[opensuse-security] Review needed, putting yast2-security in shape
YaST2-Security, the YaST module to configure local security settings, is aging. There is a quite deep analysis about the problems here https://docs.google.com/document/d/1BFVou4YrRoc4vPCkofs-Qo2C9b-lWIbuMBiGk3Oc...

The plan described in the document is a mid-term goal. In the short term (next week), the goal is to do less disruptive changes. To be concrete, just:

- Remove any reference to runlevels
- Update the list of security settings (currently "home workstation", "networked workstation" and "network server")
- Update the list of mandatory services (it will still be independent of the security setting for the time being)
- Update the list of extra allowed services (same as above)

We are already working with the following lists, feedback is highly appreciated.

New list of security settings:
- Workstation
- Server

New list of mandatory services:
- systemd
- systemd-journald
- systemd-dmevented
- systemd-udevd
- systemd-logind
- dbus-daemon
- rsyslogd
- polkitd
- cron
- SuSEfirewall
- auditd

New list of extra (harmless) services:
- wickedd
- nscd
- postfix
- ntpd
- sshd
- haveged

Anything you miss? Anything you think should not be there?

Thanks.

--
Ancor González Sosa
YaST Team at SUSE Linux GmbH

--
To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-security+owner@opensuse.org
Hi,

On 06/11/2015 10:47 AM, Ancor Gonzalez Sosa wrote:

New list of mandatory services:
[...]
- rsyslogd
[...]

Is there something that syslog-ng can't provide and for which rsyslog is necessary?

Bye,
CzP
syslog-ng upstream + openSUSE/SLES package maintainer...
Ancor Gonzalez Sosa wrote:
YaST2-Security, the YaST module to configure local security settings, is aging. There is a quite deep analysis about the problems here https://docs.google.com/document/d/1BFVou4YrRoc4vPCkofs-Qo2C9b-lWIbuMBiGk3Oc...
The plan described in the document is a mid-term goal. In the short term (next week), the goal is to do less disruptive changes. To be concrete, just:
- Remove any reference to runlevels
- Update the list of security settings (currently "home workstation", "networked workstation" and "network server")
- Update the list of mandatory services (it will still be independent of the security setting for the time being)
- Update the list of extra allowed services (same as above)
We are already working with the following lists, feedback is highly appreciated.
New list of security settings:
- Workstation
- Server

New list of mandatory services:
- systemd
- systemd-journald
- systemd-dmevented
- systemd-udevd
- systemd-logind
- dbus-daemon
- rsyslogd
- polkitd
- cron
- SuSEfirewall
- auditd

New list of extra (harmless) services:
- wickedd
- nscd
- postfix
- ntpd
- sshd
- haveged
Anything you miss? Anything you think should not be there?
Hmm, maybe the scope and expectations for this module need to be defined. I wonder why it should care about things like cron, ntp or postfix for example.

For some of those services there are also existing yast modules, so maybe it would make sense for those modules to provide a plug-in for yast2-security. So you don't have to e.g. query the state of the firewall yourself but have the other module calculate it for you. That way maybe other settings could also be provided by the module that is intended for it. Like yast2-users for authentication settings.

Apparmor state might be worth mentioning in yast2-security.

cu
Ludwig

--
 (o_   Ludwig Nussel
 //\
 V_/_  http://www.suse.de/
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Dilip Upmanyu, Graham Norton, HRB 21284 (AG Nürnberg)
participants (3)
- Ancor Gonzalez Sosa
- Ludwig Nussel
- Peter Czanik