Hardening systemd
It is possible to harden systemd services by adding restrictions on file access, syscalls, network access and more. The command:
$ systemd-analyze security <service>
---------
NAME DESCRIPTION EXPOSURE
✗ PrivateNetwork= Service has access to the host's network 0.5
✗ User=/DynamicUser= Service runs as root user 0.4
✗ CapabilityBoundingSet=~CAP_SET(UID|GID|PCAP) Service may change UID/GID identities/capabilities 0.3
✗ CapabilityBoundingSet=~CAP_SYS_ADMIN Service has administrator privileges 0.3
✗ CapabilityBoundingSet=~CAP_SYS_PTRACE Service has ptrace() debugging abilities 0.3
✗ RestrictAddressFamilies=~AF_(INET|INET6) Service may allocate Internet sockets 0.3
...
→ Overall exposure level for xxx.service: 9.6 UNSAFE 😨
prints the status of every directive together with an overall exposure score (lower is safer). The systemd documentation describes all of these directives.
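As an added example (not part of the original note), a drop-in that addresses the findings shown above: it enables the directives systemd-analyze flagged for the hypothetical xxx.service and adds a few common sandboxing options. PrivateNetwork=yes only fits a service that needs no network at all; a network-facing daemon would instead keep the network and restrict it with RestrictAddressFamilies and IPAddressDeny.

```ini
# /etc/systemd/system/xxx.service.d/hardening.conf  (constructed example)
# Apply with: systemctl daemon-reload && systemctl restart xxx.service
# Re-check with: systemd-analyze security xxx.service
[Service]
# Flagged: "Service has access to the host's network" (0.5)
# Only valid for a service that needs no network; otherwise drop this line
PrivateNetwork=yes

# Flagged: "Service runs as root user" (0.4)
# DynamicUser allocates an unprivileged transient user for the service
DynamicUser=yes

# Flagged: CAP_SET{UID,GID,PCAP}, CAP_SYS_ADMIN, CAP_SYS_PTRACE (0.3 each)
# An empty set drops every capability; add back only what the service needs,
# e.g. CapabilityBoundingSet=CAP_NET_BIND_SERVICE for a daemon binding a low port
CapabilityBoundingSet=
NoNewPrivileges=yes

# Flagged: "Service may allocate Internet sockets" (0.3)
# Allow only UNIX domain sockets; add AF_INET/AF_INET6 for a network service
RestrictAddressFamilies=AF_UNIX

# Filesystem: read-only OS, no home directories, private /tmp and /dev
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes
# Directory under /var/lib the service may write to (created for DynamicUser)
StateDirectory=xxx

# Kernel and process restrictions
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
ProtectClock=yes
ProtectHostname=yes
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes

# Syscall filter: allow the generic service set, deny privileged/resource calls
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
```

Each directive can break a service that legitimately needs the feature, so add them incrementally and watch the journal (journalctl -u xxx.service) for failures after each restart.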