PS: the hardening bit also works as a drop-in, i.e. you can put it into /etc/systemd/system/nslcd.service.d/hardening.conf and the rest of the unit remains auto-generated from /etc/init.d/nslcd.

Trent W. Buck wrote:
> # nslcd listens to /run/nslcd/socket and creates /run/nslcd/nslcd.pid.
> # We can tell systemd about this.
> RuntimeDirectory=nslcd
> WorkingDirectory=/run/nslcd
>
>
> # Additional security lockdown (optional).
> # $ systemd-analyze security nslcd:
> # → Overall exposure level for nslcd.service: 1.2 OK 🙂
> [Service]
> CapabilityBoundingSet=
> RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
> DevicePolicy=closed
> NoNewPrivileges=yes
> PrivateDevices=yes
> PrivateTmp=yes
> PrivateUsers=yes
> ProtectClock=yes
> ProtectControlGroups=yes
> ProtectHome=yes
> ProtectKernelLogs=yes
> ProtectKernelModules=yes
> ProtectKernelTunables=yes
> ProtectProc=invisible
> ProtectSystem=strict
> RestrictSUIDSGID=yes
> SystemCallArchitectures=native
> SystemCallFilter=@system-service
> # We can't drop @privileged because we fail with:
> # nslcd: wait_for_response(): read_response() returned 0 (expected 4)
> # nslcd: unable to daemonize: No data available
> #SystemCallFilter=~@privileged
> SystemCallFilter=~@resources
> RestrictNamespaces=yes
> RestrictRealtime=yes
> LockPersonality=yes
> MemoryDenyWriteExecute=yes
> RemoveIPC=yes
> UMask=0077
> ProtectHostname=yes
> ProcSubset=pid
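
Installing the hardening bit as a drop-in and confirming that systemd merged it with the generated unit, as an added example that is not part of the original message. The function names, the ROOT staging prefix and the choice of properties to spot-check are assumptions.

```shell
#!/bin/sh
# Added example, not from the original message. ROOT (staging prefix) and the
# function names are assumptions made for illustration.

# install_dropin UNIT SRC [ROOT]
# Copies SRC to ROOT/etc/systemd/system/UNIT.service.d/hardening.conf and
# prints the destination path. ROOT is empty on a live system.
install_dropin() {
    unit=$1 src=$2 root=${3:-}
    dir="$root/etc/systemd/system/$unit.service.d"
    # systemd ignores assignments that appear before any section header, so
    # require the first line that is neither blank nor a comment to be [Service].
    first=$(grep -v -e '^[[:space:]]*[#;]' -e '^[[:space:]]*$' "$src" | head -n 1)
    if [ "$first" != "[Service]" ]; then
        echo "refusing $src: settings must follow a [Service] header" >&2
        return 1
    fi
    mkdir -p "$dir" || return 1
    cp "$src" "$dir/hardening.conf" || return 1
    chmod 0644 "$dir/hardening.conf" || return 1
    echo "$dir/hardening.conf"
}

# verify_dropin UNIT (live system, run as root)
verify_dropin() {
    unit=$1
    systemctl daemon-reload || return 1
    # Shows the generated unit followed by the drop-in, each with its path.
    systemctl cat "$unit.service" || return 1
    # Spot-check that a few of the settings are now part of the loaded unit.
    systemctl show "$unit.service" -p NoNewPrivileges -p ProtectSystem -p PrivateTmp
    systemd-analyze security "$unit.service" | tail -n 1
    # A filter that is too tight stops the daemon from starting (as with
    # ~@privileged in the quoted notes), so restart and confirm it stays up.
    systemctl restart "$unit.service" && systemctl is-active "$unit.service"
}
```

On a live system: `install_dropin nslcd ./hardening.conf && verify_dropin nslcd`.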