Service Hardening

RuntimeDirectoryMode setting

Harden system and user services by configuring systemd units with more strict file permissions using the unit setting RuntimeDirectoryMode.

UMask setting

Harden system and user services by configuring systemd units with a strict umask value using the unit setting UMask. Learn how to configure it in your units.

RestrictRealtime setting

Harden system and user services on Linux by restricting systemd units to use realtime scheduling with the unit setting RestrictRealtime.

RestrictSUIDSGID setting

Harden services by restricting systemd units to set the set-user-ID (suid) or set-group-ID (sgid) bit on files with the unit setting RestrictSUIDSGID.

RestrictNamespaces setting

Harden system and user services on Linux by restricting systemd units to only use specified namespaces with the unit setting RestrictNamespaces.

ProtectKernelTunables setting

Restrict systemd units to access information from the kernel tunables in the /proc and /sys directories with the unit setting ProtectKernelTunables.

LockPersonality setting

Learn how to harden systemd units by preventing processes from switching their personality (kernel execution domain) with the LockPersonality setting.

NoNewPrivileges setting

Learn how to harden systemd unit by preventing processes and their children from obtaining new privilege with the NoNewPrivileges setting.

SystemCallArchitectures setting

Harden Linux services using the systemd unit setting SystemCallArchitectures, to restrict access to files in /dev and limit those to common pseudo-devices.

PrivateDevices setting

Harden Linux services using the systemd unit setting PrivateDevices, to restrict access to files in /dev and limit those to common pseudo-devices.

PrivateTmp setting

Learn how to harden systemd units by giving processes their own view on temporary directories /tmp and /var/tmp, preventing possible misuse.

NoExecPaths setting

Harden system services by using the systemd unit settings such as NoExecPaths to disable program execution from specified paths.

ExecPaths setting

Harden system services by using the systemd unit settings such as ExecPaths and NoExecPaths to allow program execution from only specified paths.

ProtectControlGroups setting

Learn how to harden systemd units by marking some paths within the file system as read-only with the ProtectControlGroups unit setting.

ProtectSystem setting

Learn how to harden systemd units by marking some paths within the file system as read-only with the ProtectSystem unit setting.

ProtectClock setting

Harden system and user services by restricting systemd units to access clock information with the ProtectClock unit setting.

SocketBindAllow setting

Harden system and user services by allowing systemd units to only use system call bind() on sockets specified with the unit setting SocketBindAllow.

SocketBindDeny setting

Harden system and user services by restricting systemd units to use system call bind() on sockets specified with the unit setting SocketBindDeny.

DevicePolicy setting

Harden system and user services on Linux by restricting systemd units to access devices in the /dev directory with the unit setting DevicePolicy.

DeviceAllow setting

Restrict systemd units to access devices in the /dev directory with the unit setting DeviceAllow. Learn how to configure it for your services.

MemoryDenyWriteExecute setting

Block the ability for systemd units to create or alter memory segments to become writable and executable as well with the unit setting MemoryDenyWriteExecute.

InaccessiblePaths setting

Harden system and user services on Linux by limiting systemd units to access specified paths with the unit setting InaccessiblePaths.

ReadWritePaths setting

Harden system and user services on Linux by allowing systemd units access to only the specified paths to read or write with the unit setting ReadWritePaths.

RestrictAddressFamilies setting

Harden system and user services on Linux by restricting systemd units using only the specified socket address families with setting RestrictAddressFamilies.

ProtectProc setting

Harden system and user services by restricting systemd units to access information from the /proc directory with the unit setting ProtectProc.

ProtectKernelModules setting

Secure system and user services by restricting systemd units to load kernel modules with the ProtectKernelModules unit setting.