Comments inserted, personal IMHO.

On Thu, 11 Jun 2015 10:47, Ancor Gonzalez Sosa wrote:
> YaST2-Security, the YaST module to configure local security settings, is aging. There is a quite deep analysis about the problems here https://docs.google.com/document/d/1BFVou4YrRoc4vPCkofs-Qo2C9b-lWIbuMBiGk3Oc...
>
> The plan described in the document is a mid-term goal. In the short term (next week), the goal is to do less disruptive changes. To be concrete, just:
>
> - Remove any reference to runlevels

First step: replace runlevels with the corresponding systemd *.target, afterwards think about removal, where it makes sense.

> - Update the list of security settings (currently "home workstation", "networked workstation" and "network server")

Giving examples like "private network with internet (home)", "public network (guest / public wifi, cell-mobile)", "providing services to others (server)" would be much more clear and helpful.

> - Update the list of mandatory services (it will still be independent of the security setting for the time being)
> - Update the list of extra allowed services (same as above)
>
> We are already working with the following lists, feedback is highly appreciated.
>
> New list of security settings:
> - Workstation
> - Server

Missing: roaming mobile (laptop, tablet)

> New list of mandatory services:
> - systemd
> - systemd-journald
> - systemd-dmevented

Really, for every one? Many of the systems under my care are better off without any dm* stuff, better move that to extra.

> - systemd-udevd
> - systemd-logind
> - dbus-daemon
> - rsyslogd

Urgs, either generic syslog (rsyslogd, syslogd-ng, journald-only), or all of them selective (radio-button)

> - polkitd
> - cron

Eh?, and what about handling systemd-timer stuff, that more and more replaces cron, as well as which implementation of cron (anacron, crony, dcron, fcron, vixie-cron, etc)?

> - SuSEfirewall

give hints to other firewalls (firewalld, shorewall, etc) and ipv6 handling (it's ugly in SuSEfirewall)

> - auditd

Well, dunno. AppArmor seems more relevant to security than auditd, IMHO

> New list of extra (harmless) services:
> - wickedd
> - nscd
> - postfix
> - ntpd
> - sshd
> - haveged

place auditd here, and if not above, AppArmor also here, also needed here: modem-manager, network-manager

> Anything you miss? Anything you think should not be there?
>
> Thanks.

Thanks for starting this thread, it is needed work.

- Yamaban