Feature Request: Profiles / Policy Packs for Pre-defined Rule Bundles

[chetanr25]

Problem

Currently, users must either:

1. Apply all rules at once (syshardn apply --level moderate), or
2. Manually specify individual rule IDs (--rules LNX-001 --rules LNX-002 ...)

This works, but different environments require different hardening approaches:

• A web server needs SSH hardening but not desktop services rules
• A workstation needs screensaver locks but may keep USB storage enabled
• PCI-DSS compliance targets specific controls, not all CIS rules
• A minimal server image needs only kernel/filesystem hardening

Manually assembling rule lists for each scenario is error-prone and hard to share across teams.

Proposed Solution: Profiles (Policy Packs)

A profile is a named bundle of rules + settings that can be applied together with a single command:

Instead of listing 15+ rule IDs...

syshardn apply --profile cis-level1-server

Or combining profiles

syshardn apply --profile web-server --profile pci-compliance

[Aswinr24]

Hey @chetanr25 thanks for sharing the feature idea, this is something I think would improve the practical use case of the tool
We have a few design questions to discuss on though..
To start with how should these profiles be stored and managed?
I was thinking they could be stored as yaml in say ~/.syshardn/profiles/ (Git-friendly and easy to navigate)
Also they should be editable as well
and we would need to support profile creation via CLI( probably have a cli helper wizard, or file base config as well)
Would like to hear your thoughts

[chetanr25]

Thanks! Yeah, storage is definitely something we need to nail down.

~/.syshardn/profiles/ idea looks good actually. Maybe later we could layer it with built-in profiles that ship with the tool for stuff like cis-level1-server or minimal-hardening as starting points.

For v1, maybe we just stick with built-in + user directory and skip the system-wide /etc/ stuff? Would keep things manageable.

On creating profiles, I see two main ways people might want to do it:

One is just editing YAML files directly - power users could just do vim ~/.syshardn/profiles/my-server.yaml and call it done.

The other is a CLI helper, maybe something like syshardn profile create my-profile --include "LNX-2*" --exclude LNX-602 for quick setups.

A full wizard could be cool but probably overkill at first. Maybe start with the one-liner and see if people ask for interactive mode?

Some other commands that might be handy:

syshardn profile list                           
syshardn profile show cis-level1-server     
syshardn profile copy cis-level1-server my-server 

[Aswinr24]

Yeah cli helper wizard might definitely be an overkill considering the support for policy packs already being a big enough addition to the tool
And I think user directory or system wide stuff is also not a thing we should be worried about first, could be a later enhancement
I believe we can go ahead with this approach of storing them in a fixed ~/.syshardn/profiles/ dir, and the two options to create profiles, but we would need a clear template showing an example of the profile creation via YAML files

Also we need to discuss more on what profiles we pack in syshardn by default, but that can also be picked later once the core feature in itself is implemented

[Aswinr24]

You can open an issue for this @chetanr25 — happy to track it as the next step.

For v1, focusing on the core profiles/policy packs feature is probably the right scope: support profiles stored under ~/.syshardn/profiles/ and allow creation either via direct YAML editing(with a documented profile YAML template/skeleton included) or via simple CLI commands

[chetanr25]

Opened issue #12 to track this feature implementation. Appreciate the feedback!