/
security_settings.rb
218 lines (185 loc) · 6.51 KB
/
security_settings.rb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
# ------------------------------------------------------------------------------
# Copyright (c) 2017 SUSE LLC
#
#
# This program is free software; you can redistribute it and/or modify it under
# the terms of version 2 of the GNU General Public License as published by the
# Free Software Foundation.
#
# This program is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
# FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along with
# this program; if not, contact SUSE.
#
# To contact SUSE about this file by physical or electronic mail, you may find
# current contact information at www.suse.com.
# ------------------------------------------------------------------------------
require "yast"
require "y2security/selinux"
Yast.import "UsersSimple"
module Installation
# Class that stores the security proposal settings during installation.
class SecuritySettings
include Yast::Logger
include Yast::I18n
# [Boolean] Whether the firewalld service will be enable
attr_accessor :enable_firewall
# [Boolean] Whether the sshd service will be enable
attr_accessor :enable_sshd
# [Boolean] Whether the ssh port will be opened
attr_accessor :open_ssh
# [Boolean] Whether the vnc port will be opened
attr_accessor :open_vnc
# [String] Name of the default zone where perform the changes
attr_accessor :default_zone
# [String, nil] Setting for policy kit default privileges
# For more info see /etc/sysconfig/security#POLKIT_DEFAULT_PRIVS
attr_accessor :polkit_default_privileges
# [Y2Security::Selinux] selinux configuration
attr_accessor :selinux_config
# Constructor
def initialize
textdomain "installation"
Yast.import "PackagesProposal"
Yast.import "ProductFeatures"
Yast.import "Linuxrc"
load_features
enable_firewall! if @enable_firewall
enable_sshd! if wanted_enable_sshd?
open_ssh! if wanted_open_ssh?
open_vnc! if wanted_open_vnc?
# FIXME: obtain from Y2Firewall::Firewalld, control file or allow to
# chose a different one in the proposal
@default_zone = "public"
end
# Load the default values defined in the control file
def load_features
load_feature(:enable_firewall, :enable_firewall)
load_feature(:firewall_enable_ssh, :open_ssh)
load_feature(:enable_sshd, :enable_sshd)
load_feature(:polkit_default_privs, :polkit_default_privileges)
end
# Services
# Add the firewall package to be installed and sets the firewalld service
# to be enabled
def enable_firewall!
Yast::PackagesProposal.AddResolvables("firewall", :package, ["firewalld"])
log.info "Enabling Firewall"
self.enable_firewall = true
end
# Remove the firewalld package from being installed and sets the firewalld
# service to be disabled
def disable_firewall!
Yast::PackagesProposal.RemoveResolvables("firewall", :package, ["firewalld"])
log.info "Disabling Firewall"
self.enable_firewall = false
end
# Add the openssh package to be installed and sets the sshd service
# to be enabled
def enable_sshd!
Yast::PackagesProposal.AddResolvables("firewall", :package, ["openssh"])
log.info "Enabling SSHD"
self.enable_sshd = true
end
# Remove the openssh package from being installed and sets the sshd service
# to be disabled
def disable_sshd!
Yast::PackagesProposal.RemoveResolvables("firewall", :package, ["openssh"])
log.info "Disabling SSHD"
self.enable_sshd = false
end
# Set the ssh port to be opened
def open_ssh!
log.info "Opening SSH port"
self.open_ssh = true
end
# Set the ssh port to be closed
def close_ssh!
log.info "Opening SSH port"
self.open_ssh = false
end
# Set the vnc port to be opened
def open_vnc!
log.info "Close VNC port"
self.open_vnc = true
end
# Set the vnc port to be closed
def close_vnc!
log.info "Close VNC port"
self.open_vnc = false
end
# Return whether the current settings could be a problem for the user to
# login
#
# @return [Boolean] true if the root user uses only public key
# authentication and the system is not accesible through ssh
def access_problem?
# public key is not the only way
return false unless only_public_key_auth
# without running sshd it is useless
return true unless @enable_sshd
# firewall is up and port for ssh is not open
@enable_firewall && !@open_ssh
end
def human_polkit_privileges
{
"" => _("Default"),
# TRANSLATORS: restrictive in sense the most restrictive policy
"restrictive" => _("Restrictive"),
"standard" => _("Standard"),
# TRANSLATORS: easy in sense the least restrictive policy
"easy" => _("Easy")
}
end
# Returns a SELinux configuration handler
#
# @return [Y2Security::Selinux] the SELinux config handler
def selinux_config
@selinux_config ||= Y2Security::Selinux.new
end
private
def load_feature(feature, to, source: global_section)
value = Yast::Ops.get(source, feature.to_s)
public_send("#{to}=", value) unless value.nil?
end
def global_section
Yast::ProductFeatures.GetSection("globals")
end
def wanted_enable_sshd?
Yast::Linuxrc.usessh || only_public_key_auth || @enable_sshd
end
def wanted_open_ssh?
Yast::Linuxrc.usessh || only_public_key_auth || @open_ssh
end
def wanted_open_vnc?
Yast::Linuxrc.vnc
end
# Determines whether only public key authentication is supported
#
# @note If the root user does not have a password, we assume that we will use a public
# key in order to log into the system. In such a case, we need to enable the SSH
# service (including opening the port).
def only_public_key_auth
Yast::UsersSimple.GetRootPassword.empty?
end
class << self
def run
instance.run
end
# Singleton instance
def instance
create_instance unless @instance
@instance
end
# Enforce a new clean instance
def create_instance
@instance = new
end
# Make sure only .instance and .create_instance can be used to
# create objects
private :new, :allocate
end
end
end