<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 8. Configuring Security Settings with YaST</title><link rel="stylesheet" href="susebooks.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.75.2"><link rel="home" href="index.html" title="Documentation"><link rel="up" href="part.local_security.html" title="Part II. Local Security"><link rel="prev" href="part.local_security.html" title="Part II. Local Security"><link rel="next" href="cha.security.policykit.html" title="Chapter 9. PolicyKit"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="chapter" title="Chapter 8. Configuring Security Settings with YaST"><div class="titlepage"><div><div><h2 class="title"><a name="cha.security.yast_security"></a>Chapter 8. Configuring Security Settings with YaST<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#cha.security.yast_security">¶</a></span></h2></div></div></div><div class="toc"><p><b>Contents</b></p><dl><dt><span class="sect1"><a href="cha.security.yast_security.html#sec.security.yast_security.overview">8.1. 
<span class="guimenu">Security Overview</span></a></span></dt><dt><span class="sect1"><a href="cha.security.yast_security.html#sec.security.yast_security.predefined_configs">8.2. <span class="guimenu">Predefined Security Configurations</span></a></span></dt><dt><span class="sect1"><a href="cha.security.yast_security.html#sec.security.yast_security.password">8.3. <span class="guimenu">Password Settings</span></a></span></dt><dt><span class="sect1"><a href="cha.security.yast_security.html#sec.security.yast_security.boot">8.4. Boot Settings</a></span></dt><dt><span class="sect1"><a href="cha.security.yast_security.html#sec.security.yast_security.login">8.5. Login Settings</a></span></dt><dt><span class="sect1"><a href="cha.security.yast_security.html#sec.security.yast_security.user">8.6. User Addition</a></span></dt><dt><span class="sect1"><a href="cha.security.yast_security.html#sec.security.yast_security.misc">8.7. Miscellaneous Settings</a></span></dt></dl></div><div class="abstract" title="Abstract"><p class="title"><b>Abstract</b></p><p>
   The YaST module <span class="guimenu">Local Security</span> offers a central
   clearinghouse to configure security-related settings for openSUSE.
   Use it to configure security aspects such as settings for the login
   procedure and for password creation, for boot permissions, user creation
   or for default file permissions. Launch it from the YaST Control Center
   by selecting <span class="guimenu">Security and Users</span> &gt; <span class="guimenu">Local
   Security</span>. The <span class="guimenu">Local Security</span>
   dialog always starts with the <span class="guimenu">Security Overview</span>, and
   other configuration dialogs are available from the right pane.
  </p></div><div class="sect1" title="8.1. Security Overview"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sec.security.yast_security.overview"></a>8.1. <span class="guimenu">Security Overview</span><span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.security.yast_security.overview">¶</a></span></h2></div></div></div><p>
   The <span class="guimenu">Security Overview</span> displays a comprehensive list of
   the most important security settings for your system. The security status
   of each entry in the list is clearly visible. A green check mark
   indicates a secure setting while a red cross indicates an entry as being
   insecure. Clicking on <span class="guimenu">Help</span> presents an overview of the
   setting and information on how to make it secure. To change a setting,
   click on the corresponding link in the Status column. Depending on the
   setting, the following entries are available:
  </p><div class="variablelist"><dl><dt><span class="term"><span class="guimenu">Enable</span>/<span class="guimenu">Disable</span>
    </span></dt><dd><p>
      Clicking on this entry will toggle the status of the setting to either
      enabled or disabled.
     </p></dd><dt><span class="term"><span class="guimenu">Configure</span>
    </span></dt><dd><p>
      Clicking on this entry will launch another YaST module for
      configuration. You will return to the Security Overview when leaving
      the module.
     </p></dd><dt><span class="term"><span class="guimenu">Unknown</span>
    </span></dt><dd><p>
      A setting's status is set to unknown when the associated service is
      not installed. Such a setting does not represent a potential security
      risk.
     </p></dd></dl></div><div class="figure"><a name="fig.yast_security.overview"></a><p class="title"><b>Figure 8.1. YaST Local Security - Security Overview</b><span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#fig.yast_security.overview">¶</a></span></p><div class="figure-contents"><div class="mediaobject"><img src="images/yast2_security_overview_gtk.png" alt="YaST Local Security - Security Overview"></div></div></div><br class="figure-break"></div><div class="sect1" title="8.2. Predefined Security Configurations"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sec.security.yast_security.predefined_configs"></a>8.2. <span class="guimenu">Predefined Security Configurations</span><span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.security.yast_security.predefined_configs">¶</a></span></h2></div></div></div><p>
   openSUSE comes with three predefined sets of security
   configurations. These configurations affect all the settings available in
   the <span class="guimenu">Local Security</span> module. Each configuration can be
   modified to your needs using the dialogs available from the right pane.
   Choose between the following sets:
  </p><div class="variablelist"><dl><dt><span class="term"><span class="guimenu">Home Workstation</span>
    </span></dt><dd><p>
      This setting is designed for a computer that has no network connection
      at all (including a connection to the Internet). It provides the least
      secure configuration of the predefined settings.
     </p></dd><dt><span class="term"><span class="guimenu">Networked Workstation</span>
    </span></dt><dd><p>
      A configuration for a workstation with any kind of network connection
      (including a connection to the Internet).
     </p></dd><dt><span class="term"><span class="guimenu">Network Server</span>
    </span></dt><dd><p>
      Security settings designed for a machine providing network services
      such as a web server, file server, name server, etc. This set provides
      the most secure configuration of the predefined settings.
     </p></dd><dt><span class="term"><span class="guimenu">Custom Settings</span>
    </span></dt><dd><p>
      A pre-selected <span class="guimenu">Custom Settings</span> (when opening the
      <span class="guimenu">Predefined Security Configurations</span> dialog)
      indicates that one of the predefined sets has been modified. Actively
      choosing this option does not change the current configuration - you
      will have to change it using the <span class="guimenu">Security Overview</span>.
     </p></dd></dl></div></div><div class="sect1" title="8.3. Password Settings"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sec.security.yast_security.password"></a>8.3. <span class="guimenu">Password Settings</span><span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.security.yast_security.password">¶</a></span></h2></div></div></div><p>
   Passwords that are easy to guess are a major security issue. The
   <span class="guimenu">Password Settings</span> dialog provides the means to ensure
   that only secure passwords can be used.
  </p><div class="variablelist"><dl><dt><span class="term"><span class="guimenu">Check New Passwords</span>
    </span></dt><dd><p>
      By activating this option, a warning will be issued if new passwords
      appear in a dictionary, or if they are proper names (proper nouns). In
      order to also check for a minimum length, enter the desired length
      into the field <span class="guimenu">Minimum Acceptable Password Length</span>
      after having activated <span class="guimenu">Check New Passwords</span>.
     </p></dd><dt><span class="term">Number of Passwords to Remember</span></dt><dd><p>
      When password expiration is activated (via Password Age), this setting
      stores the given number of a user's previous passwords, preventing
      their reuse.
     </p></dd><dt><span class="term">Password Encryption Method</span></dt><dd><p>
      Choose a password encryption algorithm. Normally there is no need to
      change the default (Blowfish).
     </p></dd><dt><span class="term">Password Age</span></dt><dd><p>
      Activate password expiration by specifying a minimum and a maximum
      time limit (in days). By setting the minimum age to a value greater
      than <code class="literal">0</code> days, you can prevent users from immediately
      changing their passwords again (and in doing so circumventing the
      password expiration). Use the values <code class="literal">0</code> and
      <code class="literal">99999</code> to deactivate password expiration.
     </p></dd><dt><span class="term">Days Before Password Expires Warning</span></dt><dd><p>
      The user receives a warning before a password expires.
      Specify the number of days prior to the expiration date that the
      warning should be issued.
     </p></dd></dl></div></div><div class="sect1" title="8.4. Boot Settings"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sec.security.yast_security.boot"></a>8.4. Boot Settings<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.security.yast_security.boot">¶</a></span></h2></div></div></div><p>
   In this dialog, configure which users will be able to shut down the
   machine via the graphical login manager. You can also specify how
   <span class="keycap">Ctrl</span>+<span class="keycap">Alt</span>+<span class="keycap">Del</span> will be interpreted.
  </p></div><div class="sect1" title="8.5. Login Settings"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sec.security.yast_security.login"></a>8.5. Login Settings<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.security.yast_security.login">¶</a></span></h2></div></div></div><p>
   This dialog lets you configure security-related login settings:
  </p><div class="variablelist"><dl><dt><span class="term">Delay after Incorrect Login Attempt</span></dt><dd><p>
      In order to make it difficult to guess a user's password by repeatedly
      logging in, it is recommended to delay the display of the login prompt
      that follows an incorrect login. Specify the value in seconds. Make
      sure that users who have mistyped their passwords do not need to wait
      too long.
     </p></dd><dt><span class="term">Record Successful Login Attempts</span></dt><dd><p>
      With this option turned on, the last successful login attempt is
      recorded in <code class="filename">/var/log/lastlog</code> and displayed when
      logging in. This data is also used by the command
      <span class="command"><strong>finger</strong></span>.
     </p><div class="note"><table border="0" cellpadding="3" cellspacing="0" width="100%" summary="Note"><tr class="head"><td width="32"><img alt="[Note]" src="admon/note.png"></td><th align="left"></th></tr><tr><td colspan="2" align="left" valign="top"><p>
       Note that logging to <code class="filename">/var/log/wtmp</code> is not
       affected by this option. This file collects login dates, login times
       and reboot dates. The content of <code class="filename">/var/log/wtmp</code>
       can be displayed by using the command <span class="command"><strong>last</strong></span>.
      </p></td></tr></table></div></dd><dt><span class="term">Allow Remote Graphical Login</span></dt><dd><p>
      When checked, the graphical login manager (e.g. gdm or kdm) can be
      accessed from the network. This is a potential security risk.
     </p></dd></dl></div></div><div class="sect1" title="8.6. User Addition"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sec.security.yast_security.user"></a>8.6. User Addition<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.security.yast_security.user">¶</a></span></h2></div></div></div><p>
   Set minimum and maximum values for user and group IDs. These default
   settings would rarely need to be changed.
  </p></div><div class="sect1" title="8.7. Miscellaneous Settings"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sec.security.yast_security.misc"></a>8.7. Miscellaneous Settings<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.security.yast_security.misc">¶</a></span></h2></div></div></div><p>
   Other security settings that don't fit the above-mentioned categories are
   listed here:
  </p><div class="variablelist"><dl><dt><span class="term">File Permissions</span></dt><dd><p>
      openSUSE comes with three predefined sets of file permissions for
      system files. These permission sets define whether a regular user may
      read log files or start certain programs. <span class="guimenu">Easy</span> file
      permissions are suitable for standalone machines. This setting allows
      regular users, for example, to read most system files. See the file
      <code class="filename">/etc/permissions.easy</code> for the complete
      configuration. The <span class="guimenu">Secure</span> file permissions are
      designed for multi-user machines with network access. A thorough
      explanation of these settings can be found in
      <code class="filename">/etc/permissions.secure</code>. The
      <span class="guimenu">Paranoid</span> settings are the most restrictive ones and
      should be used with care. See
      <code class="filename">/etc/permissions.paranoid</code> for more information.
     </p></dd><dt><span class="term">User Launching updatedb</span></dt><dd><p>
      The program <span class="command"><strong>updatedb</strong></span> scans the system and creates a
      database of all file locations which can be queried with the command
      <span class="command"><strong>locate</strong></span>. When <span class="command"><strong>updatedb</strong></span> is run as
      user nobody, only world-readable files will be added to the database.
      When run as user <code class="systemitem">root</code>, almost all files (except the ones root is
      not allowed to read) will be added.


     </p></dd><dt><span class="term"><span class="guimenu">Current Directory in root's Path</span> /
     <span class="guimenu">Current Directory in Path of Regular Users</span>
    </span></dt><dd><p>
      Whenever a program is called without specifying the full path to the
      executable, the system looks in the user's search path (defined by the
      variable <code class="envar">$PATH</code>) for the executable. By default the
      current directory is not added to the search path. This default
      ensures that, for example, <code class="filename">/bin/ls</code> and not the
      trojan horse <code class="filename">/<em class="replaceable"><code>current
      directory</code></em>/ls</code> is executed when entering
      <span class="command"><strong>ls</strong></span>. In order to start a program in the current
      directory the command must be prefixed with <code class="filename">./</code>.
      When activating these options, the current directory
      (<code class="filename">.</code>) is appended to the search path. It is
      recommended that you do not change the default.
     </p></dd><dt><span class="term"><span class="guimenu">Enable Magic SysRq Keys</span>
    </span></dt><dd><p>
      The magic SysRq key is a key combination that enables you to have some
      control over the system even when it has crashed. The complete
      documentation can be found at
      <code class="filename">/usr/src/linux/Documentation/sysrq.txt</code> (requires
      installation of the <code class="systemitem">kernel-source</code> package).
     </p></dd></dl></div></div></div></body></html>
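The "Current Directory in Path" options in section 8.7 can be checked from a shell. The following is an added example, not part of the openSUSE manual or of YaST: a hypothetical function audit_path that reports every search path entry causing the current directory to be searched. It goes beyond the literal "." named in the text and also flags empty entries (a leading, trailing or doubled colon) and relative entries, which the shell resolves against the current directory in the same way. The sample path values are constructed.

```shell
#!/bin/sh
# Added example (hypothetical helper, not YaST code): find PATH entries that
# make the shell look for executables in the current directory.

# audit_path PATHSTRING
# Prints one line per risky entry as "<position>:<kind>:<entry>".
# kind is "dot" (literal .), "empty" (treated as the current directory)
# or "relative" (resolved against the current directory).
# Returns 1 if at least one risky entry was found, 0 otherwise.
audit_path() {
    path_value=$1
    position=0
    found=0
    # A sentinel colon keeps a trailing empty entry from being lost.
    rest="${path_value}:"
    while [ -n "$rest" ]; do
        entry=${rest%%:*}      # text before the first colon
        rest=${rest#*:}        # text after the first colon
        position=$((position + 1))
        case $entry in
            "")  kind=empty ;;
            .)   kind=dot ;;
            /*)  continue ;;   # absolute directory, nothing to report
            *)   kind=relative ;;
        esac
        printf '%s:%s:%s\n' "$position" "$kind" "$entry"
        found=1
    done
    return "$found"
}

# Constructed sample values, not taken from a real system.
for sample in \
    "/usr/local/bin:/usr/bin:/bin" \
    "/usr/bin:/bin:." \
    ":/usr/bin" \
    "bin:/usr/bin::/bin"
do
    printf 'PATH=%s\n' "$sample"
    audit_path "$sample" || printf '  -> the current directory is searched\n'
done
```

To check a live session, call audit_path "$PATH" as the regular user and again in a root shell, since the two options are set separately.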
