[systemd-devel] [EXT] Proposal to extend os-release/machine-info with field PREFER_HARDENED_CONFIG

Peter Hoeg peter at hoeg.com
Thu Feb 17 06:07:48 UTC 2022


>> I think os-release describes the operating system, not policies.
>
> You are right. Perhaps machine-info would be a better fit than os-release.

To what extent a machine is locked down is a policy choice. There are already loads of tools available to manage policy, so this really doesn't belong here, and if you want to ensure that your fleet of machines is locked down through something like PREFER_HARDENED_CONFIG=1, you're going to need tools to manage *that* anyway. Then why not use the same tool(s) to simply manage the machines?

It's 2022 - nobody should be doing this by hand.

