setting ProtectKernelLogs.

ProtectKernelModules setting

Secure system and user services by restricting systemd units to load kernel modules with the ProtectKernelModules unit setting.

/etc/ssh/ssh_config

The configuration file /etc/ssh/ssh_config contains settings related to the OpenSSH client. Learn more about this file its configuration.

/etc/ssh/sshd_config

The configuration file /etc/ssh/sshd_config contains settings related to the OpenSSH server daemon. Learn more about this file its configuration.