Increased sandboxing and permission-limiting for selected services.
These are working sandboxing/security override.conf files for systemd services to reduce what they are allowed to do without breaking their normal functions. I selected services I understand and interact with the outside world. I went down the big systemd man page considering every option that applied. Sometimes I had to back-out options when they stopped the service from working.
I hope these are useful for some other people.
Some services, like atd and crond let users/programs run arbitrary commands. I locked down those services to what the service itself needs plus what the commands I run to need. So you might need to change those.
The CGI, PHP, etc scripts that your installation of Apache runs need to be allowed too.
This are override files -- in general an override.conf file can override (replace) any unit option but here I have only added sandbox/security options. Do NOT modify the .unit file that came with the package. Instead do:
systemctl edit <service>
You'll be placed in the Nano editor. From there you can paste in this supplied override.conf file Use Control-X to save.
Tell systemd to reload:
systemctl daemon-reload
Restart the service
systemctl restart <service>
Test it and look at its logs. A first easy check:
systemctl status <service>
And look at the "State:" line. It should say "State: running".
Look at:
systemd-analyze security <service>
to see the improved score.
More info https://unix.stackexchange.com/questions/398540/how-to-override-systemd-unit-file-settings