Antw: Re: [systemd‑devel] [EXT] Proposal to extend os‑release/machine‑info with field PREFER_HARDENED_CONFIG

>>> Peter Hoeg <peter@xxxxxxxx> wrote on 17.02.2022 at 07:07 in message
<87k0duvvtv.fsf@xxxxxxxx>:

>>> I think os‑release describes the operating system, not policies.
>>
>> You are right. Perhaps machine‑info would be a better fit than os‑release.
> 
> To what extent a machine is locked down is a policy choice. There are
> already loads of tools available to manage policy so this really doesn't
> belong here and if you want to ensure that your fleet of machines are locked
> down through something like PREFER_HARDENED_CONFIG=1, you're going to need
> tools to manage *that* anyway. Then why not use the same tool(s) to simply
> manage the machines?

And what exactly should it do? Also: Do you really believe in "one size fits
all" security-wise?
If (at all), then the parameter should be "SECURITY_POLICY=name" (where name
is one of the predefined policies).
And most of all, selecting a different policy does not make it a different
OS.

Regards,
Ulrich Windl


> 
> It's 2022 ‑ nobody should be doing this by hand.





