All posts

9 posts · Linux & scripting

Sandboxing Linux services with systemd security directivesTurn a plain unit file into a locked-down sandbox with ProtectSystem, NoNewPrivileges, and capability limits.Mar 10, 2026 · 11 minAdvancedlinuxsystemdLinux capabilities: dropping root the right waySplit root into fine-grained capabilities, drop everything you don't need, and stop running containers as full root.Dec 30, 2025 · 9 minIntermediatelinuxcapabilitiesBash strict mode: writing ops scripts that fail loudlyset -euo pipefail is the start, not the whole story. Traps, quoting, and safe temp files for scripts that run as root.Oct 28, 2025 · 6 minBeginnerbashlinuxRootless Docker and why containers shouldn't run as rootRun the Docker daemon and your containers as a non-root user so a container escape lands unprivileged, plus the subuid, cgroups, and storage gotchas.Oct 7, 2025 · 9 minIntermediatedockerrootlessSELinux on OpenShift: stop chmod 777-ing your way outRead AVC denials, write a targeted policy module, and keep SCCs strict instead of granting privileged.Aug 19, 2025 · 11 minAdvancedopenshiftselinuxSSH hardening: keys, ciphers, and CA-signed certificatesDisable passwords, pick modern ciphers, and issue SSH certificates so you stop managing authorized_keys by hand.Aug 5, 2025 · 9 minIntermediatesshlinuxFrom iptables to nftables: a practical migrationTranslate your ruleset to nftables' cleaner syntax and sets, and run both during the cutover without lockouts.May 20, 2025 · 11 minAdvancedlinuxnftablesAuditd rules that matter for complianceWatch the files and syscalls auditors actually ask about, tune rules by key, and keep signal high without drowning auditd in noise nobody reads.Dec 17, 2024 · 9 minIntermediateauditdlinuxCentralized logging with journald and rsyslogMake the journal persistent, forward it to a central host, and keep logs you can actually search after an incident.Oct 8, 2024 · 7 minBeginnerjournaldrsyslog