twb@heavy:~$ systemd-analyze security alloc.service NAME DESCRIPTION EXPOSURE ✗ PrivateNetwork= Service has access to the host's network 0.5 ✓ User=/DynamicUser= Service runs under a static non-root user identity ✓ CapabilityBoundingSet=~CAP_SET(UID|GID|PCAP) Service cannot change UID/GID identities/capabilities ✓ CapabilityBoundingSet=~CAP_SYS_ADMIN Service has no administrator privileges ✓ CapabilityBoundingSet=~CAP_SYS_PTRACE Service has no ptrace() debugging abilities ✗ RestrictAddressFamilies=~AF_(INET|INET6) Service may allocate Internet sockets 0.3 ✓ RestrictNamespaces=~CLONE_NEWUSER Service cannot create user namespaces ✓ RestrictAddressFamilies=~… Service cannot allocate exotic sockets ✓ CapabilityBoundingSet=~CAP_(CHOWN|FSETID|SETFCAP) Service cannot change file ownership/access mode/capabilities ✓ CapabilityBoundingSet=~CAP_(DAC_*|FOWNER|IPC_OWNER) Service cannot override UNIX file/IPC permission checks ✓ CapabilityBoundingSet=~CAP_NET_ADMIN Service has no network configuration privileges ✓ CapabilityBoundingSet=~CAP_SYS_MODULE Service cannot load kernel modules ✓ CapabilityBoundingSet=~CAP_SYS_RAWIO Service has no raw I/O access ✓ CapabilityBoundingSet=~CAP_SYS_TIME Service processes cannot change the system clock ✗ DeviceAllow= Service has a device ACL with some special devices 0.1 ✗ IPAddressDeny= Service defines IP address allow list with non-localhost entries 0.1 ✓ KeyringMode= Service doesn't share key material with other services ✓ NoNewPrivileges= Service processes cannot acquire new privileges ✗ NotifyAccess= Service child processes may alter service state 0.2 ✓ PrivateDevices= Service has no access to hardware devices ✓ PrivateMounts= Service cannot install system mounts ✓ PrivateTmp= Service has no access to other software's temporary files ✓ PrivateUsers= Service does not have access to other users ✓ ProtectClock= Service cannot write to the hardware clock or system clock ✓ ProtectControlGroups= Service cannot modify the control group file system ✓ ProtectHome= Service has no access to home directories ✓ ProtectKernelLogs= Service cannot read from or write to the kernel log ring buffer ✓ ProtectKernelModules= Service cannot load or read kernel modules ✓ ProtectKernelTunables= Service cannot alter kernel tunables (/proc/sys, …) ✗ ProtectProc= Service has full access to process tree (/proc hidepid=) 0.2 ✓ ProtectSystem= Service has strict read-only access to the OS file hierarchy ✓ RestrictAddressFamilies=~AF_PACKET Service cannot allocate packet sockets ✓ RestrictSUIDSGID= SUID/SGID file creation by service is restricted ✓ SystemCallArchitectures= Service may execute system calls only with native ABI ✓ SystemCallFilter=~@clock System call allow list defined for service, and @clock is not included ✓ SystemCallFilter=~@debug System call allow list defined for service, and @debug is not included ✓ SystemCallFilter=~@module System call allow list defined for service, and @module is not included ✓ SystemCallFilter=~@mount System call allow list defined for service, and @mount is not included ✓ SystemCallFilter=~@raw-io System call allow list defined for service, and @raw-io is not included ✓ SystemCallFilter=~@reboot System call allow list defined for service, and @reboot is not included ✓ SystemCallFilter=~@swap System call allow list defined for service, and @swap is not included ✗ SystemCallFilter=~@privileged System call allow list defined for service, and @privileged is included (e.g. chown is… 0.2 ✓ SystemCallFilter=~@resources System call allow list defined for service, and @resources is not included ✓ AmbientCapabilities= Service process does not receive ambient capabilities ✓ CapabilityBoundingSet=~CAP_AUDIT_* Service has no audit subsystem access ✓ CapabilityBoundingSet=~CAP_KILL Service cannot send UNIX signals to arbitrary processes ✓ CapabilityBoundingSet=~CAP_MKNOD Service cannot create device nodes ✓ CapabilityBoundingSet=~CAP_NET_(BIND_SERVICE|BROADCAST|RAW) Service has no elevated networking privileges ✓ CapabilityBoundingSet=~CAP_SYSLOG Service has no access to kernel logging ✓ CapabilityBoundingSet=~CAP_SYS_(NICE|RESOURCE) Service has no privileges to change resource use parameters ✓ RestrictNamespaces=~CLONE_NEWCGROUP Service cannot create cgroup namespaces ✓ RestrictNamespaces=~CLONE_NEWIPC Service cannot create IPC namespaces ✓ RestrictNamespaces=~CLONE_NEWNET Service cannot create network namespaces ✓ RestrictNamespaces=~CLONE_NEWNS Service cannot create file system namespaces ✓ RestrictNamespaces=~CLONE_NEWPID Service cannot create process namespaces ✓ RestrictRealtime= Service realtime scheduling access is restricted ✓ SystemCallFilter=~@cpu-emulation System call allow list defined for service, and @cpu-emulation is not included ✓ SystemCallFilter=~@obsolete System call allow list defined for service, and @obsolete is not included ✗ RestrictAddressFamilies=~AF_NETLINK Service may allocate netlink sockets 0.1 ✓ RootDirectory=/RootImage= Service has its own root directory/image ✓ SupplementaryGroups= Service has no supplementary groups ✓ CapabilityBoundingSet=~CAP_MAC_* Service cannot adjust SMACK MAC ✓ CapabilityBoundingSet=~CAP_SYS_BOOT Service cannot issue reboot() ✓ Delegate= Service does not maintain its own delegated control group subtree ✓ LockPersonality= Service cannot change ABI personality ✓ MemoryDenyWriteExecute= Service cannot create writable executable memory mappings ✓ RemoveIPC= Service user cannot leave SysV IPC objects around ✓ RestrictNamespaces=~CLONE_NEWUTS Service cannot create hostname namespaces ✓ UMask= Files created by service are accessible only by service's own user by default ✓ CapabilityBoundingSet=~CAP_LINUX_IMMUTABLE Service cannot mark files immutable ✓ CapabilityBoundingSet=~CAP_IPC_LOCK Service cannot lock memory into RAM ✓ CapabilityBoundingSet=~CAP_SYS_CHROOT Service cannot issue chroot() ✓ ProtectHostname= Service cannot change system host/domainname ✓ CapabilityBoundingSet=~CAP_BLOCK_SUSPEND Service cannot establish wake locks ✓ CapabilityBoundingSet=~CAP_LEASE Service cannot create file leases ✓ CapabilityBoundingSet=~CAP_SYS_PACCT Service cannot use acct() ✓ CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG Service cannot issue vhangup() ✓ CapabilityBoundingSet=~CAP_WAKE_ALARM Service cannot program timers that wake up the system ✗ RestrictAddressFamilies=~AF_UNIX Service may allocate local sockets 0.1 ✓ ProcSubset= Service has no access to non-process /proc files (/proc subset=) → Overall exposure level for alloc.service: 1.4 OK :-) twb@heavy:~$ systemd-analyze security nginx.service NAME DESCRIPTION EXPOSURE ✗ PrivateNetwork= Service has access to the host's network 0.5 ✗ User=/DynamicUser= Service runs as root user 0.4 ✗ CapabilityBoundingSet=~CAP_SET(UID|GID|PCAP) Service may change UID/GID identities/capabilities 0.3 ✓ CapabilityBoundingSet=~CAP_SYS_ADMIN Service has no administrator privileges ✓ CapabilityBoundingSet=~CAP_SYS_PTRACE Service has no ptrace() debugging abilities ✗ RestrictAddressFamilies=~AF_(INET|INET6) Service may allocate Internet sockets 0.3 ✓ RestrictNamespaces=~CLONE_NEWUSER Service cannot create user namespaces ✓ RestrictAddressFamilies=~… Service cannot allocate exotic sockets ✗ CapabilityBoundingSet=~CAP_(CHOWN|FSETID|SETFCAP) Service may change file ownership/access mode/capabilities unrestricted 0.2 ✗ CapabilityBoundingSet=~CAP_(DAC_*|FOWNER|IPC_OWNER) Service may override UNIX file/IPC permission checks 0.2 ✓ CapabilityBoundingSet=~CAP_NET_ADMIN Service has no network configuration privileges ✓ CapabilityBoundingSet=~CAP_SYS_MODULE Service cannot load kernel modules ✓ CapabilityBoundingSet=~CAP_SYS_RAWIO Service has no raw I/O access ✓ CapabilityBoundingSet=~CAP_SYS_TIME Service processes cannot change the system clock ✗ DeviceAllow= Service has a device ACL with some special devices 0.1 ✗ IPAddressDeny= Service does not define an IP address allow list 0.2 ✓ KeyringMode= Service doesn't share key material with other services ✗ NoNewPrivileges= Service processes may acquire new privileges 0.2 ✓ NotifyAccess= Service child processes cannot alter service state ✓ PrivateDevices= Service has no access to hardware devices ✓ PrivateMounts= Service cannot install system mounts ✓ PrivateTmp= Service has no access to other software's temporary files ✗ PrivateUsers= Service has access to other users 0.2 ✓ ProtectClock= Service cannot write to the hardware clock or system clock ✓ ProtectControlGroups= Service cannot modify the control group file system ✗ ProtectHome= Service has read-only access to home directories 0.1 ✓ ProtectKernelLogs= Service cannot read from or write to the kernel log ring buffer ✓ ProtectKernelModules= Service cannot load or read kernel modules ✓ ProtectKernelTunables= Service cannot alter kernel tunables (/proc/sys, …) ✗ ProtectProc= Service has full access to process tree (/proc hidepid=) 0.2 ✗ ProtectSystem= Service has limited write access to the OS file hierarchy 0.1 ✓ RestrictAddressFamilies=~AF_PACKET Service cannot allocate packet sockets ✗ RestrictSUIDSGID= Service may create SUID/SGID files 0.2 ✓ SystemCallArchitectures= Service may execute system calls only with native ABI ✓ SystemCallFilter=~@clock System call allow list defined for service, and @clock is not included ✓ SystemCallFilter=~@debug System call allow list defined for service, and @debug is not included ✓ SystemCallFilter=~@module System call allow list defined for service, and @module is not included ✓ SystemCallFilter=~@mount System call allow list defined for service, and @mount is not included ✓ SystemCallFilter=~@raw-io System call allow list defined for service, and @raw-io is not included ✓ SystemCallFilter=~@reboot System call allow list defined for service, and @reboot is not included ✓ SystemCallFilter=~@swap System call allow list defined for service, and @swap is not included ✗ SystemCallFilter=~@privileged System call allow list defined for service, and @privileged is included (e.g. chown is… 0.2 ✓ SystemCallFilter=~@resources System call allow list defined for service, and @resources is not included ✓ AmbientCapabilities= Service process does not receive ambient capabilities ✓ CapabilityBoundingSet=~CAP_AUDIT_* Service has no audit subsystem access ✓ CapabilityBoundingSet=~CAP_KILL Service cannot send UNIX signals to arbitrary processes ✓ CapabilityBoundingSet=~CAP_MKNOD Service cannot create device nodes ✗ CapabilityBoundingSet=~CAP_NET_(BIND_SERVICE|BROADCAST|RAW) Service has elevated networking privileges 0.1 ✓ CapabilityBoundingSet=~CAP_SYSLOG Service has no access to kernel logging ✓ CapabilityBoundingSet=~CAP_SYS_(NICE|RESOURCE) Service has no privileges to change resource use parameters ✓ RestrictNamespaces=~CLONE_NEWCGROUP Service cannot create cgroup namespaces ✓ RestrictNamespaces=~CLONE_NEWIPC Service cannot create IPC namespaces ✓ RestrictNamespaces=~CLONE_NEWNET Service cannot create network namespaces ✓ RestrictNamespaces=~CLONE_NEWNS Service cannot create file system namespaces ✓ RestrictNamespaces=~CLONE_NEWPID Service cannot create process namespaces ✓ RestrictRealtime= Service realtime scheduling access is restricted ✓ SystemCallFilter=~@cpu-emulation System call allow list defined for service, and @cpu-emulation is not included ✓ SystemCallFilter=~@obsolete System call allow list defined for service, and @obsolete is not included ✗ RestrictAddressFamilies=~AF_NETLINK Service may allocate netlink sockets 0.1 ✗ RootDirectory=/RootImage= Service runs within the host's root directory 0.1 SupplementaryGroups= Service runs as root, option does not matter ✓ CapabilityBoundingSet=~CAP_MAC_* Service cannot adjust SMACK MAC ✓ CapabilityBoundingSet=~CAP_SYS_BOOT Service cannot issue reboot() ✓ Delegate= Service does not maintain its own delegated control group subtree ✓ LockPersonality= Service cannot change ABI personality ✓ MemoryDenyWriteExecute= Service cannot create writable executable memory mappings RemoveIPC= Service runs as root, option does not apply ✓ RestrictNamespaces=~CLONE_NEWUTS Service cannot create hostname namespaces ✗ UMask= Files created by service are world-readable by default 0.1 ✓ CapabilityBoundingSet=~CAP_LINUX_IMMUTABLE Service cannot mark files immutable ✓ CapabilityBoundingSet=~CAP_IPC_LOCK Service cannot lock memory into RAM ✓ CapabilityBoundingSet=~CAP_SYS_CHROOT Service cannot issue chroot() ✗ ProtectHostname= Service may change system host/domainname 0.1 ✓ CapabilityBoundingSet=~CAP_BLOCK_SUSPEND Service cannot establish wake locks ✓ CapabilityBoundingSet=~CAP_LEASE Service cannot create file leases ✓ CapabilityBoundingSet=~CAP_SYS_PACCT Service cannot use acct() ✓ CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG Service cannot issue vhangup() ✓ CapabilityBoundingSet=~CAP_WAKE_ALARM Service cannot program timers that wake up the system ✗ RestrictAddressFamilies=~AF_UNIX Service may allocate local sockets 0.1 ✗ ProcSubset= Service has full access to non-process /proc files (/proc subset=) 0.1 → Overall exposure level for nginx.service: 3.2 OK :-)