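# systemd service unit for the mon(8) system monitoring daemon.
# Starts /usr/sbin/mon as the non-root user "mon" with the sandboxing below.

[Unit]
Description=System monitoring daemon
Documentation=man:mon(8)
# Ordering only: start after network.target; this does not pull the target in.
After=network.target

[Service]
# Dedicated non-root account for the daemon.
User=mon
ExecStart=/usr/sbin/mon
# Leave SIGPIPE at its default disposition instead of having systemd ignore it.
IgnoreSIGPIPE=false
# Only the main process is signalled on stop.
# NOTE(review): children spawned by the daemon keep running after a stop or
# restart and escape the unit's lifecycle; systemd.kill(5) advises against
# this mode unless it is intentional.
KillMode=process
# Restart after every exit, waiting 2 seconds between attempts.
RestartSec=2
Restart=always

# Upper bound on the capabilities any process of this service can hold.
# Due to the wide variety of use cases this may not be sufficient.
# Repeated assignments are merged (OR), so the set is split by purpose.
# NOTE(review): the service runs as User=mon with no AmbientCapabilities=, and
# systemd.exec(5) documents that SystemCallFilter= and the other restrictions
# below imply NoNewPrivileges=yes for a non-root service. Presumably set-uid or
# file-capability helpers therefore gain none of these capabilities; confirm
# which entries are actually needed before keeping them.
# File access and identity switching.
CapabilityBoundingSet=CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_SETGID CAP_SETUID
# Broad system-level capabilities; CAP_SYS_ADMIN alone covers much of root's
# power (it was listed twice in the original line, once is enough).
# CAP_SYS_RAWIO and CAP_SYS_PTRACE stay permitted although the @raw-io and
# @debug system-call groups are denied below; drop what the monitors do not use.
CapabilityBoundingSet=CAP_SYS_ADMIN CAP_SYS_CHROOT CAP_SYS_PTRACE CAP_SYS_RAWIO CAP_SYS_RESOURCE
# Networking: privileged ports, broadcast, raw sockets.
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW

# Deny-list: the listed system-call groups are blocked, all others stay allowed.
# An allow-list would be stricter but needs testing against every monitor in use.
SystemCallFilter=~@cpu-emulation @debug @raw-io @reboot @swap @module @obsolete @clock
# Permit only the native ABI so the filter cannot be sidestepped via another one.
SystemCallArchitectures=native

# Kernel and host state the daemon must not change.
ProtectClock=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectControlGroups=true
ProtectHostname=true

# Process-level restrictions.
MemoryDenyWriteExecute=true
RestrictNamespaces=true
RestrictSUIDSGID=true
LockPersonality=true
RestrictRealtime=true

# File-system exposure: home directories hidden, private /tmp and /var/tmp,
# new files readable by the owner only.
ProtectHome=true
PrivateTmp=true
UMask=077
# NOTE(review): ProtectSystem=, PrivateDevices= and RestrictAddressFamilies=
# are not set; evaluate them against the monitors in use, for example with
# `systemd-analyze security <unit>.service`.

[Install]
# Enabling the unit hooks it into multi-user.target.
WantedBy=multi-user.target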