@kanna5
Created October 9, 2020 09:46
Common security options for systemd service units

For RHEL 8 / Newer versions of systemd

ProtectSystem=strict
ProtectHome=yes
PrivateDevices=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
SystemCallFilter=@system-service
SystemCallErrorNumber=EPERM
NoNewPrivileges=yes
PrivateTmp=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
MemoryDenyWriteExecute=yes
LockPersonality=yes

Option to allow read/write access to specific paths

ReadWritePaths=

To allow several paths, either repeat ReadWritePaths= once per path or list several paths in a single ReadWritePaths=, separated by spaces. Each path may optionally be enclosed in double quotes.
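
A check that reports which options from the RHEL 8 list above a unit's [Service] section lacks or sets to a different value. It is an added example, not part of the gist or of systemd: `audit_unit`, `sample_unit` and the sample unit are constructed for illustration. It assumes no whitespace around `=` and lets the last assignment of a repeated key win.

```shell
# Baseline: the gist's option list for RHEL 8 / newer systemd.
BASELINE='ProtectSystem=strict
ProtectHome=yes
PrivateDevices=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
SystemCallFilter=@system-service
SystemCallErrorNumber=EPERM
NoNewPrivileges=yes
PrivateTmp=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
MemoryDenyWriteExecute=yes
LockPersonality=yes'

# audit_unit [FILE]: list baseline options a unit (file or stdin) lacks or changes.
audit_unit() {
    BASELINE="$BASELINE" awk '
        function norm(v) { return (v == "true" || v == "on" || v == "1") ? "yes" : v }  # true-boolean spellings
        BEGIN {
            n = split(ENVIRON["BASELINE"], line, "\n")
            for (i = 1; i <= n; i++) {
                p = index(line[i], "="); key[i] = substr(line[i], 1, p - 1)
                want[key[i]] = substr(line[i], p + 1)
            }
        }
        /^\[/ { in_svc = ($0 == "[Service]"); next }   # track the current section
        in_svc && (p = index($0, "=")) {
            k = substr($0, 1, p - 1)
            if (k in want) have[k] = substr($0, p + 1)
        }
        END {
            for (i = 1; i <= n; i++) {
                k = key[i]
                if (!(k in have)) print "MISSING " k "=" want[k]
                else if (norm(have[k]) != want[k]) print "DIFFERS " k "=" have[k]
            }
        }
    ' "$@"
}

# Constructed sample unit (not from the gist) to exercise the check.
sample_unit() {
    printf '%s\n' '[Service]' 'ProtectSystem=full' 'ProtectHome=true' 'PrivateTmp=yes'
}
sample_unit | audit_unit
```

To include drop-in overrides, pipe the output of `systemctl cat NAME.service` into `audit_unit` instead of passing a single file.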

For RHEL 7 / Older versions of systemd

ProtectSystem=full
ProtectHome=yes
PrivateDevices=yes
NoNewPrivileges=yes
PrivateTmp=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK

Option to allow read/write access to specific paths

ReadWriteDirectories=

Ref: https://gist.github.com/ageis/f5595e59b1cddb1513d1b425a323db04
Ref: https://www.redhat.com/sysadmin/mastering-systemd
Ref: https://www.redhat.com/sysadmin/systemd-secure-services
