diff --git a/examples/chrony-wait.service b/examples/chrony-wait.service
index 72b028f2..b3aa7aa2 100644
--- a/examples/chrony-wait.service
+++ b/examples/chrony-wait.service
@@ -16,32 +16,5 @@ TimeoutStartSec=180
 RemainAfterExit=yes
 StandardOutput=null
 
-CapabilityBoundingSet=
-DevicePolicy=closed
-DynamicUser=yes
-IPAddressAllow=localhost
-IPAddressDeny=any
-LockPersonality=yes
-MemoryDenyWriteExecute=yes
-PrivateDevices=yes
-PrivateUsers=yes
-ProcSubset=pid
-ProtectClock=yes
-ProtectControlGroups=yes
-ProtectHome=yes
-ProtectHostname=yes
-ProtectKernelLogs=yes
-ProtectKernelModules=yes
-ProtectKernelTunables=yes
-ProtectProc=invisible
-ProtectSystem=strict
-RestrictAddressFamilies=AF_INET AF_INET6
-RestrictNamespaces=yes
-RestrictRealtime=yes
-SystemCallArchitectures=native
-SystemCallFilter=@system-service
-SystemCallFilter=~@privileged @resources
-UMask=0777
-
 [Install]
 WantedBy=multi-user.target
diff --git a/examples/chronyd.service b/examples/chronyd.service
index 4fb930ef..289548cb 100644
--- a/examples/chronyd.service
+++ b/examples/chronyd.service
@@ -10,40 +10,9 @@ Type=forking
 PIDFile=/run/chrony/chronyd.pid
 EnvironmentFile=-/etc/sysconfig/chronyd
 ExecStart=/usr/sbin/chronyd $OPTIONS
-
-CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
-CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_KILL CAP_LEASE CAP_LINUX_IMMUTABLE
-CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE CAP_MKNOD CAP_SYS_ADMIN
-CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_CHROOT CAP_SYS_MODULE CAP_SYS_PACCT
-CapabilityBoundingSet=~CAP_SYS_PTRACE CAP_SYS_RAWIO CAP_SYS_TTY_CONFIG CAP_WAKE_ALARM
-DeviceAllow=char-pps rw
-DeviceAllow=char-ptp rw
-DeviceAllow=char-rtc rw
-DevicePolicy=closed
-LockPersonality=yes
-MemoryDenyWriteExecute=yes
-NoNewPrivileges=yes
 PrivateTmp=yes
-ProcSubset=pid
-ProtectControlGroups=yes
 ProtectHome=yes
-ProtectHostname=yes
-ProtectKernelLogs=yes
-ProtectKernelModules=yes
-ProtectKernelTunables=yes
-ProtectProc=invisible
-ProtectSystem=strict
-ReadWritePaths=/run /var/lib/chrony -/var/log
-RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
-RestrictNamespaces=yes
-RestrictSUIDSGID=yes
-SystemCallArchitectures=native
-SystemCallFilter=~@cpu-emulation @debug @module @mount @obsolete @raw-io @reboot @swap
-
-# Adjust restrictions for /usr/sbin/sendmail (mailonchange directive)
-NoNewPrivileges=no
-ReadWritePaths=-/var/spool
-RestrictAddressFamilies=AF_NETLINK
+ProtectSystem=full
 
 [Install]
 WantedBy=multi-user.target