=== modified file 'mandos.service'
--- mandos.service	2016-10-30 21:08:05 +0000
+++ mandos.service	2017-08-20 14:14:14 +0000
@@ -28,6 +28,8 @@
 ProtectSystem=full
 ProtectHome=yes
 CapabilityBoundingSet=CAP_KILL CAP_SETGID CAP_SETUID CAP_DAC_OVERRIDE CAP_NET_RAW
+ProtectKernelTunables=yes
+ProtectControlGroups=yes
 
 [Install]
 WantedBy=multi-user.target