[Unit]
Description=Verify integrity of password and group files
After=systemd-sysusers.service

[Service]
CapabilityBoundingSet=CAP_DAC_READ_SEARCH
# Always run both checks, but fail the service if either fails
ExecStart=/bin/sh -c '/usr/bin/pwck -qr || r=1; /usr/bin/grpck -r && exit $r'
Nice=19
IOSchedulingClass=best-effort
IOSchedulingPriority=7
IPAddressDeny=any
LockPersonality=yes
MemoryDenyWriteExecute=yes
NoNewPrivileges=yes
PrivateDevices=yes
PrivateNetwork=yes
PrivateTmp=yes
ProcSubset=pid
ProtectClock=yes
ProtectControlGroups=yes
ProtectHome=read-only
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectProc=invisible
ProtectSystem=strict
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictNamespaces=yes
RestrictSUIDSGID=yes
RestrictRealtime=yes
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@resources
SystemCallFilter=~@privileged
UMask=0077