Skip to content

Instantly share code, notes, and snippets.

@fionn
Last active January 21, 2021 14:42
Show Gist options
  • Save fionn/88b6c400cd3ce0dc20ca8d043494b999 to your computer and use it in GitHub Desktop.
Save fionn/88b6c400cd3ce0dc20ca8d043494b999 to your computer and use it in GitHub Desktop.
An example secure systemd unit file
[Unit]
Description=Some internet-facing service
After=network.target
[Service]
Type=simple
WorkingDirectory=...
EnvironmentFile=...
ExecStart=...
DynamicUser=true
PrivateDevices=true
ProtectHostname=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
SystemCallArchitectures=native
LockPersonality=true
MemoryDenyWriteExecute=true
InaccessiblePaths=/dev /boot
RestrictRealtime=true
PrivateMounts=true
MountFlags=private
PrivateUsers=true
UMask=0777
RestrictAddressFamilies=AF_INET AF_INET6
RestrictNamespaces=yes
CapabilityBoundingSet=
AmbientCapabilities=
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
ProtectKernelLogs=true
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment