[opensuse-factory] Review needed, putting yast2-security in shape
YaST2-Security, the YaST module to configure local security settings, is aging. There is a quite deep analysis about the problems here https://docs.google.com/document/d/1BFVou4YrRoc4vPCkofs-Qo2C9b-lWIbuMBiGk3Oc... The plan described in the document is a mid-term goal. In the short term (next week), the goal is to do less disruptive changes. To be concrete, just: - Remove any reference to runlevels - Update the list of security settings (currently "home workstation", "networked worstation" and "network server") - Update the list of mandatory services (it will still be independent of the security setting for the time being) - Update the list of extra allowed services (same as above) We are already working with the following lists, feedback is highly appreciated. New list of security settings: - Workstation - Server New list of mandatory services: - systemd - systemd-journald - systemd-dmevented - systemd-udevd - systemd-logind - dbus-daemon - rsyslogd - polkitd - cron - SuSEfirewall - auditd New list of extra (harmless) services: - wickedd - nscd - postfix - ntpd - sshd - haveged Anything you miss? Anything you thing should not be there? Thanks. -- Ancor González Sosa YaST Team at SUSE Linux GmbH -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
Comments inserted, personal IMHO. On Thu, 11 Jun 2015 10:47, Ancor Gonzalez Sosa wrote:
YaST2-Security, the YaST module to configure local security settings, is aging. There is a quite deep analysis about the problems here https://docs.google.com/document/d/1BFVou4YrRoc4vPCkofs-Qo2C9b-lWIbuMBiGk3Oc...
The plan described in the document is a mid-term goal. In the short term (next week), the goal is to do less disruptive changes. To be concrete, just:
- Remove any reference to runlevels
First step: replace runlevels with the corresponding systemd *.target, afterwards think about removal, where it makes sense.
- Update the list of security settings (currently "home workstation", "networked worstation" and "network server") Giving examples like "private network with internet (home)", "public network (guest / public wifi, cell-mobile)", "providing services to others (server)" would be much more clear and helpfull.
- Update the list of mandatory services (it will still be independent of the security setting for the time being) - Update the list of extra allowed services (same as above)
We are already working with the following lists, feedback is highly appreciated.
New list of security settings: - Workstation - Server Missing : roaming mobile (laptop, tablet)
New list of mandatory services: - systemd - systemd-journald - systemd-dmevented Really, for every one? Many of the systems under my care are better of without any dm* stuff, better move that to extra.
- systemd-udevd - systemd-logind - dbus-daemon - rsyslogd Urgs, either generic syslog(rsyslogd,syslogd-ng,journald-only), or all of them selecive (radio-button)
- polkitd - cron Eh?, and what about handling systemd-timer stuff, that more and more replaces cron, as well as which implemention of cron (anacron,crony,dcron,fcron,vixie-cron,etc)?
- SuSEfirewall give hints to other firewalls (firewalld, shorewall, etc) and ipv6 handling (its ugly in SuSEfirewall)
- auditd Well, dunno. Apparmour seems more relevant to security than auditd, IMHO
New list of extra (harmless) services: - wickedd - nscd - postfix - ntpd - sshd - haveged place auditd here, and if not above, apparmour also here, also needed here: modem-manager, network-manager
Anything you miss? Anything you thing should not be there?
Thanks. Thanks for starting this thread, it is needed work.
- Yamaban -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
On 06/11/2015 11:26 AM, Yamaban wrote:
Comments inserted, personal IMHO.
On Thu, 11 Jun 2015 10:47, Ancor Gonzalez Sosa wrote:
YaST2-Security, the YaST module to configure local security settings, is aging. There is a quite deep analysis about the problems here https://docs.google.com/document/d/1BFVou4YrRoc4vPCkofs-Qo2C9b-lWIbuMBiGk3Oc...
The plan described in the document is a mid-term goal. In the short term (next week), the goal is to do less disruptive changes. To be concrete, just:
- Remove any reference to runlevels
First step: replace runlevels with the corresponding systemd *.target, afterwards think about removal, where it makes sense.
To be honest, I find much cheaper, coherent and a lot less confusing to only analyze the current target.
- Update the list of security settings (currently "home workstation", "networked worstation" and "network server") Giving examples like "private network with internet (home)", "public network (guest / public wifi, cell-mobile)", "providing services to others (server)" would be much more clear and helpfull.
The full descriptions of the old settings (clearly outdated nowadays) are in the help of the module and in one screenshot in the document referenced at the beginning of my mail.
- Update the list of mandatory services (it will still be independent of the security setting for the time being) - Update the list of extra allowed services (same as above)
We are already working with the following lists, feedback is highly appreciated.
New list of security settings: - Workstation - Server Missing : roaming mobile (laptop, tablet)
Good point.
New list of mandatory services: - systemd - systemd-journald - systemd-dmevented Really, for every one? Many of the systems under my care are better of without any dm* stuff, better move that to extra.
- systemd-udevd - systemd-logind - dbus-daemon - rsyslogd Urgs, either generic syslog(rsyslogd,syslogd-ng,journald-only), or all of them selecive (radio-button)
We actually have the ability to specify a list of equivalent services, but this only makes obvious the inability of Yast2-Journal to manage systemd aliases. I will try to implement proper management of aliases, so specifying "syslog" is enough for the module to figure out that rsyslogd is also ok.
- polkitd - cron Eh?, and what about handling systemd-timer stuff, that more and more replaces cron, as well as which implemention of cron (anacron,crony,dcron,fcron,vixie-cron,etc)?
To some extend, more work for the to-be-implemented aliases handling. :-)
- SuSEfirewall give hints to other firewalls (firewalld, shorewall, etc) and ipv6 handling (its ugly in SuSEfirewall)
- auditd Well, dunno. Apparmour seems more relevant to security than auditd, IMHO
New list of extra (harmless) services: - wickedd - nscd - postfix - ntpd - sshd - haveged place auditd here, and if not above, apparmour also here, also needed here: modem-manager, network-manager
Anything you miss? Anything you thing should not be there?
Thanks. Thanks for starting this thread, it is needed work.
Thanks for the feedback. -- Ancor González Sosa YaST Team at SUSE Linux GmbH -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
On Thu, Jun 11, 2015 at 5:47 AM, Ancor Gonzalez Sosa
YaST2-Security, the YaST module to configure local security settings, is aging. There is a quite deep analysis about the problems here https://docs.google.com/document/d/1BFVou4YrRoc4vPCkofs-Qo2C9b-lWIbuMBiGk3Oc...
The plan described in the document is a mid-term goal. In the short term (next week), the goal is to do less disruptive changes. To be concrete, just:
- Remove any reference to runlevels - Update the list of security settings (currently "home workstation", "networked worstation" and "network server") - Update the list of mandatory services (it will still be independent of the security setting for the time being) - Update the list of extra allowed services (same as above)
- systemd-dmevented
Where that comes from.. ? there is no such systemd component.
- systemd-udevd - systemd-logind - dbus-daemon
- rsyslogd
Rsyslog is not mandatory, the system can run journal only.
- polkitd
Policy kit is started as necessary by the services that require it.
- cron - SuSEfirewall - auditd
New list of extra (harmless) services: - wickedd - nscd - postfix
- ntpd
systemd-timesyncd...
- sshd - haveged
I think your are heading to the wrong direction.. Mostly because you are thinking about updating the module in question to a world that no longer exists...services are not static..they may be activated on demand, by hardware that's plugged in or even by changes in the filesystem, they might be mandatory or optional ..using this list-based approach will cause an endless maintenance pain.. -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
Hi, On 06/11/2015 10:47 AM, Ancor Gonzalez Sosa wrote:
New list of mandatory services: [...] - rsyslogd [...] Is there something, what syslog-ng can't provide and rsyslog is necessary? Bye, CzP syslog-ng upstream + openSUSE/SLES package maintainer... -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
Ancor Gonzalez Sosa wrote:
YaST2-Security, the YaST module to configure local security settings, is aging. There is a quite deep analysis about the problems here https://docs.google.com/document/d/1BFVou4YrRoc4vPCkofs-Qo2C9b-lWIbuMBiGk3Oc...
The plan described in the document is a mid-term goal. In the short term (next week), the goal is to do less disruptive changes. To be concrete, just:
- Remove any reference to runlevels - Update the list of security settings (currently "home workstation", "networked worstation" and "network server") - Update the list of mandatory services (it will still be independent of the security setting for the time being) - Update the list of extra allowed services (same as above)
We are already working with the following lists, feedback is highly appreciated.
New list of security settings: - Workstation - Server
New list of mandatory services: - systemd - systemd-journald - systemd-dmevented - systemd-udevd - systemd-logind - dbus-daemon - rsyslogd - polkitd - cron - SuSEfirewall - auditd
New list of extra (harmless) services: - wickedd - nscd - postfix - ntpd - sshd - haveged
Anything you miss? Anything you thing should not be there?
Hmm, maybe the scope and expectations for this module needs to be defined. I wonder why it should care about things like cron, ntp or postfix for example. For some of those service there are also existing yast modules, so maybe it would make sense for those modules to provide a plug-in for yast2-security. So you don't have to e.g. query the state of the firewall yourself but have the other module calculate it for you. That way maybe other settings could also be provided by the module that is intended for it. Like yast2-users for authentication settings. Apparmor state might be worth mentioning in yast2-security. cu Ludwig -- (o_ Ludwig Nussel //\ V_/_ http://www.suse.de/ SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Dilip Upmanyu, Graham Norton, HRB 21284 (AG Nürnberg) -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
participants (5)
-
Ancor Gonzalez Sosa -
Cristian Rodríguez -
Ludwig Nussel -
Peter Czanik -
Yamaban