[opensuse-security] Re: [opensuse-factory] Re: Review needed, putting yast2-security in shape
On 06/11/2015 11:26 AM, Yamaban wrote:
> Comments inserted, personal IMHO.
>
> On Thu, 11 Jun 2015 10:47, Ancor Gonzalez Sosa wrote:
>> YaST2-Security, the YaST module to configure local security settings, is aging. There is a quite deep analysis about the problems here https://docs.google.com/document/d/1BFVou4YrRoc4vPCkofs-Qo2C9b-lWIbuMBiGk3Oc...
>>
>> The plan described in the document is a mid-term goal. In the short term (next week), the goal is to do less disruptive changes. To be concrete, just:
>>
>> - Remove any reference to runlevels
>
> First step: replace runlevels with the corresponding systemd *.target, afterwards think about removal, where it makes sense.

To be honest, I find it much cheaper, more coherent and a lot less confusing to only analyze the current target.

>> - Update the list of security settings (currently "home workstation", "networked workstation" and "network server")
>
> Giving examples like "private network with internet (home)", "public network (guest / public wifi, cell-mobile)", "providing services to others (server)" would be much more clear and helpful.

The full descriptions of the old settings (clearly outdated nowadays) are in the help of the module and in one screenshot in the document referenced at the beginning of my mail.

>> - Update the list of mandatory services (it will still be independent of the security setting for the time being)
>> - Update the list of extra allowed services (same as above)
>>
>> We are already working with the following lists, feedback is highly appreciated.
>>
>> New list of security settings:
>> - Workstation
>> - Server
>
> Missing: roaming mobile (laptop, tablet)

Good point.

>> New list of mandatory services:
>> - systemd
>> - systemd-journald
>> - systemd-dmevented
>
> Really, for every one? Many of the systems under my care are better off without any dm* stuff, better move that to extra.
>
>> - systemd-udevd
>> - systemd-logind
>> - dbus-daemon
>> - rsyslogd
>
> Urgs, either generic syslog (rsyslogd, syslog-ng, journald-only), or all of them selective (radio-button)

We actually have the ability to specify a list of equivalent services, but this only makes obvious the inability of Yast2-Journal to manage systemd aliases. I will try to implement proper management of aliases, so specifying "syslog" is enough for the module to figure out that rsyslogd is also ok.

>> - polkitd
>> - cron
>
> Eh?, and what about handling systemd-timer stuff, that more and more replaces cron, as well as which implementation of cron (anacron, cronie, dcron, fcron, vixie-cron, etc)?

To some extent, more work for the to-be-implemented aliases handling. :-)

>> - SuSEfirewall
>
> give hints to other firewalls (firewalld, shorewall, etc) and ipv6 handling (it's ugly in SuSEfirewall)
>
>> - auditd
>
> Well, dunno. AppArmor seems more relevant to security than auditd, IMHO
>
>> New list of extra (harmless) services:
>> - wickedd
>> - nscd
>> - postfix
>> - ntpd
>> - sshd
>> - haveged
>
> place auditd here, and if not above, AppArmor also here, also needed here: modem-manager, network-manager
>
>> Anything you miss? Anything you think should not be there?
>>
>> Thanks.
>
> Thanks for starting this thread, it is needed work.

Thanks for the feedback.
--
Ancor González Sosa
YaST Team at SUSE Linux GmbH
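The "list of equivalent services" plus systemd alias handling that Ancor describes above can be checked against live unit state with a small script like the following. This is an added example, not code from yast2-security, the YaST team or anyone in this thread. It assumes the mandatory list uses systemd unit base names (so `rsyslog` rather than the `rsyslogd` daemon name), resolves aliases through the `Names=` property that `systemctl show` reports for a unit, and works on a constructed copy of that command's output so it runs offline; the `MANDATORY` list is illustrative, not the module's real list.

```python
"""Check mandatory services against systemd, honouring equivalence groups
and unit aliases. Added example, not yast2-security code."""
import re
from typing import Dict, Iterable, List, Sequence, Tuple, Union

# Constructed sample of `systemctl show -p Names,ActiveState <units...>` output.
# systemctl prints one Key=Value block per unit; blocks are separated by a
# blank line, and Names= lists every alias the unit is loaded under.
SAMPLE_SHOW_OUTPUT = """\
Names=rsyslog.service syslog.service
ActiveState=active

Names=systemd-udevd.service
ActiveState=active

Names=cron.service cronie.service
ActiveState=inactive

Names=auditd.service
ActiveState=active
"""

# Illustrative mandatory list (assumption, not the module's real list): a plain
# string is one unit; a tuple is a group of equivalent units, any one of which
# satisfies the requirement. Names are unit base names, ".service" is implied.
Requirement = Union[str, Tuple[str, ...]]
MANDATORY: List[Requirement] = [
    "systemd-udevd",
    ("syslog", "rsyslog", "syslog-ng"),  # any syslog implementation is fine
    "cron",
    "auditd",
]


def _unit(name: str) -> str:
    """Normalise a bare unit base name to a .service unit name."""
    return name if name.endswith(".service") else name + ".service"


def show_command(units: Iterable[str]) -> List[str]:
    """argv that would query live state; built here but never executed."""
    return ["systemctl", "show", "-p", "Names,ActiveState", *(_unit(u) for u in units)]


def parse_show_output(text: str) -> List[Dict[str, str]]:
    """Split systemctl show output into one {key: value} dict per unit."""
    records: List[Dict[str, str]] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec: Dict[str, str] = {}
        for line in block.splitlines():
            key, _, value = line.partition("=")
            if key.strip():
                rec[key.strip()] = value.strip()
        if rec:
            records.append(rec)
    return records


def alias_table(records: Sequence[Dict[str, str]]) -> Dict[str, Dict[str, str]]:
    """Map every name a unit is known by (its Names= aliases) to its record."""
    table: Dict[str, Dict[str, str]] = {}
    for rec in records:
        for name in rec.get("Names", "").split():
            table[name] = rec
    return table


def check_mandatory(required: Sequence[Requirement],
                    records: Sequence[Dict[str, str]]):
    """Return (satisfied, missing).

    satisfied maps a requirement's first name to the active unit that met it
    (e.g. "syslog" -> "rsyslog.service" via the alias); missing lists the
    requirements for which no candidate name, alias included, is active."""
    table = alias_table(records)
    satisfied: Dict[str, str] = {}
    missing: List[str] = []
    for req in required:
        candidates = (req,) if isinstance(req, str) else req
        hit = None
        for cand in candidates:
            rec = table.get(_unit(cand))
            if rec is not None and rec.get("ActiveState") == "active":
                hit = rec["Names"].split()[0]  # report the unit's primary name
                break
        if hit:
            satisfied[candidates[0]] = hit
        else:
            missing.append(candidates[0])
    return satisfied, missing


if __name__ == "__main__":
    recs = parse_show_output(SAMPLE_SHOW_OUTPUT)
    ok, gone = check_mandatory(MANDATORY, recs)
    for name, unit in ok.items():
        print(f"ok       {name:<16} via {unit}")
    for name in gone:
        print(f"MISSING  {name}")
```

On a real system you would feed `subprocess.run(show_command(names), capture_output=True, text=True).stdout` into `parse_show_output` instead of the constructed sample; keeping the parser separate from the command makes the alias logic testable without systemd present, which is also how a YaST module could unit-test it.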