Rootwrap is a security wrapper designed to allow a service-specific
unprivileged user to run a number of actions as the root user in the
safest manner possible mitigating EoP such as when an attacker takes
advantage of a running service with root privileges. The
rootwrap.conf file contains filter definition directories and
specifies command filters to be loaded for them. Since the configuration
file is in the trusted security path, it needs to be owned and writeable
only by the root user to avoid tampering.
On a host Linux machine, enable encryption for a home
directory when creating a privileged user to mitigate information disclosure
threat.
For example, on Ubuntu use the following command:
adduser --encrypt-home
You might want to encrypt not the whole Home directory but only a specific
folder of files. In such case you can use the ~/.Private folder to store
keys and configuration files. The data stored in this folder will be decrypted
when the folder is automatically mounted on logon.