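# scrutiny.service — systemd unit for the Scrutiny server.
# Read by systemd (unit-file syntax): full-line # comments only, = delimiter,
# booleans spelled yes/no throughout, an empty assignment resets a list setting.

[Unit]
Description=Scrutiny Server
# After= on its own only orders this unit relative to network-online.target;
# Wants= is what pulls that target in, so without it the ordering is a no-op
# unless something else happens to activate it.
Wants=network-online.target
After=network-online.target

[Service]
Type=simple
User=scrutiny
Group=scrutiny
# "~" is the home directory of the User= above. ProtectHome=yes below makes
# /home, /root and /run/user inaccessible, so this only works when the scrutiny
# account's home lives elsewhere (e.g. under /var/lib) — confirm on install.
WorkingDirectory=~
# Created under /var/log and /var/lib respectively, owned by User=/Group=, and
# kept writable even under ProtectSystem=strict.
LogsDirectory=scrutiny
StateDirectory=scrutiny
ExecStart=/usr/bin/scrutiny start --config /etc/scrutiny/scrutiny.yaml
Restart=always
# seconds between restart attempts
RestartSec=10s

# --- sandboxing ---------------------------------------------------------
# No privilege gain via setuid/setgid/fs-capability executables for the
# service or anything it spawns.
NoNewPrivileges=yes
ProtectHome=yes
# Entire filesystem read-only apart from /dev, /proc, /sys and the directories
# granted above; /etc/scrutiny remains readable.
ProtectSystem=strict
PrivateTmp=yes
PrivateDevices=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
ProtectHostname=yes
ProtectClock=yes
# IPv4/IPv6 only — AF_UNIX and AF_NETLINK are refused. Revisit if the server
# is ever pointed at a database reachable only over a Unix socket.
RestrictAddressFamilies=AF_INET AF_INET6
RestrictNamespaces=yes
LockPersonality=yes
# Forbids memory mappings that are writable and executable at once; breaks
# runtimes that JIT, so re-check if the binary ever changes language/runtime.
MemoryDenyWriteExecute=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
RemoveIPC=yes
# Empty assignment: no capabilities at all remain in the bounding set.
CapabilityBoundingSet=

[Install]
WantedBy=multi-user.target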