Move security levels settings to yaml files
ancorgs committed Aug 19, 2015
1 parent ffda7d4 commit 00b211c
Showing 5 changed files with 155 additions and 121 deletions.
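--- a/src/data/security/level1.yml
+++ b/src/data/security/level1.yml
@@ -0,0 +1,39 @@
+# Security level 1: Home Workstation
+---
+CONSOLE_SHUTDOWN: reboot
+CRACKLIB_DICT_PATH: "/usr/lib/cracklib_dict"
+DISPLAYMANAGER_REMOTE_ACCESS: 'no'
+kernel.sysrq: '1'
+FAIL_DELAY: '1'
+GID_MAX: '60000'
+GID_MIN: '1000'
+AllowShutdown: All
+HIBERNATE_SYSTEM: active_console
+PASSWD_ENCRYPTION: sha512
+PASSWD_USE_CRACKLIB: 'yes'
+PASS_MAX_DAYS: '99999'
+PASS_MIN_DAYS: '0'
+PASS_MIN_LEN: '5'
+PASS_WARN_AGE: '7'
+PERMISSION_SECURITY: easy
+RUN_UPDATEDB_AS: nobody
+UID_MAX: '60000'
+UID_MIN: '1000'
+SYS_UID_MAX: '499'
+SYS_UID_MIN: '100'
+SYS_GID_MAX: '499'
+SYS_GID_MIN: '100'
+USERADD_CMD: "/usr/sbin/useradd.local"
+USERDEL_PRECMD: "/usr/sbin/userdel-pre.local"
+USERDEL_POSTCMD: "/usr/sbin/userdel-post.local"
+PASSWD_REMEMBER_HISTORY: '0'
+SYSTOHC: 'yes'
+SYSLOG_ON_NO_ERROR: 'yes'
+DISPLAYMANAGER_ROOT_LOGIN_REMOTE: 'no'
+DISPLAYMANAGER_XSERVER_TCP_PORT_6000_OPEN: 'no'
+SMTPD_LISTEN_REMOTE: 'no'
+DISABLE_STOP_ON_REMOVAL: 'no'
+DISABLE_RESTART_ON_UPDATE: 'no'
+net.ipv4.tcp_syncookies: '1'
+net.ipv4.ip_forward: '0'
+net.ipv6.conf.all.forwarding: '0'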
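Review bot: The quoting of scalars such as `'no'`, `'yes'` and `'1'` is load-bearing in this file and equally in level2.yml and level3.yml: Ruby's Psych follows YAML 1.1, so an unquoted `yes`/`no` loads as a boolean and bare digits load as integers, silently changing the string types that the former Ruby hash guaranteed to the consumers of these settings. Nothing in the files records that constraint, and the new spec only checks `FAIL_DELAY`, so a dropped quote on any other key would go unnoticed. I would add a comment under the title line in each file, e.g. `# Keep every value quoted: unquoted yes/no/digits would load as booleans/integers instead of strings`.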
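--- a/src/data/security/level2.yml
+++ b/src/data/security/level2.yml
@@ -0,0 +1,39 @@
+# Level 2: Networked Workstation
+---
+CONSOLE_SHUTDOWN: ignore
+CRACKLIB_DICT_PATH: "/usr/lib/cracklib_dict"
+DISPLAYMANAGER_REMOTE_ACCESS: 'no'
+kernel.sysrq: '0'
+FAIL_DELAY: '6'
+GID_MAX: '60000'
+GID_MIN: '1000'
+AllowShutdown: Root
+HIBERNATE_SYSTEM: active_console
+PASSWD_ENCRYPTION: sha512
+PASSWD_USE_CRACKLIB: 'yes'
+PASS_MAX_DAYS: '99999'
+PASS_MIN_DAYS: '1'
+PASS_MIN_LEN: '5'
+PASS_WARN_AGE: '14'
+PERMISSION_SECURITY: easy
+RUN_UPDATEDB_AS: nobody
+UID_MAX: '60000'
+UID_MIN: '1000'
+SYS_UID_MAX: '499'
+SYS_UID_MIN: '100'
+SYS_GID_MAX: '499'
+SYS_GID_MIN: '100'
+USERADD_CMD: "/usr/sbin/useradd.local"
+USERDEL_PRECMD: "/usr/sbin/userdel-pre.local"
+USERDEL_POSTCMD: "/usr/sbin/userdel-post.local"
+PASSWD_REMEMBER_HISTORY: '0'
+SYSTOHC: 'yes'
+SYSLOG_ON_NO_ERROR: 'yes'
+DISPLAYMANAGER_ROOT_LOGIN_REMOTE: 'no'
+DISPLAYMANAGER_XSERVER_TCP_PORT_6000_OPEN: 'no'
+SMTPD_LISTEN_REMOTE: 'no'
+DISABLE_STOP_ON_REMOVAL: 'no'
+DISABLE_RESTART_ON_UPDATE: 'no'
+net.ipv4.tcp_syncookies: '1'
+net.ipv4.ip_forward: '0'
+net.ipv6.conf.all.forwarding: '0'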
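--- a/src/data/security/level3.yml
+++ b/src/data/security/level3.yml
@@ -0,0 +1,39 @@
+# Level 3: Network server
+---
+CONSOLE_SHUTDOWN: ignore
+CRACKLIB_DICT_PATH: "/usr/lib/cracklib_dict"
+DISPLAYMANAGER_REMOTE_ACCESS: 'no'
+kernel.sysrq: '0'
+FAIL_DELAY: '3'
+GID_MAX: '60000'
+GID_MIN: '1000'
+AllowShutdown: Root
+HIBERNATE_SYSTEM: active_console
+PASSWD_ENCRYPTION: sha512
+PASSWD_USE_CRACKLIB: 'yes'
+PASS_MAX_DAYS: '99999'
+PASS_MIN_DAYS: '1'
+PASS_MIN_LEN: '6'
+PASS_WARN_AGE: '14'
+PERMISSION_SECURITY: secure
+RUN_UPDATEDB_AS: nobody
+UID_MAX: '60000'
+UID_MIN: '1000'
+SYS_UID_MAX: '499'
+SYS_UID_MIN: '100'
+SYS_GID_MAX: '499'
+SYS_GID_MIN: '100'
+USERADD_CMD: "/usr/sbin/useradd.local"
+USERDEL_PRECMD: "/usr/sbin/userdel-pre.local"
+USERDEL_POSTCMD: "/usr/sbin/userdel-post.local"
+PASSWD_REMEMBER_HISTORY: '0'
+SYSTOHC: 'yes'
+SYSLOG_ON_NO_ERROR: 'yes'
+DISPLAYMANAGER_ROOT_LOGIN_REMOTE: 'no'
+DISPLAYMANAGER_XSERVER_TCP_PORT_6000_OPEN: 'no'
+SMTPD_LISTEN_REMOTE: 'no'
+DISABLE_STOP_ON_REMOVAL: 'no'
+DISABLE_RESTART_ON_UPDATE: 'no'
+net.ipv4.tcp_syncookies: '1'
+net.ipv4.ip_forward: '0'
+net.ipv6.conf.all.forwarding: '0'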
133 changes: 12 additions & 121 deletions src/include/security/levels.rb
Expand Up @@ -39,11 +39,14 @@
# ]
# </pre>

require "yaml"

# @return [Array] all security settings
module Yast
module SecurityLevelsInclude
def initialize_security_levels(include_target)
textdomain "security"
Yast.import "Directory"

# Level names definitions
@LevelsNames = {
Expand All @@ -65,127 +68,15 @@ def initialize_security_levels(include_target)
}

# Levels definitions
@Levels =
# end of Levels
{
"Level1" => {
"CONSOLE_SHUTDOWN" => "reboot",
"CRACKLIB_DICT_PATH" => "/usr/lib/cracklib_dict",
"DISPLAYMANAGER_REMOTE_ACCESS" => "no",
"kernel.sysrq" => "1",
"FAIL_DELAY" => "1",
"GID_MAX" => "60000",
"GID_MIN" => "1000",
"AllowShutdown" => "All",
"HIBERNATE_SYSTEM" => "active_console",
"PASSWD_ENCRYPTION" => "sha512",
"PASSWD_USE_CRACKLIB" => "yes",
"PASS_MAX_DAYS" => "99999",
"PASS_MIN_DAYS" => "0",
"PASS_MIN_LEN" => "5",
"PASS_WARN_AGE" => "7",
"PERMISSION_SECURITY" => "easy",
"RUN_UPDATEDB_AS" => "nobody",
"UID_MAX" => "60000",
"UID_MIN" => "1000",
"SYS_UID_MAX" => "499",
"SYS_UID_MIN" => "100",
"SYS_GID_MAX" => "499",
"SYS_GID_MIN" => "100",
"USERADD_CMD" => "/usr/sbin/useradd.local",
"USERDEL_PRECMD" => "/usr/sbin/userdel-pre.local",
"USERDEL_POSTCMD" => "/usr/sbin/userdel-post.local",
"PASSWD_REMEMBER_HISTORY" => "0",
"SYSTOHC" => "yes",
"SYSLOG_ON_NO_ERROR" => "yes",
"DISPLAYMANAGER_ROOT_LOGIN_REMOTE" => "no",
"DISPLAYMANAGER_XSERVER_TCP_PORT_6000_OPEN" => "no",
"SMTPD_LISTEN_REMOTE" => "no",
"DISABLE_STOP_ON_REMOVAL" => "no",
"DISABLE_RESTART_ON_UPDATE" => "no",
"net.ipv4.tcp_syncookies" => "1",
"net.ipv4.ip_forward" => "0",
"net.ipv6.conf.all.forwarding" => "0"
},
"Level2" => {
"CONSOLE_SHUTDOWN" => "ignore",
"CRACKLIB_DICT_PATH" => "/usr/lib/cracklib_dict",
"DISPLAYMANAGER_REMOTE_ACCESS" => "no",
"kernel.sysrq" => "0",
"FAIL_DELAY" => "6",
"GID_MAX" => "60000",
"GID_MIN" => "1000",
"AllowShutdown" => "Root",
"HIBERNATE_SYSTEM" => "active_console",
"PASSWD_ENCRYPTION" => "sha512",
"PASSWD_USE_CRACKLIB" => "yes",
"PASS_MAX_DAYS" => "99999",
"PASS_MIN_DAYS" => "1",
"PASS_MIN_LEN" => "5",
"PASS_WARN_AGE" => "14",
"PERMISSION_SECURITY" => "easy",
"RUN_UPDATEDB_AS" => "nobody",
"UID_MAX" => "60000",
"UID_MIN" => "1000",
"SYS_UID_MAX" => "499",
"SYS_UID_MIN" => "100",
"SYS_GID_MAX" => "499",
"SYS_GID_MIN" => "100",
"USERADD_CMD" => "/usr/sbin/useradd.local",
"USERDEL_PRECMD" => "/usr/sbin/userdel-pre.local",
"USERDEL_POSTCMD" => "/usr/sbin/userdel-post.local",
"PASSWD_REMEMBER_HISTORY" => "0",
"SYSTOHC" => "yes",
"SYSLOG_ON_NO_ERROR" => "yes",
"DISPLAYMANAGER_ROOT_LOGIN_REMOTE" => "no",
"DISPLAYMANAGER_XSERVER_TCP_PORT_6000_OPEN" => "no",
"SMTPD_LISTEN_REMOTE" => "no",
"DISABLE_STOP_ON_REMOVAL" => "no",
"DISABLE_RESTART_ON_UPDATE" => "no",
"net.ipv4.tcp_syncookies" => "1",
"net.ipv4.ip_forward" => "0",
"net.ipv6.conf.all.forwarding" => "0"
},
"Level3" => {
"CONSOLE_SHUTDOWN" => "ignore",
"CRACKLIB_DICT_PATH" => "/usr/lib/cracklib_dict",
"DISPLAYMANAGER_REMOTE_ACCESS" => "no",
"kernel.sysrq" => "0",
"FAIL_DELAY" => "3",
"GID_MAX" => "60000",
"GID_MIN" => "1000",
"AllowShutdown" => "Root",
"HIBERNATE_SYSTEM" => "active_console",
"PASSWD_ENCRYPTION" => "sha512",
"PASSWD_USE_CRACKLIB" => "yes",
"PASS_MAX_DAYS" => "99999",
"PASS_MIN_DAYS" => "1",
"PASS_MIN_LEN" => "6",
"PASS_WARN_AGE" => "14",
"PERMISSION_SECURITY" => "secure",
"RUN_UPDATEDB_AS" => "nobody",
"UID_MAX" => "60000",
"UID_MIN" => "1000",
"SYS_UID_MAX" => "499",
"SYS_UID_MIN" => "100",
"SYS_GID_MAX" => "499",
"SYS_GID_MIN" => "100",
"USERADD_CMD" => "/usr/sbin/useradd.local",
"USERDEL_PRECMD" => "/usr/sbin/userdel-pre.local",
"USERDEL_POSTCMD" => "/usr/sbin/userdel-post.local",
"PASSWD_REMEMBER_HISTORY" => "0",
"SYSTOHC" => "yes",
"SYSLOG_ON_NO_ERROR" => "yes",
"DISPLAYMANAGER_ROOT_LOGIN_REMOTE" => "no",
"DISPLAYMANAGER_XSERVER_TCP_PORT_6000_OPEN" => "no",
"SMTPD_LISTEN_REMOTE" => "no",
"DISABLE_STOP_ON_REMOVAL" => "no",
"DISABLE_RESTART_ON_UPDATE" => "no",
"net.ipv4.tcp_syncookies" => "1",
"net.ipv4.ip_forward" => "0",
"net.ipv6.conf.all.forwarding" => "0"
}
}
@Levels = {}
@LevelsNames.keys.each do |level|
lfile = Directory.find_data_file("security/#{level.downcase}.yml")
if lfile
@Levels[level] = YAML.load_file(lfile) rescue {}
else
@Levels[level] = {}
end
end

# EOF
end
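Review bot: The `rescue` modifier on `@Levels[level] = YAML.load_file(lfile) rescue {}` swallows every StandardError, so a syntax error in one of the new data files silently turns that security level into an empty hash with nothing logged; for data that drives password policy and sysctl hardening this failure should be loud rather than silent. I would log the exception before falling back to `{}`, using whichever logger this include already has in scope (the excerpt below assumes `Builtins.y2error`), and also cope with an empty file, for which `YAML.load_file` returns `false` rather than a Hash. Since the files are located via `Directory.find_data_file` they presumably ship with the package, which is why `YAML.load_file` is acceptable here, but a comment recording that assumption would help the next reader judge whether `safe_load` becomes necessary if the lookup path ever includes user-writable locations. `initialize_security_levels` starts in the first hunk and its closing `end` is the last line of this one; only the `@LevelsNames.keys.each` loop is reworked below.
```ruby
@Levels = {}
@LevelsNames.keys.each do |level|
  lfile = Directory.find_data_file("security/#{level.downcase}.yml")
  # Data files ship with the package and are not user-controlled input,
  # so YAML.load_file is acceptable; revisit if the lookup path changes.
  settings = {}
  if lfile
    begin
      # An empty file yields false, not a Hash
      settings = YAML.load_file(lfile) || {}
    rescue StandardError => e
      Builtins.y2error("Cannot load security level %1 from %2: %3", level, lfile, e.message)
    end
  else
    Builtins.y2error("No data file found for security level %1", level)
  end
  @Levels[level] = settings
end
```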
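--- a/test/levels_test.rb
+++ b/test/levels_test.rb
@@ -0,0 +1,26 @@
+#!/usr/bin/env rspec
+
+require_relative 'test_helper'
+
+module Yast
+class LevelsTester
+include Yast::I18n
+
+attr_reader :Levels
+
+def initialize
+Yast.include self, "security/levels.rb"
+end
+end
+
+describe "Levels" do
+let(:tester) { LevelsTester.new }
+subject(:settings) { tester.Levels }
+
+it "reads the settings from the yaml files" do
+expect(settings["Level1"]["FAIL_DELAY"]).to eq "1"
+expect(settings["Level2"]["FAIL_DELAY"]).to eq "6"
+expect(settings["Level3"]["FAIL_DELAY"]).to eq "3"
+end
+end
+end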
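Review bot: The spec pins only `FAIL_DELAY` for each level, so a missing or misspelled key in one of the three new YAML files, or a value that loses its string type through a dropped quote, would pass unnoticed; now that the data lives in loosely typed files instead of Ruby literals these are the regressions most worth guarding against. I would add `expect(settings["Level2"].keys).to match_array settings["Level1"].keys` (and the same for Level3) plus a type check such as `expect(settings["Level1"]["DISPLAYMANAGER_REMOTE_ACCESS"]).to eq "no"`. The fallback paths in levels.rb (no data file found, unparsable file) are also uncovered; an example stubbing `Directory.find_data_file` to return nil and expecting `{}` for that level would cover the first.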
