diff --git a/at.changes b/at.changes
index 3f3bd4c..fe23fbc 100644
--- a/at.changes
+++ b/at.changes
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Wed Aug 11 08:25:16 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
+
+- Added hardening to systemd service(s). Added patch(es):
+  * harden_atd.service.patch
+  Modified:
+  * atd.service
+
 -------------------------------------------------------------------
 Fri Jul 16 09:09:26 UTC 2021 - Danilo Spinella <danilo.spinella@suse.com>
 
diff --git a/at.spec b/at.spec
index 0322c5d..3b4c797 100644
--- a/at.spec
+++ b/at.spec
@@ -58,6 +58,7 @@ Patch27:        at-3.1.14-usePOSIXtimers.patch
 Patch28:        at-adjust_load_to_cpu_count.patch
 # PATCH-FIX-UPSTREAM bnc#945124 kstreitova@suse.com -- don't loop on corrupt files and prevent their creation
 Patch29:        at-3.1.16-handle_malformed_jobs.patch
+Patch30:        harden_atd.service.patch
 BuildRequires:  autoconf >= 2.69
 BuildRequires:  automake
 BuildRequires:  bison
diff --git a/atd.service b/atd.service
index 9afedc1..980f7a1 100644
--- a/atd.service
+++ b/atd.service
@@ -3,6 +3,19 @@ Description=Deferred execution scheduler
 After=nss-user-lookup.target time-sync.target
 
 [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions 
 ExecStart=/usr/sbin/atd -f
 
 [Install]
diff --git a/harden_atd.service.patch b/harden_atd.service.patch
new file mode 100644
index 0000000..daaf432
--- /dev/null
+++ b/harden_atd.service.patch
@@ -0,0 +1,24 @@
+Index: at-3.2.2/atd.service.in
+===================================================================
+--- at-3.2.2.orig/atd.service.in
++++ at-3.2.2/atd.service.in
+@@ -4,6 +4,19 @@ Documentation=man:atd(8)
+ After=remote-fs.target nss-user-lookup.target
+ 
+ [Service]
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++ProtectHome=true
++PrivateDevices=true
++ProtectHostname=true
++ProtectClock=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions 
+ ExecStartPre=-find @atjobdir@ -type f -name "=*" -not -newercc /run/systemd -delete
+ ExecStart=@sbindir@/atd -f
+ IgnoreSIGPIPE=false