To what extent a machine is locked down is a policy choice. There are
already loads of tools available to manage policy, so this really doesn't
belong here, and if you want to ensure that your fleet of machines is locked
down through something like PREFER_HARDENED_CONFIG=1, you're going to need
tools to manage *that* anyway. Then why not use the same tool(s) to simply
manage the machines?

And what exactly should it do?

I'm sorry, but what is "it" in this context?

Also: Do you really believe in "one size fits all" security-wise?

Of course not. I think distributions should be providing sane defaults and 
everything else is a policy decision that whoever is responsible for a 
particular machine would then implement using one of the many tools that 
already exist.

If (at all), then the parameter should be "SECURITY_POLICY=name" (where name
is one of the predefined policies).

One of the ideas behind the systemd project was to provide plumbing for all 
distributions that would provide some level of standardization and each 
distribution not having to reinvent the wheel.

Introducing something like SECURITY_POLICY=woot which inevitably would mean 
different things from distribution to distribution and even from package to 
package within a distribution doesn't seem like it would further that goal.

And most of all, selecting a different policy does not make it a different OS.

For sure, but I don't quite see which point you're trying to make.
