[systemd-devel] Proposal to extend os-release/machine-info with field PREFER_HARDENED_CONFIG
Wol
antlists at youngman.org.uk
Wed Feb 16 21:32:40 UTC 2022
On 16/02/2022 17:11, Stefan Schröder wrote:
>> I must say, I am very sure that the primar focus should always be on
>> locking things down as well as we can for*everyone* and as
>> *default*.
> Yes, that'd be nice, but I don't think it's realistic. Having an opt-in via the proposed mechanism, it would be much easier to suggest alternative 'hardenend' configurations upstream if they didn't mess up the old defaults.
>
I'm having loads of trouble at work at present - everything is locked
down tight because of GDPR and £Millions in fines if things go wrong.
There's no way I'm going to lock my home system down like that. What's
the saying - the securest system is locked in a safe with no
connectivity (and totally unusable :-). There is a very strong trade-off
between "secure" and "usable", and different people have different
tolerances for friction.
For me, passwd/shadow is more than secure enough - learning pam is too
much effort/hassle for too little gain. For work, it's LDAP/2FA -
mistakes and breaches are costly.
All that's being asked for here is some way of telling the system where
on the usable/secure spectrum the computer should be configured. As I'm
fond of saying, one size does NOT fit all ...
Cheers,
Wol
More information about the systemd-devel
mailing list