[systemd-devel] Proposal to extend os-release/machine-info with field PREFER_HARDENED_CONFIG

[Wol]

On 16/02/2022 17:11, Stefan Schröder wrote:
>> I must say, I am very sure that the primar focus should always be on
>> locking things down as well as we can for*everyone*  and as
>> *default*.

> Yes, that'd be nice, but I don't think it's realistic. Having an opt-in via the proposed mechanism, it would be much easier to suggest alternative 'hardenend' configurations upstream if they didn't mess up the old defaults.
> 
I'm having loads of trouble at work at present - everything is locked 
down tight because of GDPR and £Millions in fines if things go wrong.

There's no way I'm going to lock my home system down like that. What's 
the saying - the securest system is locked in a safe with no 
connectivity (and totally unusable :-). There is a very strong trade-off 
between "secure" and "usable", and different people have different 
tolerances for friction.

For me, passwd/shadow is more than secure enough - learning pam is too 
much effort/hassle for too little gain. For work, it's LDAP/2FA - 
mistakes and breaches are costly.

All that's being asked for here is some way of telling the system where 
on the usable/secure spectrum the computer should be configured. As I'm 
fond of saying, one size does NOT fit all ...

Cheers,
Wol