diff --git a/units/systemd-report-sign-plain@.service.in b/units/systemd-report-sign-plain@.service.in
index 7778239d78a..f084b33d9f2 100644
--- a/units/systemd-report-sign-plain@.service.in
+++ b/units/systemd-report-sign-plain@.service.in
@@ -19,3 +19,32 @@ WantsMountsFor=/var/lib/systemd/report.sign.plain
 StateDirectory=systemd/report.sign.plain
 StateDirectoryMode=0700
 ExecStart={{LIBEXECDIR}}/systemd-report-sign-plain
+CapabilityBoundingSet=
+DeviceAllow=
+IPAddressDeny=any
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+PrivateDevices=yes
+PrivateIPC=yes
+PrivateNetwork=yes
+PrivateTmp=disconnected
+ProtectClock=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectProc=invisible
+ProtectSystem=strict
+RestrictAddressFamilies=AF_UNIX
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+RuntimeMaxSec=5min
+SystemCallArchitectures=native
+SystemCallErrorNumber=EPERM
+SystemCallFilter=@system-service
+SystemCallFilter=~@privileged @resources
+UMask=0077
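Review bot: The hunk hardens the process but says nothing about the identity it runs under — no `User=` or `DynamicUser=` appears among the added lines, and the `[Service]` header and everything before line 19 are outside this hunk, so whether the signer still runs as UID 0 cannot be confirmed here. An empty `CapabilityBoundingSet=` strips capabilities but does not change ownership of the 0700 state directory that presumably holds the signing key; if the unit is not already unprivileged, `DynamicUser=yes` (which works with `StateDirectory=`) or a dedicated `User=` would complete the sandbox. `ProtectProc=invisible` is usually paired with `ProcSubset=pid` in this repository's other units, so consider adding `ProcSubset=pid` next to it unless the binary needs non-PID entries under /proc. Keeping `PrivateNetwork=yes`, `IPAddressDeny=any` and `RestrictAddressFamilies=AF_UNIX` together is fine as defense in depth, but a one-line comment above the block stating the intent (`# Offline signer: no network, no devices, key material only via StateDirectory`) would help the next editor avoid relaxing one of them without the others.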