Systemd service sandboxing and security hardening (2020)

# · 🔥 291 · 💬 78 · 2 years ago · www.ctrl.blog · capableweb · 📷
Systemd enables services to run with a whole suite of hardening and sandboxing features from the Linux kernel. Here's how to get a quick security review of the services running on your system and how to go about hardening their security. In this article, I'll focus on sandboxing access to the file system as a simple introduction to systemd service security hardening.

The systemd service security review tool was added in version 240. You'll need to be running that or a later version to follow along with this article. Run the systemd-analyze security command to get a security audit of all your systemd services.

Service 9.6 UNSAFE.

The exposure score is entirely based on a service's utilization of security features provided by systemd.

| NAME | DESCRIPTION | EXPOSURE |
|---|---|---|
| PrivateDevices | Service potentially has access to hardware devices | 0.2 |
| PrivateTmp | Service has no access to other software's temporary files | |
| ProtectControlGroups | Service may modify to the control group file system | 0.2 |
| ProtectHome | Service has full access to home directories | 0.2 |
| ProtectKernelTunables | Service may alter kernel tunables | 0.2 |
| ProtectSystem | Service has full access to the OS file hierarchy | 0.2 |
| RestrictSUIDSGID | Service may create SUID/SGID files | 0.2 |
| RootDirectory | Service runs within the host's root directory | 0.1 |

Overall exposure level for httpd.
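
As an added example (not taken from the original article), here is a drop-in that turns on the file-system sandboxing settings listed above for httpd.service. The drop-in file name and the two ReadWritePaths entries are assumptions about a typical httpd layout and must be adjusted to the paths your service really writes to.

```ini
# /etc/systemd/system/httpd.service.d/hardening.conf
# (file name is an assumption; any *.conf in the httpd.service.d directory is read)
[Service]
# Mount the whole OS file hierarchy read-only for this service
# (/dev, /proc and /sys are handled by the settings further down).
ProtectSystem=strict

# Re-open only the directories the service has to write to.
# Assumed paths for a typical httpd install; replace with your own.
ReadWritePaths=/var/log/httpd /run/httpd

# Make /home, /root and /run/user inaccessible and appear empty.
ProtectHome=yes

# Give the service its own /tmp and /var/tmp, invisible to other software.
PrivateTmp=yes

# Provide a minimal private /dev with pseudo-devices only, no hardware devices.
PrivateDevices=yes

# Make kernel tunables under /proc/sys and /sys read-only.
ProtectKernelTunables=yes

# Make the control group file system (/sys/fs/cgroup) read-only.
ProtectControlGroups=yes

# Refuse attempts to set the SUID/SGID bits on files.
RestrictSUIDSGID=yes

# RootDirectory= is left unset here: it needs a prepared root tree for the
# service, so the corresponding line in the review stays flagged.
```

After saving the file, run systemctl daemon-reload, restart the service, and run systemd-analyze security httpd.service again to compare the exposure lines. If the service fails to start, check its journal for denied writes and add the missing directory to ReadWritePaths rather than relaxing ProtectSystem.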


