On Friday, December 8, 2023 11:23:29 AM EST Zbigniew Jędrzejewski-Szmek wrote:
> But yeah, there'll always be a few "special" files. But that's fine,
> we have mechanisms to handle those. For the other 99%, we should
> move them out of /etc.

The problem is that there would need to be a standard that all upstream authors agree on. There are some like systemd which have a [SECTION_NAME] followed by config items. Others do not make sections. What if the config is in yaml, json, or XML? How can you see the end result? We would need to have a standard library that everyone can use. From that, we need a utility to compile the actual configuration that would be consumed by the service so we can inspect it during troubleshooting.

Without this, security scanners are going to have a hard time determining what the security posture of a system is. And the Security Content everywhere will need to be changed: STIG, Common Criteria, CIS, USGCB, etc. Some of these are very opinionated about the file permissions. Something would have to check all files everywhere that make up a configuration. Again, security scanners are not going to like this. So, the library would also probably need to be able to report all permissions used or set all permissions used. And then there is the SELinux labeling...

There would probably need to be some written standard on how to assess the system security posture in this kind of world. This way tools can be adjusted using the standards.

-Steve
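The kind of utility Steve describes, compiling the effective configuration from layered fragments while reporting where each value came from and which fragments have permissions a scanner would object to. This is an added example, not code from Fedora or systemd; it assumes systemd-style INI fragments ([Section] / key=value), a fixed precedence order (vendor defaults first, local overrides last), and a constructed temporary directory layout with sample contents.

```python
"""Compile a service's effective config from layered fragments and audit
the permissions of every fragment that contributed to it (added example)."""
import configparser
import os
import stat
import tempfile
from pathlib import Path

def load_fragment(path):
    parser = configparser.RawConfigParser(strict=False)  # tolerate repeated keys
    parser.optionxform = str                              # keep key case as written
    parser.read(path, encoding="utf-8")
    return {s: dict(parser.items(s)) for s in parser.sections()}

def compile_config(paths):
    """Fold fragments in order; later files override earlier ones.
    Returns (effective, origin); origin maps (section, key) -> source file,
    which is what you want on hand when troubleshooting."""
    effective, origin = {}, {}
    for path in paths:
        for section, items in load_fragment(path).items():
            for key, value in items.items():
                effective.setdefault(section, {})[key] = value
                origin[(section, key)] = str(path)
    return effective, origin

def audit_permissions(paths):
    """Flag fragments that anyone other than the owner could modify
    (group or other write bit set). Returns (path, octal mode) pairs."""
    findings = []
    for path in paths:
        mode = os.stat(path).st_mode
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((str(path), oct(stat.S_IMODE(mode))))
    return findings

def build_demo():
    """Constructed fixture: a vendor default plus a world-writable local drop-in."""
    root = Path(tempfile.mkdtemp())
    vendor = root / "usr/lib/demo.conf.d/00-vendor.conf"
    local = root / "etc/demo.conf.d/10-local.conf"
    vendor.parent.mkdir(parents=True)
    local.parent.mkdir(parents=True)
    vendor.write_text("[Service]\nUser=demo\nProtectSystem=strict\n")
    local.write_text("[Service]\nProtectSystem=no\n")
    os.chmod(vendor, 0o644)
    os.chmod(local, 0o666)  # the sort of mode a STIG/CIS permission check rejects
    return [vendor, local]

if __name__ == "__main__":
    paths = build_demo()
    effective, origin = compile_config(paths)
    for (section, key), src in sorted(origin.items()):
        print(f"[{section}] {key}={effective[section][key]}  <- {src}")
    for path, mode in audit_permissions(paths):
        print(f"WARNING: {path} is writable by others (mode {mode})")
```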