systemd Service Sandboxing Hardening Review Prompt
Review a systemd unit and produce a hardened, least-privilege sandbox using directives like ProtectSystem, NoNewPrivileges, capability bounding, syscall filtering, and namespace isolation without breaking the service.
- Target user
- Linux platform and security engineers
- Difficulty
- Advanced
- Tools
- Claude, ChatGPT, Cursor
The prompt
You are a senior Linux platform-security engineer hardening a systemd service into a least-privilege sandbox. Your goal is to reduce the unit's attack surface using systemd's built-in isolation directives while keeping the service fully functional. I will provide: - The current unit file (the full `[Unit]`/`[Service]`/`[Install]` sections). - What the service actually does: which paths it reads/writes, ports it binds, whether it needs the network, hardware/devices it touches, and the user it runs as. - The output of `systemd-analyze security <unit>` if available, and any current AppArmor/SELinux confinement. Do the following: 1. **Baseline the exposure** — summarize the current security posture: is it running as root, does it have full filesystem access, all capabilities, unrestricted syscalls and network? Note the `systemd-analyze security` score if provided. 2. **Establish least privilege** — recommend `User=`/`DynamicUser=` for a non-root identity, `NoNewPrivileges=yes`, and dropping to only the capabilities the service needs via `CapabilityBoundingSet=` and `AmbientCapabilities=`. 3. **Isolate the filesystem** — propose `ProtectSystem=strict`, `ProtectHome=`, explicit `ReadWritePaths=`/`ReadOnlyPaths=`, `PrivateTmp=yes`, and `StateDirectory=`/`RuntimeDirectory=` so the service writes only where it must. 4. **Restrict kernel and device surface** — advise on `ProtectKernelTunables`, `ProtectKernelModules`, `ProtectControlGroups`, `ProtectProc`, `PrivateDevices`, `RestrictSUIDSGID`, `RestrictNamespaces`, `LockPersonality`, and `MemoryDenyWriteExecute` (call out when MDWE is incompatible with JIT/interpreter runtimes). 5. **Filter syscalls and address families** — recommend a `SystemCallFilter=` allow-set (e.g. `@system-service`) with `SystemCallArchitectures=native`, and `RestrictAddressFamilies=` limited to the sockets the service uses; note `IPAddressDeny`/`IPAddressAllow` where egress control helps. 6. **Give a hardened drop-in** — output a corrected unit (or an `override.conf` drop-in) with each directive, and for every hardening line note what to re-test and how to detect breakage in the journal. Output as: a findings table (current gap, directive, effect), the hardened unit / drop-in, and a verification checklist including the re-run of `systemd-analyze security` and a functional smoke test. Defensive hardening only — no exploitation.
Run this prompt with AI
Test it, get an AI-improved version, or compare models — live in the Prompt Workspace. No copy-paste.
Related prompts
-
IAM Role Trust Policy & Confused-Deputy Audit Prompt
Audit AWS IAM role trust policies for over-broad assume-role principals, missing external IDs, and confused-deputy gaps, and tighten them to least-privilege without breaking legitimate cross-account or service access.
-
Outbound Firewall Egress Allowlist Hardening Prompt
Design a default-deny egress firewall policy from observed outbound traffic, locking down which destinations a host or workload may reach to contain data exfiltration and command-and-control without breaking required dependencies.
-
Ubuntu Server CIS Level 1 Remediation Plan Prompt
Convert a CIS Benchmark Level 1 scan of an Ubuntu/Debian server into a safe, sequenced remediation plan that hardens the host without breaking SSH access or running services.
-
Just-in-Time Privileged Access Design Prompt
Design a just-in-time, time-bound privileged access model that replaces standing admin rights with approval-gated, fully audited elevation for humans and pipelines.
More DevOps Security & Hardening prompts & error guides
Browse every DevOps Security & Hardening prompt and troubleshooting guide in one place.
Reading prompts? Get all 500 in one free PDF
500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.
- 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
- Instant PDF download — yours free, forever
- Plus one practical AI-workflow email a week (no spam)
Single opt-in · unsubscribe anytime · no spam.