Service Hardening
UMask setting
Harden services by configuring systemd units with a strict umask value using the unit setting UMask.
RestrictRealtime setting
Harden services by restricting systemd units to use realtime scheduling with the unit setting RestrictRealtime.
RestrictSUIDSGID setting
Harden services by restricting systemd units to set the set-user-ID (suid) or set-group-ID (sgid) bit on files with the unit setting RestrictSUIDSGID.
RestrictNamespaces setting
Harden services by restricting systemd units to only specified namespaces with the unit setting RestrictNamespaces.
ProtectKernelTunables setting
Restrict systemd units to access information from the kernel tunables in the /proc and /sys directories with the unit setting ProtectKernelTunables.
LockPersonality setting
Learn how to harden systemd unit by preventing processes and their children from switching their personality, a kernel execution domain, with the LockPersonality setting.
NoNewPrivileges setting
Learn how to harden systemd unit by preventing processes and their children from obtaining new privilege with the NoNewPrivileges setting.
SystemCallArchitectures setting
Harden Linux services using the systemd unit setting SystemCallArchitectures, to restrict access to files in /dev and limit those to common pseudo-devices.
PrivateDevices setting
Harden Linux services using the systemd unit setting PrivateDevices, to restrict access to files in /dev and limit those to common pseudo-devices.
PrivateTmp setting
Learn how to harden systemd units by giving processes their own view on temporary directories /tmp and /var/tmp, preventing possible misuse.
NoExecPaths setting
Harden system services by using the systemd unit settings such as NoExecPaths to disable program execution from specified paths.
ExecPaths setting
Harden system services by using the systemd unit settings such as ExecPaths and NoExecPaths to allow program execution from only specified paths.
ProtectControlGroups setting
Learn how to harden systemd units by marking some paths within the file system as read-only with the ProtectControlGroups unit setting.
ProtectSystem setting
Learn how to harden systemd units by marking some paths within the file system as read-only with the ProtectSystem unit setting.
ProtectClock setting
Learn how to harden systemd units by limiting access to clock information with the ProtectClock unit setting.
SocketBindAllow setting
Allow systemd units to use system call bind() on sockets specified with the unit setting SocketBindAllow.
SocketBindDeny setting
Restrict systemd units to use system call bind() on sockets specified with the unit setting SocketBindDeny.
DevicePolicy setting
Restrict systemd units to access devices in the /dev directory with the unit setting DevicePolicy.
DeviceAllow setting
Restrict systemd units to access devices in the /dev directory with the unit setting DeviceAllow.
MemoryDenyWriteExecute setting
Block the ability for systemd units to create or alter memory segments to become writable and executable as well with the unit setting MemoryDenyWriteExecute.
InaccessiblePaths setting
Block systemd units to access specified paths with the unit setting InaccessiblePaths.
ReadWritePaths setting
Grant systemd units to specified paths to read from and write to new or existing files with the unit setting ReadWritePaths.
RestrictAddressFamilies setting
Restrict systemd units using only specified socket address families with the unit setting RestrictAddressFamilies.
ProtectProc setting
Restrict systemd units to access information from the /proc directory with the unit setting ProtectProc.
ProtectKernelModules setting
Restrict systemd units to load kernel modules with the ProtectKernelModules unit setting.