diff --git a/systemd/system.conf.d/service-isolation.conf b/systemd/system.conf.d/service-isolation.conf
new file mode 100644
index 0000000..6edbad8
--- /dev/null
+++ b/systemd/system.conf.d/service-isolation.conf
@@ -0,0 +1,8 @@
+[Service]
+PrivateTmp=true # Poly-instantiates {/var,}/tmp per service
+PrivateDevices=true # Only exposes API pseudo-devices (/dev/null, zero, random)
+ProtectSystem=full # Makes /usr, /boot and /etc read-only
+ProtectHome=true # Prevents access to /home, /root and /run/user
+
+CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE
+NoNewPrivileges=true
diff --git a/systemd/system/auditd.service.d/override.conf b/systemd/system/auditd.service.d/override.conf
new file mode 100644
index 0000000..ad7372c
--- /dev/null
+++ b/systemd/system/auditd.service.d/override.conf
@@ -0,0 +1,3 @@
+[Service]
+CapabilityBoundingSet=
+NoNewPrivileges=false
diff --git a/systemd/system/cron.service.d/override.conf b/systemd/system/cron.service.d/override.conf
new file mode 100644
index 0000000..d1ce090
--- /dev/null
+++ b/systemd/system/cron.service.d/override.conf
@@ -0,0 +1,2 @@
+[Service]
+ProtectSystem=false
diff --git a/systemd/system/lm-sensors.service.d/override.conf b/systemd/system/lm-sensors.service.d/override.conf
new file mode 100644
index 0000000..225db39
--- /dev/null
+++ b/systemd/system/lm-sensors.service.d/override.conf
@@ -0,0 +1,2 @@
+[Service]
+PrivateDevices=false
diff --git a/systemd/system/multi-user.target.wants/mcstrans.service b/systemd/system/multi-user.target.wants/mcstrans.service
deleted file mode 120000
index ce08528..0000000
--- a/systemd/system/multi-user.target.wants/mcstrans.service
+++ /dev/null
@@ -1 +0,0 @@
-/lib/systemd/system/mcstrans.service
\ No newline at end of file
diff --git a/systemd/system/restorecond.service.d/override.conf b/systemd/system/restorecond.service.d/override.conf
new file mode 100644
index 0000000..ea23c39
--- /dev/null
+++ b/systemd/system/restorecond.service.d/override.conf
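Review bot: In service-isolation.conf the trailing `# …` text on the `PrivateTmp=`, `PrivateDevices=`, `ProtectSystem=` and `ProtectHome=` lines is not a comment to systemd, which only treats `#` or `;` at the start of a line as one; the text becomes part of the value, the value fails to parse, and the directive is logged and ignored, so the sandboxing it describes is not applied. Put each comment on its own line above the setting, e.g. `# Read-only /usr, /boot and /etc` followed by `ProtectSystem=full`; the restorecond override has the same problem on its `ProtectSystem=` and `ProtectHome=` lines. Separately, stock systemd reads only a `[Manager]` section from `system.conf.d/`, so unless this build is patched the `[Service]` section here is ignored as a whole; on recent systemd versions the supported place for defaults that apply to every service is a type-level drop-in directory `service.d/` under `systemd/system/`. Running `systemd-analyze security <unit>` on a deployed host would confirm which of these settings are actually in effect.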
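Review bot: In the auditd override, `CapabilityBoundingSet=` with an empty value does not lift the global restriction; per systemd.exec(5) an empty assignment resets the bounding set to the empty set, so the daemon would start with no capabilities at all. If the intent is to undo the global `~CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE` mask, the documented form is `CapabilityBoundingSet=~`, or preferably an explicit allow-list of only the capabilities the daemon needs. The same line appears in the restorecond and ssh overrides, where an empty set would likely prevent sshd from switching to the logged-in user. A one-line comment above `NoNewPrivileges=false` stating why the relaxation is required would also make later audits of these exceptions easier.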
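Review bot: The cron override relaxes only `ProtectSystem=` and gives no reason, while every other global default would still be inherited by each job cron spawns. If those defaults take effect, user crontab jobs run with `ProtectHome=true`, a private /tmp and `NoNewPrivileges=true`, which is presumably not intended for jobs that read home directories or call setuid helpers, so that should be decided explicitly rather than discovered in production. I would add a comment line stating the reason above the setting (for example `# cron jobs must be able to modify /etc and /usr`) and consider `ProtectSystem=true` instead of `false` if only /etc has to stay writable. The lm-sensors override's `PrivateDevices=false` deserves a similar one-line justification.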
@@ -0,0 +1,4 @@
+[Service]
+CapabilityBoundingSet=
+ProtectSystem=true # restorecond handles files in /etc
+ProtectHome=false # restorecond handles files in /root
diff --git a/systemd/system/ssh.service.d/override.conf b/systemd/system/ssh.service.d/override.conf
new file mode 100644
index 0000000..ad7372c
--- /dev/null
+++ b/systemd/system/ssh.service.d/override.conf
@@ -0,0 +1,3 @@
+[Service]
+CapabilityBoundingSet=
+NoNewPrivileges=false
diff --git a/systemd/system/sshd.service b/systemd/system/sshd.service
deleted file mode 120000
index 7504947..0000000
--- a/systemd/system/sshd.service
+++ /dev/null
@@ -1 +0,0 @@
-/lib/systemd/system/ssh.service
\ No newline at end of file
diff --git a/systemd/system/syslog.service b/systemd/system/syslog.service
deleted file mode 120000
index c3fe73f..0000000
--- a/systemd/system/syslog.service
+++ /dev/null
@@ -1 +0,0 @@
-/lib/systemd/system/rsyslog.service
\ No newline at end of file