From 2082ccb5b52ad0363427167afc50ff554fe3c5a8 Mon Sep 17 00:00:00 2001
From: Mateo
Date: Tue, 30 Jul 2024 14:44:15 +0200
Subject: [PATCH] Hardened systemd unit (4.8 score)

---
 files/usertwist.service | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/files/usertwist.service b/files/usertwist.service
index 17cd2d9..ea45de5 100644
--- a/files/usertwist.service
+++ b/files/usertwist.service
@@ -5,6 +5,16 @@ Description=Simple Web Service
 User=usertwist
 Group=usertwist
 ExecStart=/usr/local/bin/usertwist
+PrivateTmp=yes
+NoNewPrivileges=true
+RestrictNamespaces=uts ipc pid user cgroup
+ProtectSystem=strict
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectControlGroups=yes
+PrivateDevices=yes
+RestrictSUIDSGID=true
 
 [Install]
-WantedBy=multi-user.target
+WantedBy=multi-user.target
\ No newline at end of file
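Review bot: `RestrictNamespaces=uts ipc pid user cgroup` is an allow-list, so the added line lets the service create exactly those namespace types (user namespaces included) and blocks only `net` and `mnt`, which looks like the opposite of the hardening intent. If the service creates no namespaces, use `RestrictNamespaces=yes`; to deny just these types, prefix the list with a tilde: `RestrictNamespaces=~uts ipc pid user cgroup`. Separately, with `User=usertwist` the `CapabilityBoundingSet=CAP_NET_BIND_SERVICE` line only limits what the process could acquire; if the binary binds a port below 1024 it would presumably also need `AmbientCapabilities=CAP_NET_BIND_SERVICE`, and if it does not, an empty `CapabilityBoundingSet=` is tighter. The hunk also drops the file's final newline after `WantedBy=multi-user.target`, which is worth restoring.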