I am currently running the following hardening settings:
LockPersonality=yes
MemoryDenyWriteExecute=yes
NoNewPrivileges=yes
PrivateDevices=yes
PrivateTmp=yes
ProtectClock=yes
ProtectControlGroups=yes
ProtectHome=yes
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectProc=invisible
ProcSubset=pid
ProtectSystem=strict
StateDirectory=quassel
LogsDirectory=quassel
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
SystemCallArchitectures=native
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 SystemCallFilter=@system-service
CapabilityBoundingSet=
p.s.:
Additionally I am also building quassl with Control Flow Integrity
enabled, see
https://salsa.debian.org/qt-kde-team/extras/quassel/-/merge_requests/12
--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)