Draft: Contribute selection of systemd hardening parameters

I created a selection of parameters for Systemd unit files to harden the service and grouped them by the estimated complexity to apply.

content/guides/hardening.md

@@ -280,6 +280,19 @@ sandboxing:
 - systemd provides
   [sandboxing functionality](https://www.freedesktop.org/software/systemd/man/systemd.exec.html#Sandboxing)
   which can be used to alter the environment in which the process is run.
+  It is always necessary to do proper testing of the sandboxed application.
+  From the linked set of systemd sandboxing parameters, the following
+  ones are interesting and grouped by the estimated complexity to apply:
+    - No issues expected for most applications: 
+	``ProtectHome``, ``NoNewPrivileges``, ``PrivateTmp``, ``AppArmorProfile``,
+	``ProtectControlGroups``, ``ProtectKernelLogs``,
+	``ProtectKernelTunables``,	``ProtectKernelModules``, ``ProtectSystem``
+	- Better sandboxing capability, but more testing required:
+	``IPAddressAllow``, ``IPAddressDeny``, ``InaccessiblePaths``, 
+	``ReadOnlyPaths``, ``PrivateDevices``, ``LockPersonality``
+	- Very effective sandboxing limitations, but issues are likely: 
+	``SystemCallFilter``, ``RestrictSUIDGID``, ``MemoryDenyWriteExecute``
+
 
 # Network and firewalls