File nsd.service of Package nsd
# systemd unit for the NSD authoritative DNS server, run in the foreground
# as the unprivileged _nsd account inside a systemd sandbox.
[Unit]
Description=NSD DNS Server
# Ordering only: After= does not pull these targets in.
# NOTE(review): syslog.target is a legacy target; confirm it is still needed.
After=syslog.target network.target

[Service]
# "-d" keeps nsd in the foreground, which matches Type=simple.
Type=simple
# NOTE(review): PIDFile= is documented mainly for Type=forking; with
# Type=simple systemd already tracks the main PID. Confirm it is still wanted.
PIDFile=/run/nsd/nsd.pid
ExecStart=/usr/sbin/nsd -d -c /etc/nsd/nsd.conf
# Removes the zone-transfer daemon state file after every stop. It has no
# privilege-escalation prefix, so it runs as User=/Group= inside the same sandbox.
ExecStopPost=/bin/rm -f /var/lib/nsd/xfrd.state
# The daemon never starts as root; binding a privileged port therefore depends
# on AmbientCapabilities= further down.
User=_nsd
Group=_nsd
# added automatically, for details please see
# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
# /usr, /boot, /efi and /etc are mounted read-only for the service.
# NOTE(review): ProtectSystem=strict with explicit ReadWritePaths= would be
# tighter; confirm which paths nsd has to write (state dir, PID dir, zone files).
ProtectSystem=full
# /home, /root and /run/user are made inaccessible.
ProtectHome=true
# Private /dev that contains only pseudo-devices (null, zero, random, ...).
PrivateDevices=true
# No changing of the host or domain name.
ProtectHostname=true
# No writes to the system or hardware clock.
ProtectClock=true
# Kernel tunables under /proc and /sys become read-only.
ProtectKernelTunables=true
# No explicit loading or unloading of kernel modules.
ProtectKernelModules=true
# No access to the kernel log ring buffer.
ProtectKernelLogs=true
# Control group hierarchies are read-only for the service.
ProtectControlGroups=true
# No realtime scheduling policies.
RestrictRealtime=true
# end of automatic additions
# even more hardening options
# CAP_NET_BIND_SERVICE is the only capability left in the bounding set, and the
# ambient set hands it to the non-root process so it can bind a privileged port
# (DNS listens on 53).
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE
# Allow-list of socket families; socket() for any other family is refused.
# NOTE(review): AF_NETLINK is presumably needed for interface/address
# enumeration; confirm, and drop it if nsd works without it.
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_NETLINK
# Private /tmp and /var/tmp, not shared with other services.
PrivateTmp=yes
# execve() can never grant new privileges (setuid/setgid bits, file capabilities).
NoNewPrivileges=yes
# Mount propagation setting for the service's mount namespace.
MountFlags=private
# The execution domain (personality(2)) cannot be changed.
LockPersonality=yes
# Fresh session keyring that is not linked to the user keyring.
KeyringMode=private
# No creation of, or switching into, any namespace type.
RestrictNamespaces=yes
# No setting of setuid/setgid bits on files or directories.
RestrictSUIDSGID=yes
# Device control group policy: only the standard pseudo-devices are accessible.
DevicePolicy=closed
# No memory mappings that are writable and executable at the same time.
MemoryDenyWriteExecute=yes
# Only native-ABI system calls, so the filter below cannot be sidestepped
# through an alternative ABI.
SystemCallArchitectures=native
# The leading "~" makes this a deny-list: the listed groups are blocked and
# everything else stays allowed. Without SystemCallErrorNumber= a blocked call
# terminates the process with SIGSYS instead of returning an error, so a
# filter hit shows up as the service being killed by that signal.
# NOTE(review): @resources covers calls that change resource limits and
# scheduling parameters; confirm nsd does not issue them with the options in use.
# NOTE(review): an allow-list (e.g. starting from @system-service) would be
# stricter than a deny-list; confirm against nsd's real syscall usage first.
SystemCallFilter=~ @clock @cpu-emulation @debug @keyring @module @mount @raw-io @reboot @swap @obsolete @resources @pkey

[Install]
WantedBy=multi-user.target




