Hardened systemd unit (4.8 score)

2024-07-30 14:44:15 +02:00
parent 5ebad367b4
commit 2082ccb5b5
1 changed files with 11 additions and 1 deletions
--- a/files/usertwist.service
+++ b/files/usertwist.service
@@ -5,6 +5,16 @@ Description=Simple Web Service
 User=usertwist
 Group=usertwist
 ExecStart=/usr/local/bin/usertwist
+PrivateTmp=yes
+NoNewPrivileges=true
+RestrictNamespaces=uts ipc pid user cgroup
+ProtectSystem=strict
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectControlGroups=yes
+PrivateDevices=yes
+RestrictSUIDSGID=true

 [Install]
-WantedBy=multi-user.target
+WantedBy=multi-user.target