My main usage is Ansible (or any provisioner/CI/CD), but this is valid for manual admin work too, unless blindly deploying.
```yaml
- name: Copy a new sudoers file into place, after passing validation with visudo
  ansible.builtin.template:
    src: /mine/sudoers
    dest: /etc/sudoers
    validate: /usr/sbin/visudo -cf %s
```
There is no validate option native to sysmon.
I could put an xmllint check to validate that the file is valid XML, and eventually test against the sysmon DTD (but it is not available in the current package).
This could also include self-checks like permission issues (ssh keys or log target not writable, but here more: read config, write log file, can load eBPF rules...), and a dry run of a few seconds in the foreground to validate that it can collect a few events...
Another example is systemd hardening: for most tools, I need to run over time to validate that it works without impact (and supposing relevant activities happen during this...). The more complete the validate/dry-run/self-test is, the easier it can be done.
As a best practice, an executable should have a test/dry-run option to test configuration (syntax and working execution).
Something that can be used, for example, in Ansible template deployment to ensure a broken config is not deployed.
https://docs.ansible.com/ansible/latest/collections/ansible/builtin/template_module.html#parameter-validate
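An added example, not from the issue author or the sysmon project: a stand-in pre-deployment check that Ansible's `validate` can call until the binary has its own dry-run. The script name, the function names and the checks chosen (well-formed XML, `<Sysmon>` root with `schemaversion`, `onmatch` limited to `include`/`exclude`, file readable) are assumptions for illustration; it does not load rules or collect events.

```python
#!/usr/bin/env python3
"""Pre-deployment check for a Sysmon XML config (hypothetical helper, not part of sysmon)."""
import os
import sys
import xml.etree.ElementTree as ET

VALID_ONMATCH = ("include", "exclude")


def check_config_xml(data):
    """Return a list of problems in the XML document `data` (str or bytes)."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    problems = []
    if root.tag != "Sysmon":
        problems.append(f"root element is <{root.tag}>, expected <Sysmon>")
    elif not root.get("schemaversion"):
        problems.append("<Sysmon> has no schemaversion attribute")
    # Every rule block that carries onmatch must say include or exclude.
    for elem in root.iter():
        onmatch = elem.get("onmatch")
        if onmatch is not None and onmatch not in VALID_ONMATCH:
            problems.append(f"<{elem.tag}> has onmatch={onmatch!r}")
    return problems


def check_config_file(path):
    """Self-check file access first, then validate the content."""
    if not os.path.isfile(path):
        return [f"{path}: not a regular file"]
    if not os.access(path, os.R_OK):
        return [f"{path}: not readable by uid {os.geteuid()}"]
    with open(path, "rb") as fh:
        return check_config_xml(fh.read())


def main(argv):
    if len(argv) != 2:
        print(f"usage: {argv[0]} CONFIG.xml", file=sys.stderr)
        return 2
    problems = check_config_file(argv[1])
    for problem in problems:
        print(f"sysmon config check: {problem}", file=sys.stderr)
    return 1 if problems else 0  # non-zero makes Ansible's validate abort the deploy


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Installed at a path of your choosing (for example a hypothetical `/usr/local/bin/check_sysmon_config.py`), it slots into the template task as `validate: /usr/local/bin/check_sysmon_config.py %s`, so a typo such as `onmatch="inlcude"` fails the play before the file reaches its destination.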