[systemd-devel] Antw: Re: [systemd‑devel] [EXT] Proposal to extend os‑release/machine‑info with field PREFER_HARDENED_CONFIG
Ulrich Windl
Ulrich.Windl at rz.uni-regensburg.de
Thu Feb 17 10:39:38 UTC 2022
>>> Peter Hoeg <peter at hoeg.com> wrote on 17.02.2022 at 07:07 in message
<87k0duvvtv.fsf at hoeg.com>:
>>> I think os-release describes the operating system, not policies.
>>
>> You are right. Perhaps machine‑info would be a better fit than os‑release.
>
> To what extent a machine is locked down is a policy choice. There are
> already loads of tools available to manage policy so this really doesn't
> belong here and if you want to ensure that your fleet of machines are locked
> down through something like PREFER_HARDENED_CONFIG=1, you're going to need
> tools to manage *that* anyway. Then why not use the same tool(s) to simply
> manage the machines?
And what exactly should it do? Also: Do you really believe in "one size fits
all" security-wise?
If (at all), then the parameter should be "SECURITY_POLICY=name" (where name
is one of the predefined policies).
And most of all, selecting a different policy does not make it a different
OS.
Regards,
Ulrich Windl
>
> It's 2022 ‑ nobody should be doing this by hand.