Ripe-atlas.service.d service security hardening?

Hi,

I am running an up-to-date Atlas software probe, natively, on an up-to-date Rpi5 booting DietPi. I wanted to seek some advice in confirming I haven’t borked anything by attempting to harden the ACLs and such of the service. I have done some smoke testing by toggling on/off progressively stricter systemd .conf entries, and disabling entries which cause the service to fail in an obvious way. Now that I’m much happier with the security posture (not a call out, just adding some layers for my own sanity) I’d like to understand if there are any other ways in which a probe can silently fail but otherwise look clean?

Relatively new to RIPE, so if anybody is able to confirm generally, or can review data from my specific probe, I’ll note that I have been running with my hardening for the last 5 weeks. Unhardened before April 4, 2026, hardened after.

$ sudo ./harden-systemd.sh
[*] Target: ripe-atlas.service
[*] Report: /var/log/systemd-security/ripe-atlas.service/2026-05-13_194455Z
[*] Mode: refuse-if-existing
[*] Capturing before posture
[*] Writing drop-ins
[*] Reloading systemd and validating unit
[*] Restarting service
[*] Capturing after posture

============================================================
Result: ripe-atlas.service
============================================================
[+] Service restart: OK
[+] Exposure: before=7.8 after=3.1 improvement=+4.7

Overall after:
→ Overall exposure level for ripe-atlas.service: 3.1 OK 🙂

Top residual exposure:
  0.5   PrivateNetwork=                                   Service has access to the host's network
  0.3   CapabilityBoundingSet=~CAP_SET(UID|GID|PCAP)      Service may change UID/GID identities/capabilities
  0.3   RestrictAddressFamilies=~AF_(INET|INET6)          Service may allocate Internet sockets
  0.3   RestrictAddressFamilies=~…                      Service may allocate exotic sockets
  0.2   CapabilityBoundingSet=~CAP_(CHOWN|FSETID|SETFCAP)  Service may change file ownership/access mode/capabilities unrestricted

Files:
  Summary: /var/log/systemd-security/ripe-atlas.service/2026-05-13_194455Z/summary.txt
  Before:  /var/log/systemd-security/ripe-atlas.service/2026-05-13_194455Z/security-before.txt
  After:   /var/log/systemd-security/ripe-atlas.service/2026-05-13_194455Z/security-after.txt
  Diff:    /var/log/systemd-security/ripe-atlas.service/2026-05-13_194455Z/security-diff.txt
  Journal: /var/log/systemd-security/ripe-atlas.service/2026-05-13_194455Z/journal-after-restart.txt

Rollback:
  sudo rm -rf '/etc/systemd/system/ripe-atlas.service.d'
  sudo systemctl daemon-reload && sudo systemctl restart 'ripe-atlas.service'

[+] Done

I want to confirm this actually plays nice with the system before publishing my steps.

Thanks,

Rob
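
One way to look for failures the restart check does not surface, as an added example that is not part of the original post or of the probe software: filter the service journal for the error strings and exit statuses that systemd sandbox directives typically produce. The log lines and the `probe-helper` process name are constructed placeholders, and the pattern list is an assumption about what is worth flagging, not an exhaustive set.

```shell
#!/bin/sh
# Added example: flag journal lines that usually mean a systemd sandbox
# setting blocked something the service tried to do.

# Error strings and exit statuses that hardening directives typically produce:
#   EPERM / EACCES / EROFS    -> dropped capability, ProtectSystem=, ReadOnlyPaths=
#   EAFNOSUPPORT              -> RestrictAddressFamilies=
#   status=31/SYS, type=1326  -> SystemCallFilter= (seccomp) killed the process
DENIAL_RE='Operation not permitted|Permission denied|Read-only file system|Address family not supported by protocol|status=31/SYS|type=1326'

# scan_denials: read journal text on stdin, print only the suspicious lines.
scan_denials() {
    grep -E "$DENIAL_RE" || true   # no match is a valid result, not an error
}

# count_denials: same input, print the number of suspicious lines.
count_denials() {
    scan_denials | wc -l | tr -d ' '
}

# Constructed sample (not from a real probe); "probe-helper" is a placeholder.
sample_journal() {
    cat <<'EOF'
May 13 19:45:01 host systemd[1]: Started ripe-atlas.service.
May 13 19:45:02 host probe-helper[812]: socket: Address family not supported by protocol
May 13 19:45:02 host probe-helper[812]: measurement scheduled
May 13 19:45:07 host probe-helper[815]: open /var/tmp/result: Read-only file system
May 13 19:46:10 host kernel: audit: type=1326 audit(1778701570.101:42): pid=820 comm="probe-helper" sig=31 syscall=41
May 13 19:46:10 host systemd[1]: ripe-atlas.service: Main process exited, code=killed, status=31/SYS
May 13 19:46:15 host systemd[1]: ripe-atlas.service: Scheduled restart job, restart counter is at 1.
EOF
}

# Demo on the constructed sample. On a real host, feed it the unit's journal:
#   journalctl -u ripe-atlas.service --since 2026-04-04 --no-pager | scan_denials
sample_journal | scan_denials
```

A clean result only shows that nothing was logged; a helper that ignores a failed call writes no line, so this complements checking the probe's reported measurement results rather than replacing it.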