Date: Wed, 22 Feb 2017 14:46:12 -0800
From: Ngie Cooper <yaneurabeya@gmail.com>
To: Bryan Drewery <bdrewery@freebsd.org>
Cc: Alexey Dokuchaev <danfe@freebsd.org>, Eric Badger <badger@freebsd.org>,
    Bartek Rutkowski <robak@freebsd.org>,
    "src-committers@freebsd.org" <src-committers@freebsd.org>,
    "svn-src-all@freebsd.org" <svn-src-all@freebsd.org>,
    "svn-src-head@freebsd.org" <svn-src-head@freebsd.org>
Subject: Re: svn commit: r314036 - head/usr.sbin/bsdinstall/scripts
Message-ID: <CAGHfRMC8dAu%2BYiGh%2BXLa4nRtjh2pgURK8MEt5_7U97fr7QDGYA@mail.gmail.com>
In-Reply-To: <6550638c-a629-bf5e-65e0-672cfd125f73@FreeBSD.org>
References: <201702210937.v1L9bY6V093836@repo.freebsd.org>
    <28a4cf5e-2edd-3e30-9ecd-817f886e9ea3@FreeBSD.org>
    <20170221144002.GA87822@FreeBSD.org>
    <20170222070733.GA29010@ymer.vnode.se>
    <6550638c-a629-bf5e-65e0-672cfd125f73@FreeBSD.org>

On Wed, Feb 22, 2017 at 12:26 PM, Bryan Drewery <bdrewery@freebsd.org> wrote:

...

> I concur.
> In the original review for adding this I predicted today would come,
> https://reviews.freebsd.org/D6826. I still think that it is very
> under-designed and under-thought out.
>
> I personally agree with hardening my system, but I have a number of
> issues with this approach:
>
> 1. It makes *1 installation* method do hardening, while every other
> installation method, and *upgrade* methods not do hardening. So someone
> upgrading from 11.0 to 12.0 won't get hardening, but someone installing
> from bsdinstall for 12.0 fresh will get it. There should not be a
> distinction between our installation/upgrade methods like this.
>
> 2. It ignores that FreeBSD is *generic Operating System* that serves
> many workflows. Developers want all of this off, System Administrators
> want all of it on, and Desktop users may want a compromise of half of it
> to allow various drivers to work (not pointing at any specific sysctl
> right now).
>
> I think what is really needed is a system profile that lets you pick the
> workflow you are going to use the system for, and then set some
> reasonable defaults from there. We will never all agree on the same
> defaults because we all are using the systems differently, but we can
> find some compromise if we make Use Cases, such as a System Profile
> would entail.
>
> I too would like to see this backed out.

(Piggybacking on this thread)

Silly question -- can all of these knobs please default to off and have a global knob, like securelevel..? Fine grained security is great, but it's really cumbersome tweaking everything properly if you don't need a set property. Otherwise we end up with similar complexity to Windows Group Policies (which is good, but also hell to wade through and thus requires MSDNAA training).

Thanks,
-Ngie