diff --git a/system/security/default.nix b/system/security/default.nix
index b64158cd..8fb9e2c8 100644
--- a/system/security/default.nix
+++ b/system/security/default.nix
@@ -18,6 +18,13 @@
 packages = [pkgs.apparmor-profiles];
 };
 };
+ # credits: poz
+ fileSystems = let
+ defaults = ["nodev" "nosuid" "noexec"];
+ in {
+ "/boot".options = defaults;
+ "/var/log".options = defaults;
+ };
 boot = {
 blacklistedKernelModules = [
 # Obscure network protocols
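Review bot: The `"/var/log".options = defaults;` line only adds mount flags and declares no `device`/`fsType`, so it hardens anything only if a separate `/var/log` filesystem is defined elsewhere in the configuration (presumably hardware-configuration.nix); if that definition is absent, NixOS cannot generate an fstab entry for the mount point and the build fails, and if `/var/log` is just a directory on the root filesystem the flags silently apply to nothing. Either add the device/fsType for `/var/log` here or record the dependency so it is not lost, e.g. `# assumes a dedicated /var/log mount is declared elsewhere; these flags do nothing for a plain directory on /`. For `/boot`, `nodev`/`nosuid`/`noexec` are appropriate for an ESP, and since `options` is a list type the values merge with whatever hardware-configuration.nix sets rather than overriding it. The enclosing module attribute set starts and ends outside the hunk.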