Harden Linux system services by restricting systemd units with the SecureBits setting, which enables special behavior related to Linux capabilities.
Sandboxing
Articles about Sandboxing
Harden Linux system services by configuring systemd units to remove any Inter-Process Communication (IPC) objects when a service is stopped.
Harden services on Linux with systemd unit setting PrivateUsers. It defines a new user namespace for the service and provides process capability isolation.
Harden services on Linux by using the systemd unit setting KeyringMode, which defines if the kernel session keyring information is available to the service.
Harden Linux system services by restricting systemd units from changing the hostname or NIS domain name of the system with the unit setting ProtectHostname.
Harden system and user services on Linux by giving systemd units read-only access to the specified paths using the unit setting ReadOnlyPaths.
Harden Linux services by restricting systemd units from accessing the network interfaces of the host system using the PrivateNetwork unit setting.
Harden services on Linux by using the systemd unit setting PrivatePIDs, which allows running a service in its private PID namespace.
Firejail is a tool to sandbox applications and restrict what they can do. It is a useful tool to limit the risk of privilege escalation and exploits.
Harden system and user services by configuring systemd units with stricter file permissions using the unit setting RuntimeDirectoryMode.
Harden system and user services by configuring systemd units with a strict umask value using the unit setting UMask. Learn how to configure it in your units.
Harden system and user services on Linux by restricting systemd units from using realtime scheduling with the unit setting RestrictRealtime.
Harden services by restricting systemd units from setting the set-user-ID (suid) or set-group-ID (sgid) bit on files with the unit setting RestrictSUIDSGID.
Harden system and user services on Linux by restricting systemd units to only use specified namespaces with the unit setting RestrictNamespaces.
Improve the security of services by defining which Linux capabilities are allowed with the systemd unit setting CapabilityBoundingSet.
Restrict systemd units from accessing the kernel tunables in the /proc and /sys directories with the unit setting ProtectKernelTunables.
Learn how to harden systemd units by preventing processes and their children from obtaining new privileges with the NoNewPrivileges setting.
Harden Linux services using the systemd unit setting SystemCallArchitectures, to restrict access to files in /dev and limit those to common pseudo-devices.
Learn how to harden systemd units by giving processes their own view on temporary directories /tmp and /var/tmp, preventing possible misuse.
Harden system services by using the systemd unit settings such as ExecPaths and NoExecPaths to allow program execution from only specified paths.
Learn how to harden systemd units by marking some paths within the file system as read-only with the ProtectControlGroups unit setting.
Learn how to harden systemd units by marking some paths within the file system as read-only with the ProtectSystem unit setting.
Harden system and user services by restricting systemd units from accessing clock information with the ProtectClock unit setting.
Harden system and user services by allowing systemd units to only use system call bind() on sockets specified with the unit setting SocketBindAllow.
Harden system and user services by restricting systemd units from using the system call bind() on the sockets specified with the unit setting SocketBindDeny.
Harden system and user services on Linux by restricting systemd units from accessing devices in the /dev directory with the unit setting DevicePolicy.
Restrict which devices in the /dev directory systemd units may access with the unit setting DeviceAllow. Learn how to configure it for your services.
Harden system and user services by defining whether they are allowed to use specific syscalls or syscall groups, with the systemd unit setting SystemCallFilter.
Block systemd units from creating or altering memory segments so that they become both writable and executable with the unit setting MemoryDenyWriteExecute.
Harden system and user services on Linux by blocking systemd units from accessing the specified paths with the unit setting InaccessiblePaths.
Harden system and user services on Linux by allowing systemd units access to only the specified paths to read or write with the unit setting ReadWritePaths.
Harden system and user services by restricting systemd units from accessing information in the /proc directory with the unit setting ProcSubset.
Harden system and user services on Linux by restricting systemd units to using only the specified socket address families with the setting RestrictAddressFamilies.
Harden system and user services by restricting systemd units from accessing information in the /proc directory with the unit setting ProtectProc.
Harden system and user services by restricting systemd units from accessing data in home directories with the unit setting ProtectHome.
Secure system and user services by restricting systemd units from reading or writing the kernel log ring buffer with the unit setting ProtectKernelLogs.
Secure system and user services by restricting systemd units from loading kernel modules with the ProtectKernelModules unit setting.