execguard.service:
[Unit]
# %I expands to the unescaped instance name. It is only non-empty when this
# file is installed as a template unit (name@.service) and started with an
# instance; in a plain (non-template) unit it expands to an empty string.
Description=Executable Guardian for %I
# Ordering only: start after network.target if that target is part of the
# same transaction. This does not pull network.target in.
After=network.target
# Start rate limit: at most 3 starts within 60 seconds. Automatic restarts
# count towards the limit; once it is hit, the unit is not restarted any more
# and stays down until it is started again by hand.
# NOTE(review): for a guard process that means protection is absent while the
# unit is in the failed state - worth alerting on; confirm how this is handled.
StartLimitIntervalSec=60
StartLimitBurst=3
[Service]
# The instance name is appended directly after "--", so it reaches execguard
# as a long option ("--<instance>"). If %I is empty the argument is a bare "--".
# No User= appears in this file, so under the system manager the service runs
# as root unless a drop-in says otherwise.
ExecStart=/usr/local/bin/execguard --%I
# Restart automatically after an unclean exit, waiting 2 seconds each time.
Restart=on-failure
RestartSec=2
# Exit statuses 0 and 4 are treated as success, and both also force a restart
# regardless of Restart=, so the service is restarted even after a clean exit.
# NOTE(review): presumably execguard uses status 4 to ask for a restart - confirm.
SuccessExitStatus=0 4
RestartForceExitStatus=0 4
# Hardening
# Deny memory mappings that are writable and executable at the same time.
# Paired with SystemCallArchitectures=native below so the filter cannot be
# sidestepped through a non-native system call ABI.
MemoryDenyWriteExecute=true
# The service and its children cannot gain privileges through execve()
# (set-user-ID/set-group-ID bits, file capabilities).
NoNewPrivileges=true
# Only system calls of the native architecture are permitted.
SystemCallArchitectures=native
# Deny setting the set-user-ID / set-group-ID bits on files and directories.
RestrictSUIDSGID=yes
# Deny enabling realtime scheduling policies.
RestrictRealtime=yes
# Everything below is commented out and therefore has no effect: as written,
# the unit runs without filesystem, device, kernel-tunable, cgroup, clock,
# hostname or namespace sandboxing.
# NOTE(review): the reason each option is disabled is not recorded here; a
# short note per option would let a later reviewer re-evaluate it.
# ReadWritePaths=/etc/execguard
#ProtectProc=invisible
#ProtectSystem=no
#LockPersonality=no
#PrivateDevices=no
#ProtectKernelModules=no
#ProtectKernelTunables=no
#ProtectControlGroups=no
#ProtectClock=yes
#ProtectHostname=yes
#RestrictNamespaces=yes
#DevicePolicy=closed
# The two lines below carry a trailing note. systemd has no inline comments,
# so if either line is ever uncommented the note must be removed first, or it
# is parsed as part of the value.
#PrivateNetwork=no Don't enable!
#PrivateTmp=false Don't enable!
[Install]
# "systemctl enable" hooks the unit into multi-user.target, so it is started
# as part of a normal multi-user boot.
WantedBy=multi-user.target