SHH (Systemd Hardening Helper)


Automatic systemd service hardening guided by strace profiling.

See this article for an introduction.

Official repository - Mirror repository

Installation

Dependencies

strace needs to be installed and available on your PATH. strace version >= 6.4 is strongly recommended.

From source

You need a Rust build environment, for example from rustup.

```sh
cargo build --release
install -Dm 755 -t /usr/local/bin target/release/shh
```

Debian

See GitHub releases for Debian packages built for each tagged version.

Arch Linux

Arch Linux users can install the shh AUR package.

Usage

To harden a system unit named SERVICE.service:

  1. Start service profiling: shh service start-profile SERVICE. The service will be restarted under strace profiling.
  2. Use the service normally for a while, trying to cover as many features and use cases as possible.
  3. Run shh service finish-profile SERVICE -a. The service will be restarted with a hardened configuration built from the runtime profile: it allows what was observed during the profiling period and denies other dangerous system actions.

Run shh -h for full command line reference, or append -h to a subcommand to get help.

Services running in per-user instances of the service manager (controlled via systemctl --user ...) are not supported.
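The following script is an added example, not part of the shh project: it wraps the three-step workflow above in a single shell function with the pre-flight checks a practitioner would want, namely that strace and shh are on PATH and that the strace version meets the >= 6.4 recommendation from the Dependencies section, and it diffs the unit's configuration before and after hardening so the added directives are visible. The helper names (`strace_version`, `version_ge`, `check_deps`, `harden_service`) and the `MIN_STRACE` constant are this example's own; the `shh service ...` invocations are the ones documented above, and `systemctl cat` is the standard systemd command for printing a unit's files.

```sh
#!/bin/sh
# Added example (not shh project code): pre-flight checks plus the
# start-profile / use / finish-profile workflow for one system unit.
# Assumes `shh`, `strace` and `systemctl` are on PATH when harden_service runs.
set -eu

MIN_STRACE=6.4   # recommended minimum from the README

# strace_version TEXT: extract "MAJOR.MINOR" from the first line of
# `strace -V` output, e.g. "strace -- version 6.6" -> "6.6".
# Takes the output as an argument so it can be exercised without strace.
strace_version() {
    printf '%s\n' "$1" | sed -n '1s/.*version \([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# version_ge A B: succeed when A >= B, comparing MAJOR.MINOR numerically
# (a plain string comparison would wrongly rank 6.10 below 6.4).
version_ge() {
    a_major=${1%%.*}; a_minor=${1#*.}
    b_major=${2%%.*}; b_minor=${2#*.}
    if [ "$a_major" -gt "$b_major" ]; then return 0; fi
    if [ "$a_major" -lt "$b_major" ]; then return 1; fi
    if [ "$a_minor" -ge "$b_minor" ]; then return 0; fi
    return 1
}

# check_deps: fail if strace or shh is missing; warn if strace is too old,
# since an older strace may not capture everything shh needs to see.
check_deps() {
    if ! command -v strace >/dev/null 2>&1; then
        echo "strace not found on PATH" >&2; return 1
    fi
    if ! command -v shh >/dev/null 2>&1; then
        echo "shh not found on PATH" >&2; return 1
    fi
    v=$(strace_version "$(strace -V)")
    if ! version_ge "${v:-0.0}" "$MIN_STRACE"; then
        echo "warning: strace ${v:-unknown} is older than recommended $MIN_STRACE" >&2
    fi
    return 0
}

# harden_service UNIT [SECONDS]: the README's workflow for a *system* unit
# (units under `systemctl --user` are not supported by shh). The "use the
# service normally" step is represented by a timed wait; exercise as many of
# the service's features as possible while it runs.
harden_service() {
    unit=$1
    soak=${2:-300}
    check_deps

    # Keep the pre-hardening unit text so the new directives can be diffed.
    before=$(mktemp)
    systemctl cat "$unit" > "$before"

    shh service start-profile "$unit"        # restarts the unit under strace
    echo "profiling $unit for ${soak}s; exercise it now" >&2
    sleep "$soak"
    shh service finish-profile "$unit" -a    # restarts with hardened config

    # Show what was added; diff exits 1 when files differ, which is expected.
    systemctl cat "$unit" | diff -u "$before" - || true
    rm -f "$before"
    systemctl is-active "$unit" >/dev/null   # fail loudly if it did not come back up
}

# Usage: ./harden.sh SERVICE.service [SECONDS_TO_PROFILE]
if [ "$#" -gt 0 ]; then
    harden_service "$@"
fi
```

Run it as root (or with a user allowed to manage the unit) against a system service name; the diff at the end is the quickest way to review which hardening directives shh derived from the profile before relying on them.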

License

GPLv3