On Wed, Feb 22, 2017 at 12:26 PM, Bryan Drewery <[email protected]> wrote:
...
> I concur.
> In the original review for adding this I predicted today would come,
> https://reviews.freebsd.org/D6826. I still think that it is very
> under-designed and under-thought out.
>
> I personally agree with hardening my system, but I have a number of
> issues with this approach:
>
> 1. It makes *1 installation* method do hardening, while every other
> installation method, and *upgrade* methods do not do hardening. So someone
> upgrading from 11.0 to 12.0 won't get hardening, but someone installing
> from bsdinstall for 12.0 fresh will get it. There should not be a
> distinction between our installation/upgrade methods like this.
>
> 2. It ignores that FreeBSD is a *generic Operating System* that serves
> many workflows. Developers want all of this off, System Administrators
> want all of it on, and Desktop users may want a compromise of half of it
> to allow various drivers to work (not pointing at any specific sysctl
> right now).
>
> I think what is really needed is a system profile that lets you pick the
> workflow you are going to use the system for, and then set some
> reasonable defaults from there. We will never all agree on the same
> defaults because we all are using the systems differently, but we can
> find some compromise if we make Use Cases, such as a System Profile
> would entail.
>
> I too would like to see this backed out.
(Piggybacking on this thread)

Silly question -- can all of these knobs please default to off and have a global knob, like securelevel..? Fine-grained security is great, but it's really cumbersome tweaking everything properly if you don't need a set property. Otherwise we end up with similar complexity to Windows Group Policies (which is good, but also hell to wade through and thus requires MSDNAA training).

Thanks,
-Ngie
