Author: jsuchome Date: Wed Apr 30 13:58:33 2008 New Revision: 47218 URL: http://svn.opensuse.org/viewcvs/yast?rev=47218&view=rev Log: - new defaults in security levels (bnc#385159): CWD_IN_ROOT_PATH, CWD_IN_USER_PATH always "no", ENABLE_SYSRQ "yes" for Home Workstation RUN_UPDATEDB_AS always "nobody" OBSCURE_CHECKS_ENAB, PASSWD_USE_CRACKLIB always "yes" - 2.16.1 Modified: trunk/security/VERSION trunk/security/package/yast2-security.changes trunk/security/src/levels.ycp trunk/security/testsuite/tests/Level1.out trunk/security/testsuite/tests/Level2.out trunk/security/testsuite/tests/Level3.out
Modified: trunk/security/VERSION URL: http://svn.opensuse.org/viewcvs/yast/trunk/security/VERSION?rev=47218&r1...
==============================================================================
--- trunk/security/VERSION (original)
+++ trunk/security/VERSION Wed Apr 30 13:58:33 2008
@@ -1 +1 @@
-2.16.0
+2.16.1
Modified: trunk/security/package/yast2-security.changes URL: http://svn.opensuse.org/viewcvs/yast/trunk/security/package/yast2-security.c...
==============================================================================
--- trunk/security/package/yast2-security.changes (original)
+++ trunk/security/package/yast2-security.changes Wed Apr 30 13:58:33 2008
@@ -1,4 +1,14 @@
 -------------------------------------------------------------------
+Wed Apr 30 13:07:33 CEST 2008 - jsuchome@suse.cz
+
+- new defaults in security levels (bnc#385159):
+ CWD_IN_ROOT_PATH, CWD_IN_USER_PATH always "no",
+ ENABLE_SYSRQ "yes" for Home Workstation
+ RUN_UPDATEDB_AS always "nobody"
+ OBSCURE_CHECKS_ENAB, PASSWD_USE_CRACKLIB always "yes"
+- 2.16.1
+
+-------------------------------------------------------------------
 Mon Apr 14 10:18:13 CEST 2008 - jsuchome@suse.cz
 - 2.16.0
Modified: trunk/security/src/levels.ycp URL: http://svn.opensuse.org/viewcvs/yast/trunk/security/src/levels.ycp?rev=47218...
==============================================================================
--- trunk/security/src/levels.ycp (original)
+++ trunk/security/src/levels.ycp Wed Apr 30 13:58:33 2008
@@ -56,25 +56,25 @@
 "Level1" : $[
 "CONSOLE_SHUTDOWN" : "reboot",
- "CWD_IN_ROOT_PATH" : "yes",
- "CWD_IN_USER_PATH" : "yes",
+ "CWD_IN_ROOT_PATH" : "no",
+ "CWD_IN_USER_PATH" : "no",
 "DISPLAYMANAGER_REMOTE_ACCESS" : "no",
- "ENABLE_SYSRQ" : "no",
+ "ENABLE_SYSRQ" : "yes",
 "FAIL_DELAY" : "1",
 "GID_MAX" : "60000",
 "GID_MIN" : "1000",
 "GROUP_ENCRYPTION" : "des",
 "DISPLAYMANAGER_SHUTDOWN" : "all",
 "LASTLOG_ENAB" : "yes",
- "OBSCURE_CHECKS_ENAB" : "no",
+ "OBSCURE_CHECKS_ENAB" : "yes",
 "PASSWD_ENCRYPTION" : "blowfish",
- "PASSWD_USE_CRACKLIB" : "no",
+ "PASSWD_USE_CRACKLIB" : "yes",
 "PASS_MAX_DAYS" : "99999",
 "PASS_MIN_DAYS" : "0",
 "PASS_MIN_LEN" : "5",
 "PASS_WARN_AGE" : "7",
 "PERMISSION_SECURITY" : "easy",
- "RUN_UPDATEDB_AS" : "root",
+ "RUN_UPDATEDB_AS" : "nobody",
 "UID_MAX" : "60000",
 "UID_MIN" : "1000",
 "SYSTEM_UID_MAX" : "499",
@@ -100,7 +100,7 @@
 "GROUP_ENCRYPTION" : "des",
 "DISPLAYMANAGER_SHUTDOWN" : "root",
 "LASTLOG_ENAB" : "yes",
- "OBSCURE_CHECKS_ENAB" : "no",
+ "OBSCURE_CHECKS_ENAB" : "yes",
 "PASSWD_ENCRYPTION" : "blowfish",
 "PASSWD_USE_CRACKLIB" : "yes",
 "PASS_MAX_DAYS" : "99999",
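Review bot: `"ENABLE_SYSRQ" : "yes"` in the Level1 map (first levels.ycp hunk) is the only entry in this commit that loosens a default, and it carries no comment explaining why. The updated Level1.out expectation shows it is applied as `echo 1 > /proc/sys/kernel/sysrq`, which enables every SysRq function rather than a subset, so anyone at the console keyboard can kill processes, remount filesystems or reboot without logging in. A comment next to the entry should record that trade-off, for example `// SysRq deliberately on for Home Workstation, see bnc#385159; grants all SysRq keys to anyone at the console`. The kernel sysctl also accepts a bitmask, so if the sysconfig layer can carry a number instead of yes/no, a mask limited to sync, read-only remount and reboot would keep the recovery keys while dropping the rest. The Level1 map begins and ends outside the hunk, so any existing comment there is not visible.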
@@ -134,7 +134,7 @@
 "GROUP_ENCRYPTION" : "des",
 "DISPLAYMANAGER_SHUTDOWN" : "root",
 "LASTLOG_ENAB" : "yes",
- "OBSCURE_CHECKS_ENAB" : "no",
+ "OBSCURE_CHECKS_ENAB" : "yes",
 "PASSWD_ENCRYPTION" : "blowfish",
 "PASSWD_USE_CRACKLIB" : "yes",
 "PASS_MAX_DAYS" : "99999",
Modified: trunk/security/testsuite/tests/Level1.out URL: http://svn.opensuse.org/viewcvs/yast/trunk/security/testsuite/tests/Level1.o...
==============================================================================
--- trunk/security/testsuite/tests/Level1.out (original)
+++ trunk/security/testsuite/tests/Level1.out Wed Apr 30 13:58:33 2008
@@ -35,15 +35,15 @@
 Read .sysconfig.displaymanager.DISPLAYMANAGER_SHUTDOWN nil
 Write .sysconfig.displaymanager.DISPLAYMANAGER_SHUTDOWN "all" true
 Read .sysconfig.locate.RUN_UPDATEDB_AS nil
-Write .sysconfig.locate.RUN_UPDATEDB_AS "root" true
+Write .sysconfig.locate.RUN_UPDATEDB_AS "nobody" true
 Read .sysconfig.security.PERMISSION_SECURITY nil
 Write .sysconfig.security.PERMISSION_SECURITY "easy local" true
 Read .sysconfig.suseconfig.CWD_IN_ROOT_PATH nil
-Write .sysconfig.suseconfig.CWD_IN_ROOT_PATH "yes" true
+Write .sysconfig.suseconfig.CWD_IN_ROOT_PATH "no" true
 Read .sysconfig.suseconfig.CWD_IN_USER_PATH nil
-Write .sysconfig.suseconfig.CWD_IN_USER_PATH "yes" true
+Write .sysconfig.suseconfig.CWD_IN_USER_PATH "no" true
 Read .sysconfig.sysctl.ENABLE_SYSRQ nil
-Write .sysconfig.sysctl.ENABLE_SYSRQ "no" true
+Write .sysconfig.sysctl.ENABLE_SYSRQ "yes" true
 Write .etc.login_defs nil true
 Write .sysconfig.displaymanager nil true
 Write .sysconfig.locate nil true
@@ -55,12 +55,12 @@
 Execute .target.bash "/sbin/telinit q" 0
 Read .etc.default.passwd."CRYPT_FILES" nil
 Write .etc.default.passwd."CRYPT_FILES" "blowfish" true
-Execute .target.bash_output "pam-config -d --pwcheck-cracklib" $[]
-Execute .target.bash_output "pam-config -a --pwcheck-no_obscure_checks" $[]
+Execute .target.bash_output "pam-config -a --pwcheck-cracklib" $[]
+Execute .target.bash_output "pam-config -d --pwcheck-no_obscure_checks" $[]
 Execute .target.bash_output "pam-config -d --pwcheck-minlen=" $[]
 Execute .target.bash_output "pam-config -d --pwcheck-remember=" $[]
 Write .etc.default.passwd nil true
-Execute .target.bash "echo 0 > /proc/sys/kernel/sysrq" 0
+Execute .target.bash "echo 1 > /proc/sys/kernel/sysrq" 0
 Read .sysconfig.displaymanager.DISPLAYMANAGER ""
 Execute .target.bash "/sbin/SuSEconfig --module kde3" 0
 Execute .target.bash "/sbin/SuSEconfig --module kdm3" 0
Modified: trunk/security/testsuite/tests/Level2.out URL: http://svn.opensuse.org/viewcvs/yast/trunk/security/testsuite/tests/Level2.o...
==============================================================================
--- trunk/security/testsuite/tests/Level2.out (original)
+++ trunk/security/testsuite/tests/Level2.out Wed Apr 30 13:58:33 2008
@@ -56,7 +56,7 @@
 Read .etc.default.passwd."CRYPT_FILES" nil
 Write .etc.default.passwd."CRYPT_FILES" "blowfish" true
 Execute .target.bash_output "pam-config -a --pwcheck-cracklib" $[]
-Execute .target.bash_output "pam-config -a --pwcheck-no_obscure_checks" $[]
+Execute .target.bash_output "pam-config -d --pwcheck-no_obscure_checks" $[]
 Execute .target.bash_output "pam-config -d --pwcheck-minlen=" $[]
 Execute .target.bash_output "pam-config -d --pwcheck-remember=" $[]
 Write .etc.default.passwd nil true
Modified: trunk/security/testsuite/tests/Level3.out URL: http://svn.opensuse.org/viewcvs/yast/trunk/security/testsuite/tests/Level3.o...
==============================================================================
--- trunk/security/testsuite/tests/Level3.out (original)
+++ trunk/security/testsuite/tests/Level3.out Wed Apr 30 13:58:33 2008
@@ -56,7 +56,7 @@
 Read .etc.default.passwd."CRYPT_FILES" nil
 Write .etc.default.passwd."CRYPT_FILES" "blowfish" true
 Execute .target.bash_output "pam-config -a --pwcheck-cracklib" $[]
-Execute .target.bash_output "pam-config -a --pwcheck-no_obscure_checks" $[]
+Execute .target.bash_output "pam-config -d --pwcheck-no_obscure_checks" $[]
 Execute .target.bash_output "pam-config -a --pwcheck-minlen=6" $[]
 Execute .target.bash_output "pam-config -d --pwcheck-remember=" $[]
 Write .etc.default.passwd nil true
-- To unsubscribe, e-mail: yast-commit+unsubscribe@opensuse.org For additional commands, e-mail: yast-commit+help@opensuse.org