
SystemD Service Hardening


Discover additional security options for systemd units, including quadlets. These options cover everything from system permissions, time management, BPF, syscall & seccomp filters, etc., all to make your system more secure.

This doc though is meant to provide a snapshot of a number of hardening options that you can apply to systemd service units and podman quadlets to increase the overall security posture and reduce both the likelihood of compromise and the blast radius post-exploitation. And yes, for all the Stallman incarnates out there, I understand that Linux is a kernel and GNU corelibs and userspace all unite in some unholy ceremony to make a usable operating system.

AmbientCapabilities, AppArmorProfile, CapabilityBoundingSet, DeviceAllow, DynamicUser, Group, InaccessiblePaths, IPAddressAllow, IPAddressDeny, LockPersonality, MemoryDenyWriteExecute, NoExecPaths, NoNewPrivileges, PrivateDevices, PrivateIPC, PrivateNetwork, PrivateTmp, PrivateUsers, ProcSubset, ProtectClock, ProtectControlGroups, ProtectHome, ProtectHostname, ProtectKernelLogs, ProtectKernelModules, ProtectKernelTunables, ProtectProc, ProtectSystem, ReadOnlyPaths, ReadWritePaths, RemoveIPC, RestrictAddressFamilies, RestrictFileSystems, RestrictNamespaces, RestrictNetworkInterfaces, RestrictRealtime, RestrictSUIDSGID, SocketBindAllow, SupplementaryGroups, SystemCallArchitectures, SystemCallFilter, TemporaryFileSystem, UMask, User
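To show how a subset of the options listed above combine in practice, here is a drop-in for a network daemon. It is an added example, not taken from the original doc. The unit name `exampled.service`, the `exampled` account and the `/var/lib/exampled` path are hypothetical, and it assumes the daemon only talks TCP/UDP to localhost and writes only to its own state directory.

```ini
# /etc/systemd/system/exampled.service.d/hardening.conf  (hypothetical unit name)
# Apply with: systemctl daemon-reload && systemctl restart exampled.service
# Review the resulting exposure with: systemd-analyze security exampled.service
[Service]
# Identity: run unprivileged (hypothetical account) and never regain privileges
User=exampled
Group=exampled
NoNewPrivileges=yes
CapabilityBoundingSet=
AmbientCapabilities=
RestrictSUIDSGID=yes
UMask=0077

# Filesystem: everything read-only except the state directory (assumed path)
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes
ReadWritePaths=/var/lib/exampled

# Kernel and /proc surface
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
ProtectClock=yes
ProtectHostname=yes
ProtectProc=invisible
ProcSubset=pid

# Process behaviour
LockPersonality=yes
MemoryDenyWriteExecute=yes
RestrictNamespaces=yes
RestrictRealtime=yes
RemoveIPC=yes

# Syscalls: allow the common service set, then subtract privileged groups
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources

# Network: IP and Unix sockets only, traffic limited to localhost (assumption)
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
IPAddressDeny=any
IPAddressAllow=localhost
```

Settings such as `MemoryDenyWriteExecute=yes` break JIT-based runtimes, and an over-tight `SystemCallFilter` kills the process on the first denied call, so tighten one group at a time and watch the journal after each restart.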
