Harden systemd service files
I just ran a lynis audit and now it also contains systemd-analyze security reports of all system service files.
NetworkManager gets an orange EXPOSED rating. Running systemd-analyze security NetworkManager.service will get you why.
Although some options cannot be restricted, as NetworkManager needs them, others might not be necessary. One example I looked at is ProtectClock=, and a syscall filter is easy to set up there as well.
In this sense this is a meta-issue that may stay open indefinitely. Hope you get the score to MEDIUM or below :)
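
A drop-in along the lines the post suggests, as an added example that is not part of the original post or of NetworkManager's shipped unit file. The file name and the choice of syscall groups are assumptions and have not been validated against NetworkManager's actual needs.

```ini
# /etc/systemd/system/NetworkManager.service.d/10-hardening.conf
# (hypothetical file name; `systemctl edit NetworkManager.service`
#  creates an equivalent override.conf in the same directory)

[Service]
# Deny writes to the system and hardware clock. systemd removes
# CAP_SYS_TIME and CAP_WAKE_ALARM from the bounding set, filters the
# clock-setting syscalls and limits RTC device access to read-only.
ProtectClock=yes

# Only allow syscalls for the native ABI, so the filter below cannot be
# sidestepped through a secondary (e.g. 32-bit) syscall table.
SystemCallArchitectures=native

# Deny-list of syscall groups (the leading "~" inverts the list).
# Assumption: NetworkManager and its helpers need none of these; check
# the journal for failures after restarting and trim the list if needed.
SystemCallFilter=~@clock @cpu-emulation @debug @obsolete @raw-io @reboot @swap

# Fail a filtered call with EPERM instead of killing the process, which
# makes an over-tight filter easier to diagnose.
SystemCallErrorNumber=EPERM
```

After `systemctl daemon-reload` and a restart of the service, rerunning `systemd-analyze security NetworkManager.service` shows which findings the drop-in cleared and how the exposure score changed.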