CME-709

systemd Service Sandboxing (PrivateDevices, PrivateTmp, ProtectSystem)

Description

systemd unit directives that sandbox a service: PrivateDevices removes access to physical devices (the service sees only a private /dev), PrivateTmp gives the service an isolated /tmp, ProtectSystem=strict mounts the file system hierarchy read-only, and ProtectHome=true hides /home from the service.

CVSS Vector Impacts

Metric               Transition   Rationale
Scope (S)            C → U        Service isolated from host filesystem, devices, and user data
Confidentiality (C)  H → L        Cannot access user home directories or arbitrary devices
Integrity (I)        H → L        Cannot modify system files outside designated directories

CWE Relationships

Verification

Check systemd unit for sandbox directives

$ systemctl show <service> -p ProtectSystem,PrivateTmp,PrivateDevices,ProtectHome
# Expected: ProtectSystem=strict
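The verification command above prints one Key=value line per property. The following script, an added example and not part of this CME entry, evaluates that output against the hardened values for all four directives rather than ProtectSystem alone; the accepted ProtectHome values (yes, read-only, tmpfs) and the embedded sample output are assumptions made here.

```shell
#!/bin/sh
# Added example (not part of the CME-709 entry). check_sandbox reads the
# "Key=value" lines that `systemctl show -p ...` prints on stdin and reports
# every sandbox directive that is not at its hardened value.
# Hardened values assumed here: ProtectSystem=strict, PrivateTmp=yes,
# PrivateDevices=yes, and ProtectHome in {yes, read-only, tmpfs}.
# Returns 0 when all four pass, 1 otherwise; a directive absent from the
# input is treated as "no" (systemd's default when the unit does not set it).
check_sandbox() {
    protect_system=no private_tmp=no private_devices=no protect_home=no
    rc=0
    while IFS='=' read -r key value; do
        case "$key" in
            ProtectSystem)  protect_system=$value ;;
            PrivateTmp)     private_tmp=$value ;;
            PrivateDevices) private_devices=$value ;;
            ProtectHome)    protect_home=$value ;;
        esac
    done
    [ "$protect_system" = strict ] ||
        { echo "FAIL ProtectSystem=$protect_system (want strict)"; rc=1; }
    [ "$private_tmp" = yes ] ||
        { echo "FAIL PrivateTmp=$private_tmp (want yes)"; rc=1; }
    [ "$private_devices" = yes ] ||
        { echo "FAIL PrivateDevices=$private_devices (want yes)"; rc=1; }
    case "$protect_home" in
        yes|read-only|tmpfs) ;;
        *) echo "FAIL ProtectHome=$protect_home (want yes, read-only or tmpfs)"; rc=1 ;;
    esac
    return "$rc"
}

# Constructed sample standing in for the output of
#   systemctl show <service> -p ProtectSystem,PrivateTmp,PrivateDevices,ProtectHome
# so the check runs offline. ProtectSystem=full is the common half-measure:
# /usr, /boot and /etc are read-only, but /var and the rest of the tree stay writable.
SAMPLE_PARTIAL='ProtectSystem=full
PrivateTmp=yes
PrivateDevices=no
ProtectHome=no'

if printf '%s\n' "$SAMPLE_PARTIAL" | check_sandbox; then
    echo "sample unit: fully sandboxed"
else
    echo "sample unit: sandbox incomplete"
fi
```

Against a live system, pipe the verification command's output into check_sandbox instead of the sample.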
Platform: linux