PS: one thing "systemd-analyze security" doesn't cover AT ALL is service denial attacks.
For example, one day I mounted a backup drive (full of snapshots) on /mnt instead of /media, and the overnight mlocate updatedb cron job tried to scan it, flushing all the real disk's blocks from the page cache (thereby measurably reducing performance for everything else on the system).

See also:

0) The systemd reference is systemd.resource-control(5), but it's a reference rather than a howto/guide/example.

1) # These are equivalent to "nice ionice -c3 chrt --idle 0". I think. --twb, Jun 2016
   [Service]
   Nice=10
   IOSchedulingClass=idle
   CPUSchedulingPolicy=idle

   I habitually add these to anything that I think of as an "overnight background job". Pretty much anything fired by cron or a .timer.

2) mlocate uses "nocache" (an LD_PRELOAD hack that adds FADV_DONTNEED to I/O syscalls). The nocache homepage (https://github.com/Feh/nocache) suggests that on "modern" systems with cgroup v1 support, you set a per-unit memory limit instead.

   I *think* under modern systemd, with cgroups v2, you actually do something like

   MemoryHigh=128M

   That doesn't set a memory *limit*, but it helps the page cache replacement algorithm decide which pages should be evicted first.

   These articles explain that nocache (or equivalent) is needed as a workaround because Linux's current heuristics are old and crufty:
   https://linux-mm.org/AdvancedPageReplacement
   https://linux-mm.org/PageReplacementDesign

UNFORTUNATELY, I do not yet have enough experience to know what is a "reasonable" MemoryHigh= number to set for a given unit.

systemd has memory accounting, but unlike CPU or network accounting, when the unit ends, it will not report the "peak" memory usage. Instead, you have to poll systemd-cgls (or possibly systemctl show) while the unit is running, to see the point-in-time value.

You can also shove /usr/bin/time in front of the command to see *a* peak memory value, but (I think?) that doesn't include the page cache (cache of HDD blocks in RAM).

$ /usr/bin/time gzip -k tmp.txt
…
(… 1368maxresident)k
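As an added example (not from the post, nor systemd's own tooling), a small POSIX shell helper that starts a job the way the post describes, via systemd-run with the same three directives plus MemoryHigh=128M (the post's guessed value, not a recommendation), and then polls the unit's cgroup memory.current until the unit exits, capturing the peak that the author notes systemd does not report. It assumes cgroup v2 mounted at /sys/fs/cgroup and that the transient unit lands in system.slice; the function names are hypothetical.

```shell
#!/bin/sh
# Throttle an "overnight background job" and record its peak cgroup memory.
# memory.current charges page cache to the cgroup, which is what
# /usr/bin/time's maxresident leaves out. Assumes cgroup v2 at $CGROOT.

CGROOT=/sys/fs/cgroup

# poll_peak FILE [INTERVAL]: re-read FILE every INTERVAL seconds (default 1)
# until it disappears (systemd removes the cgroup when the unit exits) and
# print the largest integer observed. Prints 0 if FILE never existed.
poll_peak() {
    file=$1; interval=${2:-1}; peak=0
    while [ -r "$file" ]; do
        cur=$(cat "$file" 2>/dev/null) || break
        # Ignore empty/partial reads; keep the running maximum.
        [ "$cur" -gt "$peak" ] 2>/dev/null && peak=$cur
        sleep "$interval"
    done
    echo "$peak"
}

# run_throttled NAME CMD...: start CMD as transient unit NAME.service with
# the post's directives plus MemoryHigh, then watch its memory.current.
# Very short jobs may finish before the first poll and report 0.
run_throttled() {
    name=$1; shift
    systemd-run --unit="$name" --collect \
        -p Nice=10 -p IOSchedulingClass=idle -p CPUSchedulingPolicy=idle \
        -p MemoryHigh=128M "$@" || return 1
    peak=$(poll_peak "$CGROOT/system.slice/$name.service/memory.current" 1)
    echo "$name: peak memory.current = $peak bytes"
}

# Usage (as root): ./throttle.sh updatedb-nightly /usr/bin/updatedb
if [ "$#" -ge 2 ]; then
    run_throttled "$@"
fi
```

Compare the reported figure with what /usr/bin/time prints for the same command to see how much of the footprint is page cache rather than resident memory.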