Limit privileges of a systemd service to a minimum


I am writing a systemd service file for fai-monitor(8). This daemon listens on a single port, receives TCP connections, and writes a single log file with interesting information.

To reduce the attack surface on the system, the service should be run with the least privileges possible. Following the advice on options for hardening systemd service units, I came up with this service file:

[Unit]
Description=FAI Monitor Daemon

[Service]
Type=simple
ExecStart=/usr/sbin/fai-monitor -l /run/fai-monitor/fai-monitor.log
DynamicUser=true
RuntimeDirectory=fai-monitor
RuntimeDirectoryMode=755

MemoryDenyWriteExecute=true
NoNewPrivileges=true
PrivateTmp=true
PrivateUsers=true
ProtectHome=true

ProtectSystem=strict
PrivateDevices=true
ProtectKernelTunables=true
ProtectControlGroups=true

RestrictAddressFamilies=AF_INET AF_INET6
RestrictRealtime=true

TasksMax=16
MemoryHigh=10M

SystemCallFilter=~@mount @debug @privileged

While this seems to be quite restrictive, the service file is relatively verbose.

Are there any other means to restrict a service to the least possible set of privileges? In particular, something like RestrictEverything=true would be interesting, with subsequent whitelisting of allowed resources.

steiny

Posted 2018-01-28T19:34:06.570

Reputation: 643

No answers
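An added example, not part of the question above and not a unit file shipped by the FAI project: the same service rewritten in the allow-list style the question asks for. systemd has no single RestrictEverything= switch, but a unit gets close to it by (a) clearing the capability bounding set instead of relying on DynamicUser= alone, (b) starting the system-call filter from the @system-service allow-list and subtracting groups from it, rather than deny-listing a few groups on top of "everything", and (c) denying all IP traffic and socket binds, then allowing only what the daemon needs. The client subnet 192.0.2.0/24 and the TCP port 4711 are assumptions for this example; replace them with the network your FAI clients come from and whatever -p you pass to fai-monitor. Several of the directives (ProtectProc=, ProcSubset=, SocketBindDeny=/SocketBindAllow=, ProtectClock=, ProtectKernelLogs=, ProtectHostname=, RestrictSUIDSGID=) were added to systemd after this question was posted; an older systemd logs a warning for a directive it does not know and ignores it, so the file degrades rather than fails. Unit files only accept whole-line comments, so none of the comments below are placed after a value.

```ini
[Unit]
Description=FAI Monitor Daemon (allow-list hardened, added example)
After=network.target

[Service]
Type=simple
ExecStart=/usr/sbin/fai-monitor -l /run/fai-monitor/fai-monitor.log

# Identity: a throwaway UID/GID allocated at start, no home, no shell.
DynamicUser=true
# The log lives in a private runtime directory owned by that user;
# 0750 keeps other local users from reading it (the original used 755).
RuntimeDirectory=fai-monitor
RuntimeDirectoryMode=0750
UMask=0077

# Capabilities: an empty bounding set removes every capability, so even
# a compromise of the process cannot regain one. No ambient caps either.
CapabilityBoundingSet=
AmbientCapabilities=
NoNewPrivileges=true

# Filesystem: whole tree read-only, /home, /tmp and /dev private.
# Nothing is written outside the runtime directory, so no ReadWritePaths=.
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
PrivateDevices=true
PrivateUsers=true

# Kernel interfaces the daemon has no business touching.
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true
ProtectClock=true
ProtectHostname=true
# Hide other processes in /proc and drop its non-process files.
ProtectProc=invisible
ProcSubset=pid

# Misc process restrictions.
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
LockPersonality=true
MemoryDenyWriteExecute=true

# Network: only IPv4/IPv6 sockets; deny every peer, then allow the FAI
# client subnet (assumed 192.0.2.0/24). IPAddress* needs cgroup v2 BPF.
RestrictAddressFamilies=AF_INET AF_INET6
IPAddressDeny=any
IPAddressAllow=192.0.2.0/24
# Deny all binds, then allow the listener's own port (assumed 4711).
SocketBindDeny=any
SocketBindAllow=tcp:4711

# System calls: refuse foreign ABIs, start from the @system-service
# allow-list, then subtract groups a network logger never needs.
# A first allow-list line puts the filter in allow mode; later ~lines
# remove entries from it. Violations return EPERM instead of SIGKILL,
# which keeps the daemon alive and shows up in strace/journal.
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources @mount @debug
SystemCallErrorNumber=EPERM

# Resource caps from the original unit.
TasksMax=16
MemoryHigh=10M

[Install]
WantedBy=multi-user.target
```

Two checks are worth running after installing this. `systemd-analyze security fai-monitor.service` (systemd 240 and later) scores the unit and lists every sandboxing directive that is still unset, which answers the "did I forget something" part of the question far better than reading man pages. `systemd-analyze syscall-filter @system-service` prints what the allow-list actually contains, so you can see which calls the daemon is left with before the first connection arrives. Then exercise the service for real: send it a few monitor messages, confirm the log file is written, and watch `journalctl -u fai-monitor` for EPERM or permission errors; with SystemCallErrorNumber=EPERM a filtered call fails loudly instead of killing the process, which is what you want while tightening the filter and what you may want to switch back to the default SIGSYS once it is stable.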