Chapter 8. Configuring Security Settings with YaST

Contents

8.1. Security Overview
8.2. Predefined Security Configurations
8.3. Password Settings
8.4. Boot Settings
8.5. Login Settings
8.6. User Addition
8.7. Miscellaneous Settings

The YaST module Local Security offers a central clearinghouse to configure security-related settings for openSUSE. Use it to configure security aspects such as settings for the login procedure and for password creation, boot permissions, user creation, or default file permissions. Launch it from the YaST Control Center by selecting Security and Users > Local Security. The Local Security dialog always starts with the Security Overview, and other configuration dialogs are available from the right pane.

8.1. Security Overview

The Security Overview displays a comprehensive list of the most important security settings for your system. The security status of each entry in the list is clearly visible. A green check mark indicates a secure setting while a red cross indicates an entry as being insecure. Clicking on Help presents an overview of the setting and information on how to make it secure. To change a setting, click on the corresponding link in the Status column. Depending on the setting, the following entries are available:

Enable/Disable

Clicking on this entry will toggle the status of the setting to either enabled or disabled.

Configure

Clicking on this entry will launch another YaST module for configuration. You will return to the Security Overview when leaving the module.

Unknown

A setting's status is set to unknown when the associated service is not installed. Such a setting does not represent a potential security risk.

Figure 8.1. YaST Local Security - Security Overview


8.2. Predefined Security Configurations

openSUSE comes with three predefined sets of security configurations. These configurations affect all the settings available in the Local Security module. Each configuration can be modified to your needs using the dialogs available from the right pane. Choose between the following sets:

Home Workstation

This setting is designed for a computer that has no network connection at all (including a connection to the Internet). It provides the least secure configuration of the predefined settings.

Networked Workstation

A configuration for a workstation with any kind of network connection (including a connection to the Internet).

Network Server

Security settings designed for a machine providing network services such as a web server, file server, name server, etc. This set provides the most secure configuration of the predefined settings.

Custom Settings

If Custom Settings is pre-selected when you open the Predefined Security Configurations dialog, one of the predefined sets has been modified. Actively choosing this option does not change the current configuration; you will have to change it using the Security Overview.

8.3. Password Settings

Passwords that are easy to guess are a major security issue. The Password Settings dialog provides the means to ensure that only secure passwords can be used.

Check New Passwords

When this option is activated, a warning is issued if new passwords appear in a dictionary or if they are proper names (proper nouns). To also check for a minimum length, enter the desired length into the field Minimum Acceptable Password Length after having activated Check New Passwords.

Number of Passwords to Remember

When password expiration is activated (via Password Age), this setting stores the given number of a user's previous passwords, preventing their reuse.

Password Encryption Method

Choose a password encryption algorithm. Normally there is no need to change the default (Blowfish).

Password Age

Activate password expiration by specifying a minimum and a maximum time limit (in days). By setting the minimum age to a value greater than 0 days, you can prevent users from immediately changing their passwords again (and in doing so circumventing the password expiration). Use the values 0 and 99999 to deactivate password expiration.

Days Before Password Expires Warning

Before a password expires, the user receives a warning in advance. Specify the number of days prior to the expiration date that the warning should be issued.
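The Password Age and warning values can be audited outside the dialog. The following is an added example, not part of the original guide; it assumes the values are stored under the shadow-suite keys PASS_MAX_DAYS, PASS_MIN_DAYS and PASS_WARN_AGE in a login.defs-style file, and the function names and finding labels are made up for illustration.

```shell
#!/bin/sh
# Added example: audit password-aging values in a login.defs-style file.
# Assumption: the dialog fields map to the shadow-suite keys
# PASS_MAX_DAYS, PASS_MIN_DAYS and PASS_WARN_AGE.

# Print the last uncommented value of KEY ($2) in FILE ($1).
login_defs_get() {
    awk -v key="$2" '$1 == key { val = $2 } END { print val }' "$1"
}

# Print space-separated findings for FILE ($1), or "OK" if none apply.
audit_password_age() {
    max=$(login_defs_get "$1" PASS_MAX_DAYS)
    min=$(login_defs_get "$1" PASS_MIN_DAYS)
    warn=$(login_defs_get "$1" PASS_WARN_AGE)
    max=${max:--1}; min=${min:--1}; warn=${warn:--1}   # unset = no limit
    findings=""
    # A maximum of 99999 (or none at all) deactivates expiration.
    if [ "$max" -lt 0 ] || [ "$max" -ge 99999 ]; then
        findings="$findings EXPIRY_DISABLED"
    else
        # These two checks only matter when passwords actually expire.
        if [ "$min" -gt "$max" ]; then findings="$findings MIN_EXCEEDS_MAX"; fi
        if [ "$warn" -le 0 ]; then findings="$findings NO_EXPIRY_WARNING"; fi
    fi
    # A minimum of 0 lets users change the password again immediately.
    if [ "$min" -le 0 ]; then findings="$findings MIN_AGE_ZERO"; fi
    findings=${findings# }
    echo "${findings:-OK}"
}

# Constructed sample input, not taken from a real system.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#PASS_MAX_DAYS  30     (commented out, ignored)
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_WARN_AGE   7
EOF
audit_password_age "$sample"
rm -f "$sample"
```

To check a live system, pass the path of its login.defs file to audit_password_age instead of the sample.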

8.4. Boot Settings

In this dialog, configure which users will be able to shut down the machine via the graphical login manager. You can also specify how ++ will be interpreted.

8.5. Login Settings

This dialog lets you configure security-related login settings:

Delay after Incorrect Login Attempt

In order to make it difficult to guess a user's password by repeatedly logging in, it is recommended to delay the display of the login prompt that follows an incorrect login. Specify the value in seconds. Make sure that users who have mistyped their passwords do not need to wait too long.

Record Successful Login Attempts

With this option turned on, the last successful login attempt is recorded in /var/log/lastlog and displayed when logging in. This data is also used by the command finger.

[Note]

Note that logging to /var/log/wtmp is not affected by this option. This file collects login dates, login times and reboot dates. The content of /var/log/wtmp can be displayed by using the command last.

Allow Remote Graphical Login

When checked, the graphical login manager (e.g. gdm or kdm) can be accessed from the network. This is a potential security risk.

8.6. User Addition

Set minimum and maximum values for user and group IDs. These default settings would rarely need to be changed.

8.7. Miscellaneous Settings

Other security settings that don't fit the above-mentioned categories are listed here:

File Permissions

openSUSE comes with three predefined sets of file permissions for system files. These permission sets define whether a regular user may read log files or start certain programs. Easy file permissions are suitable for standalone machines. This setting allows regular users, for example, to read most system files. See the file /etc/permissions.easy for the complete configuration. The Secure file permissions are designed for multi-user machines with network access. A thorough explanation of these settings can be found in /etc/permissions.secure. The Paranoid settings are the most restrictive ones and should be used with care. See /etc/permissions.paranoid for more information.

User Launching updatedb

The program updatedb scans the system and creates a database of all file locations which can be queried with the command locate. When updatedb is run as user nobody, only world-readable files will be added to the database. When run as user root, almost all files (except the ones root is not allowed to read) will be added.

Current Directory in root's Path / Current Directory in Path of Regular Users

Whenever a program is called without specifying the full path to the executable, the system looks in the user's search path (defined by the variable $PATH) for the executable. By default the current directory is not added to the search path. This setting ensures that, for example, /bin/ls and not the trojan horse /current directory/ls is executed when entering ls. In order to start a program in the current directory, the command must be prefixed with ./. When these options are activated, the current directory (.) is appended to the search path. It is recommended that you do not change the default.
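A search path can be checked for entries that resolve to the current directory. This is an added example, not part of the original guide; it goes beyond the explicit "." entry described above and also flags empty and relative entries, which the shell likewise resolves against the current directory. The function names are made up for illustration.

```shell
#!/bin/sh
# Added example: find search-path entries that resolve to the current
# directory. Function names are illustrative.

# Print one line per risky entry of the path string in $1 as
# "index<TAB>entry<TAB>reason"; print nothing if the path is clean.
path_cwd_entries() {
    printf '%s\n' "$1" | awk -F: '{
        # A completely empty path still has one (empty) entry.
        n = ($0 == "") ? 1 : NF
        for (i = 1; i <= n; i++) {
            e = $i
            if (e == "")         r = "empty entry means current directory"
            else if (e == ".")   r = "explicit current directory"
            else if (e !~ /^\//) r = "relative entry, resolved against current directory"
            else continue
            printf "%d\t%s\t%s\n", i, e, r
        }
    }'
}

# Succeed only if no entry of the path string in $1 is flagged.
path_is_safe() {
    [ -z "$(path_cwd_entries "$1")" ]
}

# Constructed sample value: a trailing colon and a "." entry.
path_cwd_entries "/usr/local/bin:/usr/bin:.:/bin:"

# The search path of the shell running this script.
if path_is_safe "$PATH"; then
    echo "PATH has no current-directory entries"
else
    path_cwd_entries "$PATH"
fi
```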

Enable Magic SysRq Keys

The magic SysRq key is a key combination that enables you to have some control over the system even when it has crashed. The complete documentation can be found at /usr/src/linux/Documentation/sysrq.txt (requires installation of the kernel-source package).