@timothyklim
Forked from fionn/hardened.service
Created January 21, 2021 14:42
An example secure systemd unit file
[Unit]
Description=Some internet-facing service
After=network.target

[Service]
Type=simple
WorkingDirectory=...
EnvironmentFile=...
ExecStart=...
# Run under a transient UID/GID allocated at start. This also implies
# NoNewPrivileges=, PrivateTmp=, RemoveIPC=, RestrictSUIDSGID=,
# ProtectSystem=strict and ProtectHome=read-only (see systemd.exec(5)).
DynamicUser=true
# Private /dev containing only pseudo-devices (null, zero, random, ...), no physical devices.
PrivateDevices=true
# Hostname, /proc/sys, /sys, kernel module loading, cgroup tree and kernel log buffer are read-only or blocked.
ProtectHostname=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
# Only the native ABI's system calls are allowed (no 32-bit compat calls on x86_64).
SystemCallArchitectures=native
# No personality() changes and no writable+executable memory mappings (this breaks JIT runtimes).
LockPersonality=true
MemoryDenyWriteExecute=true
# Note: /dev here shadows the private /dev that PrivateDevices=true sets up.
InaccessiblePaths=/dev /boot
RestrictRealtime=true
# Own mount namespace; mount changes neither leak in nor out.
PrivateMounts=true
MountFlags=private
# Own user namespace: only the service user and root are mapped, everything else appears as nobody.
PrivateUsers=true
# Every permission bit is masked, so files the service creates get mode 0000.
UMask=0777
# Only IPv4/IPv6 sockets; AF_UNIX, AF_NETLINK, AF_PACKET etc. cannot be created.
RestrictAddressFamilies=AF_INET AF_INET6
RestrictNamespaces=yes
# Drop every capability, both from the bounding set and the ambient set.
CapabilityBoundingSet=
AmbientCapabilities=
# Allow-list the @system-service group, then deny @privileged and @resources on top of it
# (SystemCallFilter= lines accumulate; a ~ prefix turns a line into a deny-list).
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
ProtectKernelLogs=true
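Added example (not part of the gist): a small Python audit that parses a unit's [Service] section the way systemd does (repeated keys accumulate), knows which directives DynamicUser=true already implies, and reports what the unit above still leaves open. The unit text embedded below is a constructed copy of the gist with the elided WorkingDirectory= and ExecStart= values replaced by placeholder paths; the "hardened" variant is derived from it by adding ProtectClock=/ProtectProc= and loosening UMask=, and is likewise an assumption of this example, not the gist author's configuration.

```python
"""Audit a systemd unit's [Service] section for common hardening directives.
Example added to this page; the sample units below are constructed, with
placeholder paths where the gist writes "...".
"""
from collections import defaultdict

# Constructed copy of the gist's unit (placeholder paths, EnvironmentFile= omitted).
GIST_UNIT = """\
[Unit]
Description=Some internet-facing service
After=network.target
[Service]
Type=simple
WorkingDirectory=/var/lib/example
ExecStart=/usr/bin/example-daemon
DynamicUser=true
PrivateDevices=true
ProtectHostname=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
SystemCallArchitectures=native
LockPersonality=true
MemoryDenyWriteExecute=true
InaccessiblePaths=/dev /boot
RestrictRealtime=true
PrivateMounts=true
MountFlags=private
PrivateUsers=true
UMask=0777
RestrictAddressFamilies=AF_INET AF_INET6
RestrictNamespaces=yes
CapabilityBoundingSet=
AmbientCapabilities=
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
ProtectKernelLogs=true
"""

# Constructed "fixed" variant: keep /boot inaccessible, let PrivateDevices= own /dev,
# use an owner-preserving umask and add the two directives the audit asks for.
HARDENED_UNIT = (
    GIST_UNIT.replace("UMask=0777", "UMask=0077")
    .replace("InaccessiblePaths=/dev /boot", "InaccessiblePaths=/boot")
    + "ProtectClock=true\nProtectProc=invisible\n"
)

# Directives a hardened internet-facing service should carry (systemd.exec(5)).
EXPECTED = (
    "NoNewPrivileges", "PrivateTmp", "ProtectSystem", "ProtectHome", "RestrictSUIDSGID",
    "RemoveIPC", "PrivateDevices", "ProtectHostname", "ProtectClock", "ProtectProc",
    "ProtectKernelTunables", "ProtectKernelModules", "ProtectKernelLogs",
    "ProtectControlGroups", "SystemCallArchitectures", "SystemCallFilter",
    "LockPersonality", "MemoryDenyWriteExecute", "RestrictRealtime",
    "RestrictAddressFamilies", "RestrictNamespaces", "CapabilityBoundingSet",
)
# DynamicUser=true switches these on implicitly, so their absence is not a finding.
IMPLIED_BY_DYNAMIC_USER = frozenset(
    {"NoNewPrivileges", "PrivateTmp", "ProtectSystem", "ProtectHome",
     "RestrictSUIDSGID", "RemoveIPC"})


def truthy(value):
    """systemd accepts these spellings for a boolean 'on'."""
    return value.strip().lower() in ("1", "yes", "true", "on")


def parse_unit(text):
    """Return {section: {key: [value, ...]}}. Repeated keys accumulate, as systemd
    does for list-valued directives such as SystemCallFilter=."""
    sections = defaultdict(lambda: defaultdict(list))
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":       # blank lines and comments
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip()].append(value.strip())
    return sections


def audit(unit_text):
    """Return a list of human-readable findings; an empty list means nothing to report."""
    svc = parse_unit(unit_text).get("Service", {})
    findings = []
    dynamic = any(truthy(v) for v in svc.get("DynamicUser", []))
    for key in EXPECTED:
        if key not in svc and not (dynamic and key in IMPLIED_BY_DYNAMIC_USER):
            findings.append(f"{key} not set")
    # A umask that clears all owner bits leaves every created file at mode 0000,
    # so not even the service user can reopen it afterwards.
    for umask in svc.get("UMask", []):
        if int(umask, 8) & 0o700 == 0o700:
            findings.append(f"UMask={umask} masks the owner bits: created files get mode 0000")
    # InaccessiblePaths=/dev shadows the private /dev that PrivateDevices= provides,
    # so device nodes such as /dev/null and /dev/urandom become unreachable.
    private_dev = any(truthy(v) for v in svc.get("PrivateDevices", []))
    for paths in svc.get("InaccessiblePaths", []):
        if private_dev and "/dev" in paths.split():
            findings.append("InaccessiblePaths=/dev shadows the private /dev from PrivateDevices=true")
    return findings


if __name__ == "__main__":
    for name, unit in (("gist", GIST_UNIT), ("hardened", HARDENED_UNIT)):
        print(f"{name}: {audit(unit) or 'no findings'}")
```

Running the script lists, for the gist's unit, the two directives that DynamicUser= does not imply (ProtectClock=, ProtectProc=) plus the UMask= and /dev observations, and nothing for the derived variant. On a real host, `systemd-analyze security <unit>` gives systemd's own, more complete version of this scoring.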