Hardening domain
Services & systemd
Every running service is attack surface. This domain disables the services you don't need and sandboxes the ones you do, using systemd directives: ProtectSystem, PrivateTmp, capability bounding, and syscall filters.
- Sandboxing systemd Services to Cut Attack Surface
Enumerate, disable, score and sandbox systemd units with drop-ins to shrink the attack surface of every Linux service you run.