Remote journal logging
Journal messages can be forwarded to remote storage, without using a syslog daemon. The systemd-journal-remote and systemd-journal-upload packages provide receiver and sender daemons. Communication is done over HTTPS.
systemd PrivateDevices
The PrivateDevices setting, when set to "yes", provides a private, minimimal /dev that does not include physical devices. This allows long-running services to have limited access, increasing security.
systemd PrivateNetwork
The PrivateNetwork setting, when set to "yes", provides a private network with only a loopback interface. This allows long-running services that do not require network access to be cut off from the network.