I’d like to address the bugs found first, as that seems easy and to simplify this discussion.
- [!] │ │ ├── pkexec.security-misc (shared) (useful on desktop and server, however lxqt-sudo won’t be present on a server, but pkexec may be used on a server. Resolve by allowing the use of sudo.)
Fixed by deleting this legacy leftover file.
- [!] │ │ ├── disable-kernel-module-loading (shared) (useful on desktop and server, BUT SOMEHOW ISN’T SET EXECUTABLE???)
Fixed.
* [!] │ ├── dkms (none) (see files below)
* [!] │ │ └── framework.conf.d (none) (see files below)
* [!] │ │ └── 30_security-misc.conf (none) (should be moved out of security-misc)
- [!] │ │ │ ├── panic-on-oops.service (shared) (useful on desktop and server, systemd config looks invalid with a conflict between WantedBy and After)
Fixed.
* [x] │ │ ├── install matroxfb_bases /usr/bin/disabled-framebuffer-by-security-misc (shared) (ancient, obsolete, TYPO'D - THIS SHOULD BE BASE, NOT BASES)
Fixed.
All bugs should have been addressed.
Server? Could also be a home server with a GUI?
- │ │ ├── `glib-compile-schemas /usr/share/glib-2.0/schemas || true` (desktop) (glib-compile-schemas is of no use on a server)
No use but also no harm? So just keep as is for simplicity? Also a remote server might have a GUI.
- │ ├── security-misc.gconf-defaults (desktop) (nautilus won’t be present on a server)
Similar as above. Doesn’t harm and useful if a GUI is used on the server.
* [x] │ ├── bluetooth (desktop) (all subfiles are desktop)
* [x] │ │ └── 30_security-misc.conf (desktop) (bluez should only be present on desktops)
But if used on a server, this config does no harm, and is perhaps even useful?
* [x] │ │ ├── 25_default_whitelist_hardened_malloc.conf (server) (desktops don't use hardened-malloc)
We actually did, but Hardened Malloc is nowadays deprecated in Kicksecure.
* [x] │ │ ├── 25_default_whitelist_postfix.conf (server) (desktops shouldn't run postfix)
The primary defense for desktops would be not installing postfix then? But then postfix might be installed through a `Depends:` or `Recommends:`. In that case, indeed, best if not whitelisted.
* [x] │ │ ├── 25_default_whitelist_spice.conf (desktop) (only desktops need USB passthrough with SPICE)
SPICE over network to server?
I guess I would tend to keep as much shared as possible. The more remains shared, the less migration work there will be.
The file per file analysis is a great approach!