Is it possible to harden services (e.g. Samba) using Systemd parameters etc. from a vanilla config file? Or do the services have to be patched “upstream”?
Something like `systemd.services.samba.serviceConfig.ProtectSystem = true`, where the service to be hardened is `samba.service`. You can check the result with `systemctl cat samba.service`. `serviceConfig` accepts all stanzas that can go inside `[Service]` in the service file.
3 Likes
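A fuller override along the lines of the answer above, as an added example that is not part of the original thread: it sets several systemd sandboxing directives through `serviceConfig` from the system configuration, without patching the service upstream. The unit name `samba` is taken from the post; the paths and the address-family list are assumptions that have to be adjusted and tested against the service actually running.

```nix
{ ... }:
{
  # Unit name "samba" follows the post above; substitute the unit your
  # system actually runs (check with `systemctl list-units`).
  # If the NixOS module already sets one of these keys to another value,
  # the definitions conflict and yours must be wrapped in lib.mkForce.
  systemd.services.samba.serviceConfig = {
    # File system view: everything read-only except listed paths.
    ProtectSystem = "strict";
    ReadWritePaths = [
      "/var/lib/samba"   # assumed state directory
      "/var/log/samba"   # assumed log directory
      "/srv/share"       # hypothetical exported share
    ];
    PrivateTmp = true;

    # Kernel and host surfaces a file server has no reason to modify.
    ProtectKernelTunables = true;
    ProtectKernelModules = true;
    ProtectControlGroups = true;
    ProtectClock = true;
    ProtectHostname = true;

    # Process-level restrictions.
    LockPersonality = true;
    RestrictRealtime = true;

    # Assumed socket families: local sockets, IPv4/IPv6, netlink.
    # A list value is written out as one line per element.
    RestrictAddressFamilies = [
      "AF_UNIX"
      "AF_INET"
      "AF_INET6"
      "AF_NETLINK"
    ];
  };
}
```

After a rebuild, `systemctl cat samba.service` shows the merged `[Service]` section, and `systemd-analyze security samba.service` lists which sandboxing directives are still unset for the unit.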