This would be fine, but depending on the service itself the hardening strategy will be different. That’s why I think using a set of “profiles” that define some knobs would be useful.
As someone maintaining a systemd unit, you would have to ask some questions:
- does it run as root? no, use profile run-as-user that will turn on: NoNewPrivileges / ProtectKernelLogs / ProtectKernelModules / ProtectKernelTunables / ProtectProc / RestrictSUIDSGID …
- does it do network? no, use profile no-network that will turn on: PrivateNetwork
- does it need to read all FS files? no? then enable PrivateUsers / PrivateTmp / ProtectSystem / ProtectProc …
Then define harden = [ run-as-user no-network no-fs ];
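Added example, not code from the thread or from systemd: a small Python tool that models the profile idea above. The profile table (run-as-user, no-network, no-fs) is a hypothetical mapping to real systemd [Service] directives, merged with a conflict check, rendered as a drop-in, and used to audit a constructed sample unit for directives the chosen profiles expect but the unit lacks.

```python
"""Compose systemd hardening profiles into a drop-in and audit a unit against them."""
from typing import Dict, List, Optional, Tuple

# Hypothetical profile table (assumption, not part of systemd or the thread).
# Keys and values are real [Service] directives and accepted values.
PROFILES: Dict[str, Dict[str, str]] = {
    "run-as-user": {
        "NoNewPrivileges": "yes",
        "ProtectKernelLogs": "yes",
        "ProtectKernelModules": "yes",
        "ProtectKernelTunables": "yes",
        "ProtectProc": "invisible",
        "RestrictSUIDSGID": "yes",
    },
    "no-network": {"PrivateNetwork": "yes"},
    "no-fs": {
        "PrivateUsers": "yes",
        "PrivateTmp": "yes",
        "ProtectSystem": "strict",
        "ProtectProc": "invisible",  # overlaps run-as-user with the same value
    },
}


def _norm(value: str) -> str:
    """Fold systemd boolean spellings (yes/true/on/1, no/false/off/0) to yes/no."""
    v = value.strip().lower()
    if v in {"yes", "true", "on", "1"}:
        return "yes"
    if v in {"no", "false", "off", "0"}:
        return "no"
    return v


def merge_profiles(names: List[str]) -> Dict[str, str]:
    """Merge the named profiles; raise ValueError on unknown names or on the
    same directive requested with two different values."""
    merged: Dict[str, str] = {}
    for name in names:
        if name not in PROFILES:
            raise ValueError(f"unknown profile: {name}")
        for key, value in PROFILES[name].items():
            if key in merged and _norm(merged[key]) != _norm(value):
                raise ValueError(f"{key}: {merged[key]!r} conflicts with {value!r} from {name}")
            merged[key] = value
    return merged


def render_dropin(names: List[str], extra: Optional[Dict[str, str]] = None) -> str:
    """Render a drop-in body, e.g. for /etc/systemd/system/foo.service.d/harden.conf."""
    directives = merge_profiles(names)
    directives.update(extra or {})  # per-unit overrides such as ReadWritePaths=
    lines = ["[Service]"] + [f"{k}={v}" for k, v in sorted(directives.items())]
    return "\n".join(lines) + "\n"


def parse_service_section(unit_text: str) -> Dict[str, str]:
    """Return key=value pairs from the [Service] section; last value wins."""
    section = None
    found: Dict[str, str] = {}
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section == "Service" and "=" in line:
            key, _, value = line.partition("=")
            found[key.strip()] = value.strip()
    return found


def missing_directives(unit_text: str, names: List[str]) -> List[Tuple[str, str, Optional[str]]]:
    """List (directive, expected, actual) where the unit does not satisfy the profiles."""
    wanted = merge_profiles(names)
    have = parse_service_section(unit_text)
    gaps = []
    for key, expected in sorted(wanted.items()):
        actual = have.get(key)
        if actual is None or _norm(actual) != _norm(expected):
            gaps.append((key, expected, actual))
    return gaps


# Constructed sample unit for the audit below (not a real service).
SAMPLE_UNIT = """\
[Unit]
Description=Example daemon

[Service]
ExecStart=/usr/bin/exampled
User=exampled
NoNewPrivileges=true
ProtectSystem=full
PrivateTmp=yes
"""

if __name__ == "__main__":
    print(render_dropin(["run-as-user", "no-network", "no-fs"]))
    for key, want, got in missing_directives(SAMPLE_UNIT, ["run-as-user", "no-fs"]):
        print(f"{key}: profiles want {want}, unit has {got}")
```

The audit deliberately compares against the profile's value, not just presence: ProtectSystem=full in the sample is reported because no-fs asks for strict. Strict makes everything except /dev, /proc and /sys read-only, so a service that writes state needs ReadWritePaths= passed through the extra argument rather than a weaker profile.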