diff --git a/doc/test_protect.service b/doc/test_protect.service
new file mode 100644
index 0000000..93865b6
--- /dev/null
+++ b/doc/test_protect.service
@@ -0,0 +1,55 @@
+[Unit]
+Description=TEST
+
+[Service]
+Type=oneshot
+ExecStart=/opt/test
+
+DynamicUser=yes
+UMask=077
+ProtectSystem=strict
+ProtectHome=yes
+PrivateTmp=yes
+PrivateDevices=yes # DevicePolicy=closed
+PrivateNetwork=yes
+IPAddressDeny=any
+PrivateUsers=yes
+ProtectHostname=yes
+ProtectClock=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectKernelLogs=yes
+ProtectControlGroups=yes
+RestrictAddressFamilies=none
+RestrictFileSystems=ext4 tmpfs zfs
+RestrictNamespaces=yes
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+RemoveIPC=yes
+PrivateMounts=yes
+SystemCallFilter=~@swap
+SystemCallFilter=~@resources
+SystemCallFilter=~@reboot
+SystemCallFilter=~@raw-io
+SystemCallFilter=~@privileged
+SystemCallFilter=~@obsolete
+SystemCallFilter=~@mount
+SystemCallFilter=~@module
+SystemCallFilter=~@debug
+SystemCallFilter=~@cpu-emulation
+SystemCallFilter=~@clock
+CapabilityBoundingSet=
+ProtectProc=invisible
+ProcSubset=pid
+NoNewPrivileges=yes
+SystemCallArchitectures=native
+
+ReadOnlyPaths=/
+
+NoExecPaths=/
+ExecPaths=/opt/test /bin/bash /lib
+
+[Install]
+WantedBy=multi-user.target
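Review bot: The trailing comment on `PrivateDevices=yes # DevicePolicy=closed` is not a comment in unit-file syntax — `#` only opens a comment at the start of a line — so systemd receives the value `yes # DevicePolicy=closed`, fails to parse it as a boolean and drops `PrivateDevices=` with a warning, which silently weakens the sandbox. Put the note on its own line: `PrivateDevices=yes` followed by `# DevicePolicy=closed`. Separately, with `NoExecPaths=/` the `ExecPaths=/opt/test /bin/bash /lib` list omits `/lib64` and `/usr`, so on a merged-/usr system the dynamic loader and most shared objects can no longer be mapped executable and a dynamically linked `/opt/test` is likely to fail at exec; the sibling test_protect_2 unit already lists both. `ReadOnlyPaths=/` duplicates what `ProtectSystem=strict` already does and can go.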
diff --git a/doc/test_protect_2.service b/doc/test_protect_2.service
new file mode 100644
index 0000000..a1c1bef
--- /dev/null
+++ b/doc/test_protect_2.service
@@ -0,0 +1,55 @@
+[Unit]
+Description=TEST
+
+[Service]
+Type=oneshot
+ExecStart=/opt/test
+
+# user
+UMask=077
+DynamicUser=yes
+PrivateUsers=yes
+RestrictSUIDSGID=yes
+NoNewPrivileges=yes
+LockPersonality=yes
+RemoveIPC=yes
+
+# fs
+ProtectSystem=strict
+ProtectHome=yes
+PrivateTmp=yes
+PrivateDevices=yes
+PrivateNetwork=yes
+ProtectProc=invisible
+ProcSubset=pid
+PrivateMounts=yes
+RestrictFileSystems=ext4 tmpfs zfs
+
+NoExecPaths=/
+ExecPaths=/opt/test /bin /lib /lib64 /usr
+
+TemporaryFileSystem=/var
+TemporaryFileSystem=/var
+
+# network
+IPAddressDeny=any
+RestrictAddressFamilies=none
+
+# syscall
+SystemCallArchitectures=native
+SystemCallFilter=~@swap ~@resources ~@reboot ~@raw-io ~@privileged ~@obsolete ~@mount ~@module ~@debug ~@cpu-emulation ~@clock
+
+# else
+ProtectHostname=yes
+ProtectClock=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectKernelLogs=yes
+ProtectControlGroups=yes
+RestrictNamespaces=yes
+MemoryDenyWriteExecute=yes
+RestrictRealtime=yes
+CapabilityBoundingSet=
+
+[Install]
+WantedBy=multi-user.target
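Review bot: The one-line `SystemCallFilter=~@swap ~@resources ~@reboot …` does not deny all of the listed groups: the leading `~` inverts the whole list, and the remaining `~@…` words are not valid group or syscall names, so I expect systemd to log them as unparseable and ignore them, leaving only `@swap` blocked. Use a single `~` for the list, `SystemCallFilter=~@swap @resources @reboot @raw-io @privileged @obsolete @mount @module @debug @cpu-emulation @clock`, which is the form protection() in libs/systemd.py already uses; worth confirming with `systemd-analyze security` after the change. `TemporaryFileSystem=/var` is also given twice — harmless, but the duplicate line should be removed.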
diff --git a/doc/test_temp.service b/doc/test_temp.service
new file mode 100644
index 0000000..9bc0b4b
--- /dev/null
+++ b/doc/test_temp.service
@@ -0,0 +1,54 @@
+[Unit]
+Description=TEST
+
+[Service]
+Type=oneshot
+ExecStart=/opt/test
+
+TemporaryFileSystem=/
+
+BindReadOnlyPaths=/opt/test /bin /lib /lib64 /usr
+
+
+
+UMask=077
+ProtectHome=yes
+PrivateTmp=yes
+PrivateDevices=yes
+PrivateNetwork=yes
+IPAddressDeny=any
+ProtectHostname=yes
+ProtectClock=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectKernelLogs=yes
+ProtectControlGroups=yes
+RestrictAddressFamilies=none
+RestrictFileSystems=ext4 tmpfs zfs
+RestrictNamespaces=yes
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+RemoveIPC=yes
+PrivateMounts=yes
+SystemCallFilter=~@swap
+SystemCallFilter=~@resources
+SystemCallFilter=~@reboot
+SystemCallFilter=~@raw-io
+SystemCallFilter=~@privileged
+SystemCallFilter=~@obsolete
+SystemCallFilter=~@mount
+SystemCallFilter=~@module
+SystemCallFilter=~@debug
+SystemCallFilter=~@cpu-emulation
+SystemCallFilter=~@clock
+CapabilityBoundingSet=
+ProtectProc=invisible
+ProcSubset=pid
+NoNewPrivileges=yes
+SystemCallArchitectures=native
+
+
+[Install]
+WantedBy=multi-user.target
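Review bot: This unit sets neither `User=` nor `DynamicUser=`, so unlike the two test_protect units `/opt/test` runs as UID 0 with the whole `TemporaryFileSystem=/` root writable; `CapabilityBoundingSet=` and `NoNewPrivileges=yes` strip capabilities, but root still owns everything in that private root and `PrivateUsers=`/`ProtectSystem=` are absent here. Add `DynamicUser=yes` and `PrivateUsers=yes` so the three test units sandbox the same way, or state in a comment why this one is meant to run as root. I have not verified that `TemporaryFileSystem=/` is accepted by the installed systemd; if it is, note that `/etc` is not among the `BindReadOnlyPaths=`, so the binary sees no ld.so.cache, nsswitch or locale data and may need `/etc` bound read-only.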
diff --git a/libs/systemd.py b/libs/systemd.py
index 421dbb0..e72fdcf 100644
--- a/libs/systemd.py
+++ b/libs/systemd.py
@@ -41,3 +41,52 @@ def generate_unitfile(data):
         data=dict(sorted(data.items(), key=segment_order)),
         order=order
     ).lstrip()
+
+# wip
+def protection():
+    return {
+        # user
+        'UMask': '077',
+        'DynamicUser': 'yes',
+        'PrivateUsers': 'yes',
+        'RestrictSUIDSGID': 'yes',
+        'NoNewPrivileges': 'yes',
+        'LockPersonality': 'yes',
+        'RemoveIPC': 'yes',
+
+        # fs
+        'ProtectSystem': 'strict',
+        'ProtectHome': 'yes',
+        'PrivateTmp': 'yes',
+        'PrivateDevices': 'yes',
+        'ProtectProc': 'invisible',
+        'ProcSubset': 'pid',
+        'PrivateMounts': 'yes',
+        'RestrictFileSystems': {'ext4', 'tmpfs', 'zfs'},
+
+        'NoExecPaths': {'/'},
+        'ExecPaths': {'/bin', '/sbin', '/lib', '/lib64', '/usr'},
+
+        'TemporaryFileSystem': {'/var'},
+
+        # network
+        'IPAddressDeny': 'any',
+        'PrivateNetwork': 'yes',
+        'RestrictAddressFamilies': 'none',
+
+        # syscall
+        'SystemCallArchitectures': 'native',
+        'SystemCallFilter': '~@swap @resources @reboot @raw-io @privileged @obsolete @mount @module @debug @cpu-emulation @clock',
+
+        # else
+        'ProtectHostname': 'yes',
+        'ProtectClock': 'yes',
+        'ProtectKernelTunables': 'yes',
+        'ProtectKernelModules': 'yes',
+        'ProtectKernelLogs': 'yes',
+        'ProtectControlGroups': 'yes',
+        'RestrictNamespaces': 'yes',
+        'MemoryDenyWriteExecute': 'yes',
+        'RestrictRealtime': 'yes',
+        'CapabilityBoundingSet': '',
+    }
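Review bot: The path-list values in protection() are `set` literals, and since CPython randomizes str hashing per process the iteration order of `{'ext4', 'tmpfs', 'zfs'}` or the `ExecPaths` set can differ between runs, so generated unit files are not reproducible byte-for-byte if the template joins these values in iteration order (I cannot see how generate_unitfile renders them, so please check). Tuples fix the order and keep the same membership. The function also carries only a `# wip` marker; give it a docstring stating that it returns the default sandboxing directives for a generated unit and that `ExecPaths=` deliberately omits the service binary, which the caller must add (the hand-written test units include `/opt/test`).
```python
        'RestrictFileSystems': ('ext4', 'tmpfs', 'zfs'),
        # … unchanged: NoExecPaths/ExecPaths comment …
        'NoExecPaths': ('/',),
        'ExecPaths': ('/bin', '/sbin', '/lib', '/lib64', '/usr'),
        'TemporaryFileSystem': ('/var',),
```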