Remove references to runlevels. Use current systemd target.
ancorgs committed Aug 19, 2015
1 parent b9c832c commit f1dd851
Showing 4 changed files with 44 additions and 133 deletions.
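--- a/src/include/security/dialogs.rb
+++ b/src/include/security/dialogs.rb
@@ -53,10 +53,8 @@ def initialize_security_dialogs(include_target)
 
 @configurable_options = [
 "PERMISSION_SECURITY",
-"RUNLEVEL3_MANDATORY_SERVICES",
-"RUNLEVEL5_MANDATORY_SERVICES",
-"RUNLEVEL3_EXTRA_SERVICES",
-"RUNLEVEL5_EXTRA_SERVICES",
+"MANDATORY_SERVICES",
+"EXTRA_SERVICES",
 "kernel.sysrq"
 ]
 
@@ -102,17 +100,11 @@ def initialize_security_dialogs(include_target)
 ),
 "net.ipv4.ip_forward" => _("IPv4 forwarding"),
 "net.ipv6.conf.all.forwarding" => _("IPv6 forwarding"),
-"RUNLEVEL3_MANDATORY_SERVICES" => _(
-"Enable basic system services in runlevel 3\n (multiuser with network)"
+"MANDATORY_SERVICES" => _(
+"Enable basic system services"
 ),
-"RUNLEVEL5_MANDATORY_SERVICES" => _(
-"Enable basic system services in runlevel 5\n (multiuser with network and graphical login)"
-),
-"RUNLEVEL3_EXTRA_SERVICES" => _(
-"Enable extra services in runlevel 3"
-),
-"RUNLEVEL5_EXTRA_SERVICES" => _(
-"Enable extra services in runlevel 5"
+"EXTRA_SERVICES" => _(
+"Enable extra services"
 )
 }
 
@@ -135,17 +127,13 @@ def initialize_security_dialogs(include_target)
 # mapping for "Configure" links
 # config name -> yast client
 @link_client_mapping = {
-"RUNLEVEL3_MANDATORY_SERVICES" => "runlevel",
-"RUNLEVEL5_MANDATORY_SERVICES" => "runlevel",
-"RUNLEVEL3_EXTRA_SERVICES" => "runlevel",
-"RUNLEVEL5_EXTRA_SERVICES" => "runlevel"
+"MANDATORY_SERVICES" => "services-manager",
+"EXTRA_SERVICES" => "services-manager"
 }
 
 @link_update_mapping = {
-"RUNLEVEL3_MANDATORY_SERVICES" => lambda { Security.ReadServiceSettings },
-"RUNLEVEL5_MANDATORY_SERVICES" => lambda { Security.ReadServiceSettings },
-"RUNLEVEL3_EXTRA_SERVICES" => lambda { Security.ReadServiceSettings },
-"RUNLEVEL5_EXTRA_SERVICES" => lambda { Security.ReadServiceSettings }
+"MANDATORY_SERVICES" => lambda { Security.ReadServiceSettings },
+"EXTRA_SERVICES" => lambda { Security.ReadServiceSettings }
 }
 end
 
@@ -285,36 +273,12 @@ def OverviewText(type)
 ) == "0"
 },
 {
-"id" => "RUNLEVEL3_MANDATORY_SERVICES",
-"is_secure" => Ops.get(
-Security.Settings,
-"RUNLEVEL3_MANDATORY_SERVICES",
-""
-) == "secure"
-},
-{
-"id" => "RUNLEVEL5_MANDATORY_SERVICES",
-"is_secure" => Ops.get(
-Security.Settings,
-"RUNLEVEL5_MANDATORY_SERVICES",
-""
-) == "secure"
-},
-{
-"id" => "RUNLEVEL3_EXTRA_SERVICES",
-"is_secure" => Ops.get(
-Security.Settings,
-"RUNLEVEL3_EXTRA_SERVICES",
-""
-) == "secure"
+"id" => "MANDATORY_SERVICES",
+"is_secure" => Security.Settings["MANDATORY_SERVICES"] == "secure"
 },
 {
-"id" => "RUNLEVEL5_EXTRA_SERVICES",
-"is_secure" => Ops.get(
-Security.Settings,
-"RUNLEVEL5_EXTRA_SERVICES",
-""
-) == "secure"
+"id" => "EXTRA_SERVICES",
+"is_secure" => Security.Settings["EXTRA_SERVICES"] == "secure"
 }
 ]
 
@@ -384,11 +348,7 @@ def DisplayHelpPopup(help_id)
 end
 
 # add extra help to service related options
-if help_id == "RUNLEVEL3_MANDATORY_SERVICES" ||
-help_id == "RUNLEVEL5_MANDATORY_SERVICES"
-# TODO: runlevel is not longer needed, but we are in 'text freeze phase'
-runlevel = help_id == "RUNLEVEL3_MANDATORY_SERVICES" ? 3 : 5
-
+if help_id == "MANDATORY_SERVICES"
 missing = Security.MissingMandatoryServices
 
 if missing != nil && missing != []
@@ -403,48 +363,21 @@ def DisplayHelpPopup(help_id)
 
 
 # richtext message: %1 = runlevel ("3" or "5"), %2 = list of services
-help = Ops.add(
-help,
-Builtins.sformat(
-_(
-"<P>These basic system services are not enabled in runlevel %1:<BR><B>%2</B></P>"
-),
-runlevel,
-srvs
-)
-)
+help +=
+_("<P>These basic system services are not enabled:<BR><B>%s</B></P>") % srvs
 else
-help = Ops.add(help, _("<P>All basic services are enabled.</P>"))
+help += _("<P>All basic services are enabled.</P>")
 end
-elsif help_id == "RUNLEVEL3_EXTRA_SERVICES" ||
-help_id == "RUNLEVEL5_EXTRA_SERVICES"
-# TODO: runlevel is not longer needed (read above)
-runlevel = help_id == "RUNLEVEL3_EXTRA_SERVICES" ? 3 : 5
+elsif help_id == "EXTRA_SERVICES"
 extra = Security.ExtraServices
 
 if extra != nil && extra != []
 srvs = Builtins.mergestring(extra, "<BR>")
-help = Ops.add(
-help,
-Builtins.sformat(
-_(
-"<P>These extra services are enabled in runlevel %1:<BR><B>%2</B></P>"
-),
-runlevel,
-srvs
-)
-)
-help = Ops.add(
-help,
-_(
-"<P>Check the list of services and disable all unused services.</P>"
-)
-)
+help +=
+_("<P>These extra services are enabled:<BR><B>%s</B></P>") % srvs
+help += _("<P>Check the list of services and disable all unused services.</P>")
 else
-help = Ops.add(
-help,
-_("<P>Only basic system services are enabled.</P>")
-)
+help += _("<P>Only basic system services are enabled.</P>")
 end
 end
 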
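Review bot: The translator comment kept as context in the last hunk of DisplayHelpPopup, `# richtext message: %1 = runlevel ("3" or "5"), %2 = list of services`, no longer matches the string below it, which now takes a single `%s` holding the service list. It should become something like `# richtext message: %s = list of services`, so translators do not carry a runlevel placeholder into the new msgid. The same hunk switches from `Builtins.sformat` to `String#%`: in the mandatory branch `srvs` is assigned outside the visible lines, so it is worth confirming it is always a String, because `%` treats an Array as an argument list and raises on a malformed translated format string. DisplayHelpPopup starts and ends outside the hunks.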
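--- a/src/include/security/helps.rb
+++ b/src/include/security/helps.rb
@@ -346,16 +346,10 @@ def initialize_security_helps(include_target)
 "PERMISSION_SECURITY" => _(
 "<P>There are predefined file permissions in /etc/permissions.* files. The most restrictive file permissions are defined 'secure' or 'paranoid' file.</P>"
 ),
-"RUNLEVEL3_MANDATORY_SERVICES" => _(
+"MANDATORY_SERVICES" => _(
 "<P>Basic system services must be enabled to provide system consistency and to run the security-related services.</P>"
 ),
-"RUNLEVEL5_MANDATORY_SERVICES" => _(
-"<P>Basic system services must be enabled to provide system consistency and to run the security-related services.</P>"
-),
-"RUNLEVEL3_EXTRA_SERVICES" => _(
-"<P>Every running service is a potential target of a security attack. Therefore it is recommended to turn off all services which are not used by the system.</P>"
-),
-"RUNLEVEL5_EXTRA_SERVICES" => _(
+"EXTRA_SERVICES" => _(
 "<P>Every running service is a potential target of a security attack. Therefore it is recommended to turn off all services which are not used by the system.</P>"
 )
 }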
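--- a/src/modules/Security.rb
+++ b/src/modules/Security.rb
@@ -145,22 +145,18 @@ def main
 "DISPLAYMANAGER_ROOT_LOGIN_REMOTE" => "no",
 "DISPLAYMANAGER_XSERVER_TCP_PORT_6000_OPEN" => "no",
 "SMTPD_LISTEN_REMOTE" => "no",
-"RUNLEVEL3_MANDATORY_SERVICES" => "yes",
-"RUNLEVEL5_MANDATORY_SERVICES" => "yes",
-"RUNLEVEL3_EXTRA_SERVICES" => "no",
-"RUNLEVEL5_EXTRA_SERVICES" => "no"
+"MANDATORY_SERVICES" => "yes",
+"EXTRA_SERVICES" => "no"
 }
 
 # the original settings
 @Settings_bak = deep_copy(@Settings)
 
 # keys that should not be tested against predefined levels:
-# - RUNLEVEL*_SERVICES have different syntax, are not saved in current form
+# - *_SERVICES have different syntax, are not saved in current form
 @do_not_test = [
-"RUNLEVEL3_MANDATORY_SERVICES",
-"RUNLEVEL5_MANDATORY_SERVICES",
-"RUNLEVEL3_EXTRA_SERVICES",
-"RUNLEVEL5_EXTRA_SERVICES"
+"MANDATORY_SERVICES",
+"EXTRA_SERVICES"
 ]
 
 # Security settings locations
@@ -238,10 +234,8 @@ def main
 # Remaining settings:
 # - CONSOLE_SHUTDOWN (/etc/inittab)
 # - PASSWD_ENCRYPTION (/etc/pam?)
-# - RUNLEVEL3_MANDATORY_SERVICES
-# - RUNLEVEL5_MANDATORY_SERVICES
-# - RUNLEVEL3_EXTRA_SERVICES
-# - RUNLEVEL5_EXTRA_SERVICES
+# - MANDATORY_SERVICES
+# - EXTRA_SERVICES
 
 # Number of sigificant characters in the password
 @PasswordMaxLengths = {
@@ -356,11 +350,9 @@ def Modified
 def ReadServiceSettings
 services = SystemdService.all.select(&:enabled?).map(&:name)
 setting = MissingMandatoryServices(services) == [] ? "secure" : "insecure"
-# Runlevels are not longer used, but @Settings is populated this way for
-# compatibility with the current interface
-@Settings["RUNLEVEL3_MANDATORY_SERVICES"] = @Settings["RUNLEVEL5_MANDATORY_SERVICES"] = setting
+@Settings["MANDATORY_SERVICES"] = setting
 setting = ExtraServices(services) == [] ? "secure" : "insecure"
-@Settings["RUNLEVEL3_EXTRA_SERVICES"] = @Settings["RUNLEVEL5_EXTRA_SERVICES"] = setting
+@Settings["EXTRA_SERVICES"] = setting
 
 nil
 end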
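Review bot: The defaults added in `main`, `"MANDATORY_SERVICES" => "yes"` and `"EXTRA_SERVICES" => "no"`, use a different value set from the one `ReadServiceSettings` writes (`"secure"`/`"insecure"`), while the overview in dialogs.rb only tests `== "secure"`. Until `ReadServiceSettings` has run, both entries would therefore show as not secure whatever services are actually enabled. The old RUNLEVEL* defaults behaved the same way, so this is inherited rather than introduced, but it deserves a comment above the two defaults such as `# placeholders; ReadServiceSettings replaces them with "secure"/"insecure"`. Separately, if exported or imported profiles can still carry the RUNLEVEL*_SERVICES keys, they would no longer match anything here; the import path is outside these hunks, so that needs confirming. `main` starts and ends outside the hunks.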
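--- a/test/security_test.rb
+++ b/test/security_test.rb
@@ -40,44 +40,36 @@ def enabled?; true; end
 context "only with mandatory services" do
 let(:service_names) { %w(ntp syslog auditd random kbd cron postfix sendmail) }
 
-it "sets settings for all runlevels to 'secure'" do
-expect(Security.Settings["RUNLEVEL3_MANDATORY_SERVICES"]).to eq("secure")
-expect(Security.Settings["RUNLEVEL5_MANDATORY_SERVICES"]).to eq("secure")
-expect(Security.Settings["RUNLEVEL3_EXTRA_SERVICES"]).to eq("secure")
-expect(Security.Settings["RUNLEVEL5_EXTRA_SERVICES"]).to eq("secure")
+it "sets settings for services as 'secure'" do
+expect(Security.Settings["MANDATORY_SERVICES"]).to eq("secure")
+expect(Security.Settings["EXTRA_SERVICES"]).to eq("secure")
 end
 end
 
 context "with mandatory and extra services" do
 let(:service_names) { %w(ntp syslog auditd random kbd extra1 cron postfix sendmail) }
 
 it "sets settings for extra services as 'insecure'" do
-expect(Security.Settings["RUNLEVEL3_MANDATORY_SERVICES"]).to eq("secure")
-expect(Security.Settings["RUNLEVEL5_MANDATORY_SERVICES"]).to eq("secure")
-expect(Security.Settings["RUNLEVEL3_EXTRA_SERVICES"]).to eq("insecure")
-expect(Security.Settings["RUNLEVEL5_EXTRA_SERVICES"]).to eq("insecure")
+expect(Security.Settings["MANDATORY_SERVICES"]).to eq("secure")
+expect(Security.Settings["EXTRA_SERVICES"]).to eq("insecure")
 end
 end
 
 context "without all mandatory services and extra ones" do
 let(:service_names) { %w(ntp syslog auditd extra1 cron postfix sendmail) }
 
-it "sets settings for all runlevels to 'insecure'" do
-expect(Security.Settings["RUNLEVEL3_MANDATORY_SERVICES"]).to eq("insecure")
-expect(Security.Settings["RUNLEVEL5_MANDATORY_SERVICES"]).to eq("insecure")
-expect(Security.Settings["RUNLEVEL3_EXTRA_SERVICES"]).to eq("insecure")
-expect(Security.Settings["RUNLEVEL5_EXTRA_SERVICES"]).to eq("insecure")
+it "sets settings for services as 'insecure'" do
+expect(Security.Settings["MANDATORY_SERVICES"]).to eq("insecure")
+expect(Security.Settings["EXTRA_SERVICES"]).to eq("insecure")
 end
 end
 
 context "with no services" do
 let(:service_names) { [] }
 
 it "sets settings for mandatory to 'insecure'" do
-expect(Security.Settings["RUNLEVEL3_MANDATORY_SERVICES"]).to eq("insecure")
-expect(Security.Settings["RUNLEVEL5_MANDATORY_SERVICES"]).to eq("insecure")
-expect(Security.Settings["RUNLEVEL3_EXTRA_SERVICES"]).to eq("secure")
-expect(Security.Settings["RUNLEVEL5_EXTRA_SERVICES"]).to eq("secure")
+expect(Security.Settings["MANDATORY_SERVICES"]).to eq("insecure")
+expect(Security.Settings["EXTRA_SERVICES"]).to eq("secure")
 end
 end
 end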
