To get an overview of the current system:
# systemd-analyze security
You need systemd version 240 or newer for this to work; check with systemd-analyze --version. If not... that sucks I guess? I don't know of a way to upgrade without horribly breaking everything.
To see more details about a particular service (such as why it was given the score it was), give its name to the previous command:
# systemd-analyze security cron
Unit files themselves are located in /usr/lib/systemd/system, but you shouldn't edit those since your changes are likely to get overwritten by package upgrades. Instead, create drop-in files which overlay additional settings on top of the ones already set in the aforementioned /usr path. These go into /etc/systemd/system/<unit>.d/, where <unit> is the full name of the unit to edit, suffix included (so for cron that is /etc/systemd/system/cron.service.d/), and the file itself must end in .conf. Running sudo systemctl edit cron creates a drop-in in exactly that location for you.
Edit with sudoedit, preferably. Make backups if you're unsure, and ideally apply settings one at a time, restarting the service after each one so you can tell which setting broke it.
To apply changes, restart the service, and check status:
$ sudo systemctl daemon-reload # applies changes
$ sudo systemctl restart cron # restart the service
$ sudo systemctl status cron # check status to make sure it didn't break
Optionally, you can also hunt for typos and unknown directives in a specific unit (drop-ins included) with:
$ sudo systemd-analyze verify lvm2-lvmpolld.service # check validity of the lvm2-lvmpolld.service unit
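The "one setting at a time, restart, check" loop above is tedious by hand, so here it is as a script. This is an added example, not something from the original page: the drop-in file name hardening.conf and the SYSTEMCTL / SYSTEMD_ROOT override variables are my own choices so the script can be dry-run against a scratch directory, and the fake systemctl used for that is constructed for the demonstration. Each directive is appended to the drop-in, the reload/restart/is-active sequence is run, and a directive that leaves the unit down is reverted and reported.

```shell
#!/bin/sh
# Added example (not from the original page): harden a unit the way the text
# describes, one directive at a time, keeping only the ones the service survives.
# Assumptions of my own: the drop-in is named hardening.conf, and the
# SYSTEMCTL / SYSTEMD_ROOT variables exist only so the script can be dry-run.
set -eu

: "${SYSTEMD_ROOT:=}"          # prefix for /etc; empty means the live system
: "${SYSTEMCTL:=systemctl}"    # command (or shell function) used to drive systemd

# dropin_path cron.service  ->  /etc/systemd/system/cron.service.d/hardening.conf
dropin_path() {
    printf '%s/etc/systemd/system/%s.d/hardening.conf\n' "$SYSTEMD_ROOT" "$1"
}

# write_dropin UNIT [DIRECTIVE...]: (re)write the drop-in under a [Service] header
write_dropin() {
    wd_unit=$1; shift
    wd_path=$(dropin_path "$wd_unit")
    mkdir -p "$(dirname "$wd_path")"
    {
        printf '[Service]\n'
        for wd_line in "$@"; do printf '%s\n' "$wd_line"; done
    } > "$wd_path"
}

# valid_directive KEY=VALUE: a sanity check before anything reaches systemd
valid_directive() {
    case $1 in
        *' '*)    return 1 ;;   # one directive per argument, no spaces
        [A-Z]*=*) return 0 ;;   # systemd directives are CamelCase=value
        *)        return 1 ;;
    esac
}

# service_healthy UNIT: the reload / restart / status sequence from the text
service_healthy() {
    "$SYSTEMCTL" daemon-reload &&
    "$SYSTEMCTL" restart "$1" &&
    "$SYSTEMCTL" is-active --quiet "$1"
}

# harden UNIT DIRECTIVE...: add directives one by one; a directive that stops
# the unit from coming back up is reverted and reported. Prints the kept set.
harden() {
    unit=$1; shift
    kept=""
    for d in "$@"; do
        if ! valid_directive "$d"; then
            echo "skipping malformed directive: $d" >&2
            continue
        fi
        # $kept is deliberately unquoted: it holds space-separated directives
        write_dropin "$unit" $kept "$d"
        if service_healthy "$unit"; then
            kept="$kept $d"
        else
            echo "reverting $d: $unit did not come back up" >&2
            write_dropin "$unit" $kept
            service_healthy "$unit" || echo "warning: $unit still down after revert" >&2
        fi
    done
    printf '%s\n' "${kept# }"
}

# Usage: sudo ./harden.sh cron.service PrivateTmp=yes NoNewPrivileges=yes ProtectSystem=full
if [ "$#" -ge 2 ]; then
    harden "$@"
fi
```

When a directive gets reverted, sudo journalctl -u <unit> -e shows why the restart failed; the "unable to open logs" message the apache2 section below mentions is the kind of thing you find there. Running the script with SYSTEMD_ROOT pointed at a scratch directory and SYSTEMCTL set to a shell function lets you check the drop-in it produces before touching the live system.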
I'm sure there are lots of improvements that could be made to this setup. I generally avoided tuning settings where I don't know what they do in order to avoid breaking services. This is by no means a complete guide.
The per-service sections below list additions only; every block goes in the [Service] section of the drop-in file for that unit.
- auditd.service
- colord.service
- cron.service
- cups.service
- rc-local.service
- smartmontools.service
- wpa_supplicant.service
- rsyslog.service
- pcscd.service
- accounts-daemon.service
- systemd-rfkill.service
- lvm2-lvmpolld.service
- iio-sensor-proxy.service
- NetworkManager.service
- rsync.service
- plymouth-start.service
- systemd-fsckd.service
- gdm.service
- apache2.service
- dovecot.service
- mysql.service
auditd.service
Before edit score: 9.6 (I think, from memory)
After edit score: 7.8
PrivateTmp=yes
NoNewPrivileges=true
# had some issues with this line if set to "strict"
ProtectSystem=full
ProtectKernelTunables=yes
ProtectKernelModules=yes
PrivateNetwork=no
PrivateDevices=no
ProtectHostname=yes
RestrictSUIDSGID=yes
ProtectClock=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
RestrictRealtime=yes
colord.service
Before edit score: 9.6 (I think, from memory)
After edit score: 5.9
PrivateTmp=yes
NoNewPrivileges=yes
ProtectClock=yes
ProtectHome=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectSystem=full
RestrictSUIDSGID=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
ProtectHostname=yes
PrivateDevices=yes
cron.service
Before edit score: 9.6 (I think, from memory)
After edit score: 6.7
PrivateNetwork=yes
NoNewPrivileges=yes
PrivateDevices=yes
PrivateMounts=yes
PrivateTmp=yes
ProtectClock=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectSystem=full
RestrictSUIDSGID=yes
RestrictRealtime=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
ProtectHostname=yes
cups.service
Before edit score: 9.6 (I think, from memory)
After edit score: 7.4
NoNewPrivileges=yes
PrivateMounts=yes
PrivateTmp=yes
PrivateUsers=yes
ProtectClock=yes
ProtectHome=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
RestrictSUIDSGID=yes
RestrictRealtime=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
ProtectHostname=yes
rc-local.service
Before edit score: 9.1 (I think, from memory)
After edit score: 7.2
NoNewPrivileges=yes
PrivateDevices=yes
PrivateMounts=yes
PrivateTmp=yes
PrivateUsers=yes
ProtectClock=yes
ProtectHome=yes
ProtectKernelTunables=yes
ProtectSystem=full
RestrictSUIDSGID=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
ProtectHostname=yes
smartmontools.service
Before edit score: 9.6 (I think, from memory)
After edit score: 7.3
PrivateNetwork=yes
NoNewPrivileges=yes
PrivateMounts=yes
PrivateTmp=yes
PrivateUsers=yes
ProtectClock=yes
ProtectHome=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectSystem=full
RestrictSUIDSGID=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
ProtectHostname=yes
wpa_supplicant.service
Before edit score: 9.6 (I think, from memory)
After edit score: 8.4
NoNewPrivileges=true
PrivateMounts=true
PrivateTmp=true
ProtectHome=true
ProtectKernelTunables=true
RestrictSUIDSGID=true
UMask=027
MemoryDenyWriteExecute=true
LockPersonality=true
rsyslog.service
Before edit score: 9.6
After edit score: 7.2
PrivateNetwork=yes
NoNewPrivileges=yes
PrivateTmp=yes
ProtectClock=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
RestrictSUIDSGID=yes
RestrictRealtime=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
ProtectHostname=yes
# This line makes it break VVV
#PrivateUsers=yes
ProtectHome=yes
UMask=0133
pcscd.service
Before edit score: 9.6
After edit score: 6.9
PrivateNetwork=yes
NoNewPrivileges=yes
PrivateMounts=yes
PrivateTmp=yes
PrivateUsers=yes
ProtectClock=yes
ProtectHome=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectSystem=full
RestrictSUIDSGID=yes
RestrictRealtime=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
ProtectHostname=yes
accounts-daemon.service
Before edit score: 9.6
After edit score: 6.6
PrivateNetwork=yes
NoNewPrivileges=yes
PrivateDevices=yes
PrivateMounts=yes
PrivateTmp=yes
ProtectClock=yes
ProtectHome=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
RestrictSUIDSGID=yes
RestrictRealtime=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
ProtectHostname=yes
systemd-rfkill.service
Before edit score: 9.3
After edit score: 7.2
PrivateNetwork=yes
PrivateMounts=yes
PrivateUsers=yes
ProtectClock=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
RestrictSUIDSGID=yes
RestrictRealtime=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
ProtectHostname=yes
lvm2-lvmpolld.service
Before edit score: 9.5
After edit score: 7.3
PrivateNetwork=yes
NoNewPrivileges=yes
PrivateUsers=yes
ProtectClock=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
RestrictSUIDSGID=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
ProtectHostname=yes
Note: I would recommend against setting PrivateDevices and PrivateMounts on lvmpolld, as by nature LVM works heavily with storage volumes.
iio-sensor-proxy.service
Before edit score: 7.5
After edit score: 6.3
PrivateNetwork=yes
NoNewPrivileges=yes
ProtectClock=yes
RestrictSUIDSGID=yes
LockPersonality=yes
ProtectHostname=yes
NetworkManager.service
Before edit score: 7.8
After edit score: 6.8
NoNewPrivileges=yes
PrivateTmp=yes
ProtectClock=yes
ProtectKernelTunables=yes
RestrictSUIDSGID=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
ProtectHostname=yes
rsync.service
Before edit score: 9.6 (I think, from memory)
After edit score: 7.4
NoNewPrivileges=yes
PrivateTmp=yes
ProtectClock=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectSystem=full
RestrictSUIDSGID=yes
UMask=133
ProtectHostname=yes
PrivateDevices=yes
RestrictRealtime=yes
plymouth-start.service
Before edit score: 9.5
After edit score: 6.4
PrivateNetwork=yes
NoNewPrivileges=yes
PrivateDevices=yes
PrivateMounts=yes
PrivateUsers=yes
ProtectClock=yes
ProtectControlGroups=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
RestrictSUIDSGID=yes
RestrictRealtime=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
ProtectHostname=yes
systemd-fsckd.service
Before edit score: 9.5
After edit score: 7.0
PrivateNetwork=yes
NoNewPrivileges=yes
PrivateUsers=yes
ProtectClock=yes
ProtectControlGroups=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
RestrictSUIDSGID=yes
RestrictRealtime=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
ProtectHostname=yes
gdm.service
DO NOT APPLY THESE CHANGES! They will break your system! I'm not sure why; I'm keeping this here in the hope that I one day figure it out.
Before edit score: 9.8
After edit score: 8.4
PrivateNetwork=yes
NoNewPrivileges=yes
PrivateTmp=yes
ProtectKernelTunables=yes
LockPersonality=yes
RestrictRealtime=yes
MemoryDenyWriteExecute=yes
ProtectHostname=yes
apache2.service
Before edit score: 9.2
After edit score: 7.2
Don't add PrivateUsers here, it causes Apache to crash. Not sure why. The error message states it was unable to open logs.
NoNewPrivileges=yes
ProtectControlGroups=yes
ProtectHome=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
RestrictRealtime=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
PrivateDevices=yes
ProtectHostname=yes
dovecot.service
Before edit score: 8.4
After edit score: 7.4
NoNewPrivileges=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
RestrictRealtime=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
ProtectHostname=yes
mysql.service
Before edit score: 9.1
After edit score: 6.9
NoNewPrivileges=yes
PrivateDevices=yes
PrivateMounts=yes
PrivateTmp=yes
ProtectControlGroups=yes
PrivateUsers=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes