[systemd-devel] Antw: Re: [systemd-devel] [EXT] Proposal to extend os-release/machine-info with field PREFER_HARDENED_CONFIG

Peter Hoeg peter at hoeg.com
Fri Feb 18 05:53:05 UTC 2022


>> To what extent a machine is locked down is a policy choice. There are
>> already loads of tools available to manage policy so this really doesn't
>> belong here and if you want to ensure that your fleet of machines are locked
>> down through something like PREFER_HARDENED_CONFIG=1, you're going to need
>> tools to manage *that* anyway. Then why not use the same tool(s) to simply
>> manage the machines?
>
> And what exactly should it do?

I'm sorry, but what is "it" in this context?

> Also: Do you really believe in "one size fits all" security-wise?

Of course not. I think distributions should be providing sane defaults and everything else is a policy decision that whoever is responsible for a particular machine would then implement using one of the many tools that already exist.

> If (at all), then the parameter should be "SECURITY_POLICY=name" (where name
> is one of the predefined policies).

One of the ideas behind the systemd project was to provide plumbing for all distributions that would provide some level of standardization and each distribution not having to reinvent the wheel.

Introducing something like SECURITY_POLICY=woot which inevitably would mean different things from distribution to distribution and even from package to package within a distribution doesn't seem like it would further that goal.

> And most of all, selecting a different policy does not make it a different OS.

For sure, but I don't quite see which point you're trying to make.

