Configuration
Apache hardening profile
Harden the Apache web server configuration with the help of this predefined profile that implements systemd sandboxing capabilities and restricting resources.
IPAccounting setting
Systemd can track the number of network packets and data traffic of services with unit setting IPAccounting. See how to configure this setting for services.
OpenSMTPD hardening profile
Tighten the already secure OpenSMTPD software on Linux by using this predefined profile that uses the systemd sandboxing options.
RuntimeDirectoryMode setting
Harden system and user services by configuring systemd units with more strict file permissions using the unit setting RuntimeDirectoryMode.
How to test the sshd configuration for configuration errors?
A healthy service should not have configuration issues. Perform a configuration test of the SSH daemon (sshd) by first running it using the '-t' option.
UMask setting
Harden system and user services by configuring systemd units with a strict umask value using the unit setting UMask. Learn how to configure it in your units.
RestrictRealtime setting
Harden system and user services on Linux by restricting systemd units to use realtime scheduling with the unit setting RestrictRealtime.
RestrictSUIDSGID setting
Harden services by restricting systemd units to set the set-user-ID (suid) or set-group-ID (sgid) bit on files with the unit setting RestrictSUIDSGID.
RestrictNamespaces setting
Harden system and user services on Linux by restricting systemd units to only use specified namespaces with the unit setting RestrictNamespaces.
CapabilityBoundingSet setting
Improve the security of services by defining what Linux capabilities are allowed with the help of systemd unit setting CapabilityBoundingSet.
ProtectKernelTunables setting
Restrict systemd units to access information from the kernel tunables in the /proc and /sys directories with the unit setting ProtectKernelTunables.
LockPersonality setting
Learn how to harden systemd units by preventing processes from switching their personality (kernel execution domain) with the LockPersonality setting.
NoNewPrivileges setting
Learn how to harden systemd unit by preventing processes and their children from obtaining new privilege with the NoNewPrivileges setting.
SystemCallArchitectures setting
Harden Linux services using the systemd unit setting SystemCallArchitectures, to restrict access to files in /dev and limit those to common pseudo-devices.
PrivateDevices setting
Harden Linux services using the systemd unit setting PrivateDevices, to restrict access to files in /dev and limit those to common pseudo-devices.
PrivateTmp setting
Learn how to harden systemd units by giving processes their own view on temporary directories /tmp and /var/tmp, preventing possible misuse.
NoExecPaths setting
Harden system services by using the systemd unit settings such as NoExecPaths to disable program execution from specified paths.
ExecPaths setting
Harden system services by using the systemd unit settings such as ExecPaths and NoExecPaths to allow program execution from only specified paths.
ProtectControlGroups setting
Learn how to harden systemd units by marking some paths within the file system as read-only with the ProtectControlGroups unit setting.
ProtectSystem setting
Learn how to harden systemd units by marking some paths within the file system as read-only with the ProtectSystem unit setting.
ProtectClock setting
Harden system and user services by restricting systemd units to access clock information with the ProtectClock unit setting.
Nginx hardening profile
Harden the nginx configuration with the help of this predefined profile that implements systemd sandboxing capabilities and restricting resources.
SocketBindAllow setting
Harden system and user services by allowing systemd units to only use system call bind() on sockets specified with the unit setting SocketBindAllow.
SocketBindDeny setting
Harden system and user services by restricting systemd units to use system call bind() on sockets specified with the unit setting SocketBindDeny.
DevicePolicy setting
Harden system and user services on Linux by restricting systemd units to access devices in the /dev directory with the unit setting DevicePolicy.
DeviceAllow setting
Restrict systemd units to access devices in the /dev directory with the unit setting DeviceAllow. Learn how to configure it for your services.
SystemCallFilter setting
Harden system and users services, by defining if they are allowed to use specific syscalls or groups, with the use of systemd unit setting SystemCallFilter.
MemoryDenyWriteExecute setting
Block the ability for systemd units to create or alter memory segments to become writable and executable as well with the unit setting MemoryDenyWriteExecute.
InaccessiblePaths setting
Harden system and user services on Linux by limiting systemd units to access specified paths with the unit setting InaccessiblePaths.
ReadWritePaths setting
Harden system and user services on Linux by allowing systemd units access to only the specified paths to read or write with the unit setting ReadWritePaths.
ProcSubset setting
Harden system and user services by restricting systemd units to access information from the /proc directory with the unit setting ProcSubset.
RestrictAddressFamilies setting
Harden system and user services on Linux by restricting systemd units using only the specified socket address families with setting RestrictAddressFamilies.
ProtectProc setting
Harden system and user services by restricting systemd units to access information from the /proc directory with the unit setting ProtectProc.
ProtectHome setting
Harden system and user services by restricting systemd units to access data in home directories with the unit setting ProtectHome.
ProtectKernelLogs setting
Secure system and user services by restricting systemd units to read or write to the kernel log ring buffer with the unit setting ProtectKernelLogs.
ProtectKernelModules setting
Secure system and user services by restricting systemd units to load kernel modules with the ProtectKernelModules unit setting.
/etc/ssh/ssh_config
The configuration file /etc/ssh/ssh_config contains settings related to the OpenSSH client. Learn more about this file its configuration.
/etc/ssh/sshd_config
The configuration file /etc/ssh/sshd_config contains settings related to the OpenSSH server daemon. Learn more about this file its configuration.