While what you’re saying is theoretically true, don’t forget that as far as I know, most attacks are perpetrated by bots. And while it is true that in a fedora based version one could run ostree admin unlock etc… this particular command would need to be included in the attack script.

Now if the script has to be modified to include all possible different immutable systems that could possibly run it would increase the complexity and most importantly the size of said script making it easier to detect.

I’m not saying that its a bulletproof method, I’m just saying that by itself it greatly minimizes the risk, at least until all servers run immutable systems. And even then it still complicates matters for potential attackers quite a bit. So therefore reducing or at least greatly minimizing the potential of the system being compromised.

Thank you for the tip. Unless my understanding is wrong both OS are similar, Coreos targeting more precisely Kubernetes and cluster management. Had a quick look, but definitively will read more about it.

Thank you, good to know. Not as straightforward as directly installing distro but certainly worth considering.

As to why it reduces attack surface please see answer provided to other comment.

Because even if an attacker could gain access even as root he cannot modify system files. This is why immutable OS distros are called immutable.

This runs a combination of both. Been using this for years and works like magic