execguard/execguard@.service

[Unit]
# Copyright (c) 2025 Robert Strutts <bobs@NewToFaith.com>
# License: MIT
# GIT: https://git.mysnippetsofcode.com/bobs/execguard 
Description=Executable Guardian for %i
After=network.target
StartLimitIntervalSec=60
StartLimitBurst=3

[Service]
Type=simple
ExecStart=/usr/local/bin/execguard --%i
Restart=on-failure
RestartSec=2
SuccessExitStatus=0 4
RestartForceExitStatus=0 4

# Hardening 
MemoryDenyWriteExecute=true
NoNewPrivileges=true
SystemCallArchitectures=native
RestrictSUIDSGID=yes
RestrictRealtime=yes

[Install]
WantedBy=multi-user.target