First idea to contribute selection of systemd hardening parameters.

content/guides/hardening.md

@@ -280,6 +280,18 @@ sandboxing:
 - systemd provides
   [sandboxing functionality](https://www.freedesktop.org/software/systemd/man/systemd.exec.html#Sandboxing)
   which can be used to alter the environment in which the process is run.
+  From the linked set of systemd sandboxing options, the following
+  are interesting and grouped by complexity to apply:
+    - Try first: ``ProtectHome``, 
+	``NoNewPrivileges``, ``PrivateTmp``, ``AppArmorProfile``,
+	``ProtectControlGroups``, ``ProtectKernelLogs``, ``ProtectKernelTunables``,
+	``ProtectKernelModules``, ``ProtectSystem``
+	- Better sandboxing, but more testing required: ``InaccessiblePaths``,
+	``ReadOnlyPaths``, ``PrivateDevices``, ``LockPersonality``
+	- Hard to apply: ``SystemCallFilter``, 
+	``RestrictSUIDGID``, ``MemoryDenyWriteExecute``
+
+  It is always necessary to do properly testing of the sandboxed application.
 
 # Network and firewalls