Systemd Service Hardening for Production Linux Servers


Systemd provides powerful security features that can sandbox services with minimal effort. By adding a few directives to your unit files, you significantly limit the damage an exploited service can cause to the rest of the system.

Key Hardening Directives

ProtectSystem=strict makes the entire filesystem read-only except for paths you explicitly allow with ReadWritePaths. PrivateTmp gives the service its own /tmp directory, preventing it from accessing or modifying temporary files created by other services.

NoNewPrivileges=true prevents the service and its children from gaining additional privileges through setuid binaries or capability escalation. Combined with CapabilityBoundingSet, you restrict the service to only the Linux capabilities it genuinely requires.

Use systemd-analyze security to audit your service units. This tool assigns each service an exposure score on a scale from safe (low) to unsafe (high), and lists the specific directives you can add to improve the hardening level. Target a score below 5.0 for internet-facing services.
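The directives above combined into one unit, as an added example that is not part of the original post. The service name, user, binary and state directory (example-web, /var/lib/example-web) are assumed for illustration; AmbientCapabilities is added because a non-root User cannot otherwise use the capability left in the bounding set.

```ini
[Unit]
Description=Example web backend (hardened)
After=network.target

[Service]
Type=simple
# Assumed unprivileged account created for this service.
User=example-web
Group=example-web
ExecStart=/usr/local/bin/example-web --config /etc/example-web/config.toml

# Filesystem: everything read-only except the one state directory the
# service writes to; /tmp is private to this service.
ProtectSystem=strict
ReadWritePaths=/var/lib/example-web
PrivateTmp=true

# Privileges: no escalation via setuid binaries, and only the single
# capability the service needs (binding a port below 1024).
NoNewPrivileges=true
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target
```

After installing the unit, run `systemctl daemon-reload` and `systemd-analyze security example-web.service` to confirm the exposure score dropped and to see which remaining directives it still recommends.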
