| Dir : /lib/systemd/portable/profile/strict/ |
| Server: Linux server1.ngambekcore.com 4.18.0-553.51.1.el8_10.x86_64 #1 SMP Wed Apr 30 04:00:07 EDT 2025 x86_64 IP: 159.198.77.92 |
| Dir : //lib/systemd/portable/profile/strict/service.conf |
# The "strict" security profile for services, all options turned on [Service] MountAPIVFS=yes TemporaryFileSystem=/run BindReadOnlyPaths=/run/systemd/notify BindReadOnlyPaths=/dev/log /run/systemd/journal/socket /run/systemd/journal/stdout BindReadOnlyPaths=/etc/machine-id DynamicUser=yes RemoveIPC=yes CapabilityBoundingSet= PrivateTmp=yes PrivateDevices=yes PrivateUsers=yes ProtectSystem=strict ProtectHome=yes ProtectKernelTunables=yes ProtectKernelModules=yes ProtectControlGroups=yes RestrictAddressFamilies=AF_UNIX LockPersonality=yes NoNewPrivileges=yes MemoryDenyWriteExecute=yes RestrictRealtime=yes RestrictNamespaces=yes SystemCallFilter=@system-service SystemCallErrorNumber=EPERM SystemCallArchitectures=native PrivateNetwork=yes IPAddressDeny=any TasksMax=4