Hello community, here is the log from the commit of package yast2-security for openSUSE:Factory checked in at 2015-06-18 06:37:08 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/yast2-security (Old) and /work/SRC/openSUSE:Factory/.yast2-security.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "yast2-security" Changes: -------- --- /work/SRC/openSUSE:Factory/yast2-security/yast2-security.changes 2015-01-21 21:56:17.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.yast2-security.new/yast2-security.changes 2015-06-18 06:37:10.000000000 +0200 @@ -1,0 +2,20 @@ +Mon Jun 15 15:22:38 UTC 2015 - [email protected] + +- Updated list of mandatory and optional services (part of + fate#318425) +- 3.1.9 + +------------------------------------------------------------------- +Fri Jun 12 16:27:53 UTC 2015 - [email protected] + +- When checking services, systemd aliases are now taken into + account (so, for example, rsyslog is accounted as syslog). + +------------------------------------------------------------------- +Thu Jun 11 16:00:10 UTC 2015 - [email protected] + +- Removed references to runlevels (obsolete). Only current systemd + target is analyzed. +- List of mandatory and optional services moved to a YAML file. + +------------------------------------------------------------------- Old: ---- yast2-security-3.1.8.tar.bz2 New: ---- yast2-security-3.1.9.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ yast2-security.spec ++++++ --- /var/tmp/diff_new_pack.BOHK0u/_old 2015-06-18 06:37:11.000000000 +0200 +++ /var/tmp/diff_new_pack.BOHK0u/_new 2015-06-18 06:37:11.000000000 +0200 @@ -1,7 +1,7 @@ # # spec file for package yast2-security # -# Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -17,7 +17,7 @@ Name: yast2-security -Version: 3.1.8 +Version: 3.1.9 Release: 0 BuildRoot: %{_tmppath}/%{name}-%{version}-build 
@@ -30,13 +30,16 @@ BuildRequires: yast2-devtools >= 3.1.10 BuildRequires: yast2-pam BuildRequires: yast2-testsuite +# Directory.find_data_file +BuildRequires: yast2 >= yast2-3.1.131 # new Pam.ycp API Requires: yast2-pam >= 2.14.0 # etc_sysctl_conf.scr # Wizard::SetDesktopTitleAndIcon -Requires: yast2 >= yast2-2.21.22 +# Directory.find_data_file +Requires: yast2 >= yast2-3.1.131 Provides: y2c_sec Provides: yast2-config-security @@ -82,6 +85,7 @@ %{yast_moduledir}/Security.rb %{yast_scrconfdir}/*.scr %{yast_schemadir}/autoyast/rnc/security.rnc +%{yast_ydatadir}/security %doc %{yast_docdir} %changelog ++++++ yast2-security-3.1.8.tar.bz2 -> yast2-security-3.1.9.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-security-3.1.8/CONTRIBUTING.md new/yast2-security-3.1.9/CONTRIBUTING.md --- old/yast2-security-3.1.8/CONTRIBUTING.md 2015-01-13 18:06:10.000000000 +0100 +++ new/yast2-security-3.1.9/CONTRIBUTING.md 2015-06-15 17:36:09.000000000 +0200 @@ -12,13 +12,13 @@ ----------- If you find a problem, please report it either using -[Bugzilla](https://bugzilla.novell.com/enter_bug.cgi?format=guided&product=openSUSE+Factory&component=YaST2) +[Bugzilla](https://bugzilla.suse.com/enter_bug.cgi?format=guided&product=openSUSE+Factory&component=YaST2) or [GitHub issues](../../issues). (For Bugzilla, use the [simplified registration](https://secure-www.novell.com/selfreg/jsp/createSimpleAccount.jsp) if you don't have an account yet.) If you find a problem, please report it either using -[Bugzilla](https://bugzilla.novell.com/) or GitHub issues. We can't guarantee +[Bugzilla](https://bugzilla.suse.com/) or GitHub issues. We can't guarantee that every bug will be fixed, but we'll try. When creating a bug report, please follow our [bug reporting 
@@ -71,7 +71,7 @@ [widely used conventions](http://tbaggery.com/2008/04/19/a-note-about-git-commit-messages.html). -If your commit is related to a bug in Buzgilla or an issue on GitHub, make sure +If your commit is related to a bug in Bugzilla or an issue on GitHub, make sure you mention it in the commit message for cross-reference. Use format like bnc#775814 or gh#yast/yast-foo#42. See also [GitHub autolinking](https://help.github.com/articles/github-flavored-markdown#references) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-security-3.1.8/package/yast2-security.changes new/yast2-security-3.1.9/package/yast2-security.changes --- old/yast2-security-3.1.8/package/yast2-security.changes 2015-01-13 18:06:10.000000000 +0100 +++ new/yast2-security-3.1.9/package/yast2-security.changes 2015-06-15 17:36:09.000000000 +0200 
@@ -1,4 +1,24 @@ ------------------------------------------------------------------- +Mon Jun 15 15:22:38 UTC 2015 - [email protected] + +- Updated list of mandatory and optional services (part of + fate#318425) +- 3.1.9 + +------------------------------------------------------------------- +Fri Jun 12 16:27:53 UTC 2015 - [email protected] + +- When checking services, systemd aliases are now taken into + account (so, for example, rsyslog is accounted as syslog). + +------------------------------------------------------------------- +Thu Jun 11 16:00:10 UTC 2015 - [email protected] + +- Removed references to runlevels (obsolete). Only current systemd + target is analyzed. +- List of mandatory and optional services moved to a YAML file. + +------------------------------------------------------------------- Tue Jan 13 13:24:28 UTC 2015 - [email protected] - Fixed an error setting the shutdown behaviour of KDM (bnc#907907) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-security-3.1.8/package/yast2-security.spec new/yast2-security-3.1.9/package/yast2-security.spec --- old/yast2-security-3.1.8/package/yast2-security.spec 2015-01-13 18:06:10.000000000 +0100 +++ new/yast2-security-3.1.9/package/yast2-security.spec 2015-06-15 17:36:09.000000000 +0200 @@ -17,7 +17,7 @@ Name: yast2-security -Version: 3.1.8 +Version: 3.1.9 Release: 0 BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -27,13 +27,16 @@ License: GPL-2.0 BuildRequires: doxygen pkg-config perl-XML-Writer update-desktop-files yast2-pam yast2-testsuite BuildRequires: yast2-devtools >= 3.1.10 +# Directory.find_data_file +BuildRequires: yast2 >= yast2-3.1.131 # new Pam.ycp API Requires: yast2-pam >= 2.14.0 # etc_sysctl_conf.scr # Wizard::SetDesktopTitleAndIcon -Requires: yast2 >= yast2-2.21.22 +# Directory.find_data_file +Requires: yast2 >= yast2-3.1.131 Provides: y2c_sec yast2-config-security Obsoletes: y2c_sec yast2-config-security 
@@ -74,4 +77,5 @@ %{yast_moduledir}/Security.rb %{yast_scrconfdir}/*.scr %{yast_schemadir}/autoyast/rnc/security.rnc +%{yast_ydatadir}/security %doc %{yast_docdir} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-security-3.1.8/src/Makefile.am new/yast2-security-3.1.9/src/Makefile.am --- old/yast2-security-3.1.8/src/Makefile.am 2015-01-13 18:06:10.000000000 +0100 +++ new/yast2-security-3.1.9/src/Makefile.am 2015-06-15 17:36:09.000000000 +0200 @@ -28,9 +28,13 @@ scrconf/etc_polkit-default-privs_local.scr \ scrconf/kde4_kdmrc.scr +ydatadir = @ydatadir@/security +ydata_DATA = \ + data/security/services.yml + desktop_DATA = \ desktop/security.desktop -EXTRA_DIST = $(module_DATA) $(client_DATA) $(ynclude_DATA) $(schemafiles_DATA) $(scrconf_DATA) $(desktop_DATA) +EXTRA_DIST = $(module_DATA) $(client_DATA) $(ynclude_DATA) $(schemafiles_DATA) $(scrconf_DATA) $(ydata_DATA) $(desktop_DATA) include $(top_srcdir)/Makefile.am.common diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-security-3.1.8/src/data/security/services.yml new/yast2-security-3.1.9/src/data/security/services.yml --- old/yast2-security-3.1.8/src/data/security/services.yml 1970-01-01 01:00:00.000000000 +0100 +++ new/yast2-security-3.1.9/src/data/security/services.yml 2015-06-15 17:36:09.000000000 +0200 
@@ -0,0 +1,60 @@ +# services to check by the security module +# Right now, they do not depend on the security level (a.k.a. security settings) + +# Array containing services that must be running. Each entry can be: +# - the name of a service (it must be running) +# - a nested array with a list of alternative service names (at least one of +# them must be running) +--- +mandatory_services: + - apparmor + - auditd + - - firewalld + - shorewall + - SuSEfirewall2 + - - NetworkManager + - wicked + +# Array containing services that are considered harmless (it's ok if they are +# running) +optional_services: + - acpid + - autofs + - bluetooth + - console-kit-daemon + - cron + - dbus + - display-manager + - getty@tty1 + - haveged + - isdn + - klog + - libvirtd + - mcelog + - nscd + - ntpd + - polkitd + - postfix + - ModemManager + - NetworkManager-dispatcher + - NetworkManager-wait-online + - random + - sendmail + - smartd + - sshd + - syslog + - systemd-dmevented + - systemd-journal-flush + - systemd-journald + - systemd-logind + - systemd-udevd + - wickedd + - wickedd-auto4 + - wickedd-dhcp4 + - wickedd-dhcp6 + - wickedd-nanny + - wpa_supplicant + - xend + - xendomains + - YaST2-Firstboot + - YaST2-Second-Stage diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-security-3.1.8/src/include/security/dialogs.rb new/yast2-security-3.1.9/src/include/security/dialogs.rb --- old/yast2-security-3.1.8/src/include/security/dialogs.rb 2015-01-13 18:06:10.000000000 +0100 +++ new/yast2-security-3.1.9/src/include/security/dialogs.rb 2015-06-15 17:36:09.000000000 +0200 @@ -34,6 +34,7 @@ Yast.import "Label" Yast.import "Popup" + Yast.import "Message" Yast.import "Security" Yast.import "Wizard" 
@@ -53,10 +54,8 @@ @configurable_options = [ "PERMISSION_SECURITY", - "RUNLEVEL3_MANDATORY_SERVICES", - "RUNLEVEL5_MANDATORY_SERVICES", - "RUNLEVEL3_EXTRA_SERVICES", - "RUNLEVEL5_EXTRA_SERVICES", + "MANDATORY_SERVICES", + "EXTRA_SERVICES", "kernel.sysrq" ] @@ -102,17 +101,11 @@ ), "net.ipv4.ip_forward" => _("IPv4 forwarding"), "net.ipv6.conf.all.forwarding" => _("IPv6 forwarding"), - "RUNLEVEL3_MANDATORY_SERVICES" => _( - "Enable basic system services in runlevel 3\n (multiuser with network)" + "MANDATORY_SERVICES" => _( + "Enable basic system services" ), - "RUNLEVEL5_MANDATORY_SERVICES" => _( - "Enable basic system services in runlevel 5\n (multiuser with network and graphical login)" - ), - "RUNLEVEL3_EXTRA_SERVICES" => _( - "Enable extra services in runlevel 3" - ), - "RUNLEVEL5_EXTRA_SERVICES" => _( - "Enable extra services in runlevel 5" + "EXTRA_SERVICES" => _( + "Disable extra services" ) } @@ -135,17 +128,13 @@ # mapping for "Configure" links # config name -> yast client @link_client_mapping = { - "RUNLEVEL3_MANDATORY_SERVICES" => "runlevel", - "RUNLEVEL5_MANDATORY_SERVICES" => "runlevel", - "RUNLEVEL3_EXTRA_SERVICES" => "runlevel", - "RUNLEVEL5_EXTRA_SERVICES" => "runlevel" + "MANDATORY_SERVICES" => "services-manager", + "EXTRA_SERVICES" => "services-manager" } @link_update_mapping = { - "RUNLEVEL3_MANDATORY_SERVICES" => lambda { Security.ReadServiceSettings }, - "RUNLEVEL5_MANDATORY_SERVICES" => lambda { Security.ReadServiceSettings }, - "RUNLEVEL3_EXTRA_SERVICES" => lambda { Security.ReadServiceSettings }, - "RUNLEVEL5_EXTRA_SERVICES" => lambda { Security.ReadServiceSettings } + "MANDATORY_SERVICES" => lambda { Security.ReadServiceSettings }, + "EXTRA_SERVICES" => lambda { Security.ReadServiceSettings } } end 
@@ -285,36 +274,12 @@ ) == "0" }, { - "id" => "RUNLEVEL3_MANDATORY_SERVICES", - "is_secure" => Ops.get( - Security.Settings, - "RUNLEVEL3_MANDATORY_SERVICES", - "" - ) == "secure" - }, - { - "id" => "RUNLEVEL5_MANDATORY_SERVICES", - "is_secure" => Ops.get( - Security.Settings, - "RUNLEVEL5_MANDATORY_SERVICES", - "" - ) == "secure" - }, - { - "id" => "RUNLEVEL3_EXTRA_SERVICES", - "is_secure" => Ops.get( - Security.Settings, - "RUNLEVEL3_EXTRA_SERVICES", - "" - ) == "secure" + "id" => "MANDATORY_SERVICES", + "is_secure" => Security.Settings["MANDATORY_SERVICES"] == "secure" }, { - "id" => "RUNLEVEL5_EXTRA_SERVICES", - "is_secure" => Ops.get( - Security.Settings, - "RUNLEVEL5_EXTRA_SERVICES", - "" - ) == "secure" + "id" => "EXTRA_SERVICES", + "is_secure" => Security.Settings["EXTRA_SERVICES"] == "secure" } ] @@ -384,11 +349,7 @@ end # add extra help to service related options - if help_id == "RUNLEVEL3_MANDATORY_SERVICES" || - help_id == "RUNLEVEL5_MANDATORY_SERVICES" - # TODO: runlevel is not longer needed, but we are in 'text freeze phase' - runlevel = help_id == "RUNLEVEL3_MANDATORY_SERVICES" ? 3 : 5 - + if help_id == "MANDATORY_SERVICES" missing = Security.MissingMandatoryServices if missing != nil && missing != [] 
@@ -403,48 +364,21 @@ # richtext message: %1 = runlevel ("3" or "5"), %2 = list of services - help = Ops.add( - help, - Builtins.sformat( - _( - "<P>These basic system services are not enabled in runlevel %1:<BR><B>%2</B></P>" - ), - runlevel, - srvs - ) - ) + help += + _("<P>These basic system services are not enabled:<BR><B>%s</B></P>") % srvs else - help = Ops.add(help, _("<P>All basic services are enabled.</P>")) + help += _("<P>All basic services are enabled.</P>") end - elsif help_id == "RUNLEVEL3_EXTRA_SERVICES" || - help_id == "RUNLEVEL5_EXTRA_SERVICES" - # TODO: runlevel is not longer needed (read above) - runlevel = help_id == "RUNLEVEL3_EXTRA_SERVICES" ? 3 : 5 + elsif help_id == "EXTRA_SERVICES" extra = Security.ExtraServices if extra != nil && extra != [] srvs = Builtins.mergestring(extra, "<BR>") - help = Ops.add( - help, - Builtins.sformat( - _( - "<P>These extra services are enabled in runlevel %1:<BR><B>%2</B></P>" - ), - runlevel, - srvs - ) - ) - help = Ops.add( - help, - _( - "<P>Check the list of services and disable all unused services.</P>" - ) - ) + help += + _("<P>These extra services are enabled:<BR><B>%s</B></P>") % srvs + help += _("<P>Check the list of services and disable all unused services.</P>") else - help = Ops.add( - help, - _("<P>Only basic system services are enabled.</P>") - ) + help += _("<P>Only basic system services are enabled.</P>") end end 
@@ -581,10 +515,12 @@ Builtins.y2milestone("Client returned %1", client_ret) if client_ret == :next || client_ret == :ok || - client_ret == :finish + client_ret == :finish || client_ret == true # update the current value - if Builtins.haskey(@link_update_mapping, ret) - Builtins.eval(Ops.get(@link_update_mapping, ret)) + if @link_update_mapping.has_key?(ret) + Popup.Feedback(_("Analyzing system"), Message.takes_a_while) do + @link_update_mapping[ret].call + end end # update the overview diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-security-3.1.8/src/include/security/helps.rb new/yast2-security-3.1.9/src/include/security/helps.rb --- old/yast2-security-3.1.8/src/include/security/helps.rb 2015-01-13 18:06:10.000000000 +0100 +++ new/yast2-security-3.1.9/src/include/security/helps.rb 2015-06-15 17:36:09.000000000 +0200 
@@ -346,16 +346,10 @@ "PERMISSION_SECURITY" => _( "<P>There are predefined file permissions in /etc/permissions.* files. The most restrictive file permissions are defined 'secure' or 'paranoid' file.</P>" ), - "RUNLEVEL3_MANDATORY_SERVICES" => _( + "MANDATORY_SERVICES" => _( "<P>Basic system services must be enabled to provide system consistency and to run the security-related services.</P>" ), - "RUNLEVEL5_MANDATORY_SERVICES" => _( - "<P>Basic system services must be enabled to provide system consistency and to run the security-related services.</P>" - ), - "RUNLEVEL3_EXTRA_SERVICES" => _( - "<P>Every running service is a potential target of a security attack. Therefore it is recommended to turn off all services which are not used by the system.</P>" - ), - "RUNLEVEL5_EXTRA_SERVICES" => _( + "EXTRA_SERVICES" => _( "<P>Every running service is a potential target of a security attack. Therefore it is recommended to turn off all services which are not used by the system.</P>" ) } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-security-3.1.8/src/modules/Security.rb new/yast2-security-3.1.9/src/modules/Security.rb --- old/yast2-security-3.1.8/src/modules/Security.rb 2015-01-13 18:06:10.000000000 +0100 +++ new/yast2-security-3.1.9/src/modules/Security.rb 2015-06-15 17:36:09.000000000 +0200 @@ -26,6 +26,7 @@ # # $Id$ require "yast" +require "yaml" module Yast class SecurityClass < Module 
@@ -40,64 +41,26 @@ Yast.import "Package" Yast.import "Pam" Yast.import "Progress" + Yast.import "Service" Yast.import "SystemdService" + Yast.import "Directory" Yast.include self, "security/levels.rb" - # services to check - these must be running - # meaning [ [ || ] && && ] - @mandatory_services = [ - ["ntp"], - ["syslog"], - ["auditd"], - ["random"], - ["kbd"], - ["cron"], - ["postfix", "sendmail"] - ] - # sevices to check - these can be ignored (if they are running it's OK) - @optional_services = [ - "acpid", - "boot.clock", - "dbus", - "ealysyslog", - "fbset", - "framebufferset", - "isdn", - "microcode.ctl", - "random", - "consolekit", - "haldaemon", - "network", - "syslog", - "auditd", - "splash_early", - "alsasound", - "irq_balancer", - "kbd", - "powersaved", - "splash", - "sshd", - "earlyxdm", - "hotkey-setup", - "atd", - "nscd", - "smpppd", - "xend", - "autofs", - "libvirtd", - "sendmail", - "postfix", - "xendomains", - "cron", - "ddclient", - "smartd", - "stopblktrace", - "ntp", - "SuSEfirewall", - "earlysyslog" - ] + # Services to check + srv_file = Directory.find_data_file("security/services.yml") + if srv_file + srv_lists = YAML.load_file(srv_file) rescue {} + else + srv_lists = {} + end + # These must be running + @mandatory_services = srv_lists["mandatory_services"] || [] + # It must be an array of arrays (meaning [ [ || ] && && ]) + @mandatory_services.map! {|s| s.is_a?(::String) ? [s] : s } + # These can be ignored (if they are running it's OK) + @optional_services = srv_lists["optional_services"] || [] # All other services should be turned off # systemd target, defining ctrl-alt-del behavior 
@@ -145,22 +108,23 @@ "DISPLAYMANAGER_ROOT_LOGIN_REMOTE" => "no", "DISPLAYMANAGER_XSERVER_TCP_PORT_6000_OPEN" => "no", "SMTPD_LISTEN_REMOTE" => "no", - "RUNLEVEL3_MANDATORY_SERVICES" => "yes", - "RUNLEVEL5_MANDATORY_SERVICES" => "yes", - "RUNLEVEL3_EXTRA_SERVICES" => "no", - "RUNLEVEL5_EXTRA_SERVICES" => "no" + "MANDATORY_SERVICES" => "yes", + "EXTRA_SERVICES" => "no" } + # List of missing mandatory services + @missing_mandatory_services = [] + # List of enabled services not included in mandatory or optional lists + @extra_services = [] + # the original settings @Settings_bak = deep_copy(@Settings) # keys that should not be tested against predefined levels: - # - RUNLEVEL*_SERVICES have different syntax, are not saved in current form + # - *_SERVICES have different syntax, are not saved in current form @do_not_test = [ - "RUNLEVEL3_MANDATORY_SERVICES", - "RUNLEVEL5_MANDATORY_SERVICES", - "RUNLEVEL3_EXTRA_SERVICES", - "RUNLEVEL5_EXTRA_SERVICES" + "MANDATORY_SERVICES", + "EXTRA_SERVICES" ] # Security settings locations @@ -238,10 +202,8 @@ # Remaining settings: # - CONSOLE_SHUTDOWN (/etc/inittab) # - PASSWD_ENCRYPTION (/etc/pam?) - # - RUNLEVEL3_MANDATORY_SERVICES - # - RUNLEVEL5_MANDATORY_SERVICES - # - RUNLEVEL3_EXTRA_SERVICES - # - RUNLEVEL5_EXTRA_SERVICES + # - MANDATORY_SERVICES + # - EXTRA_SERVICES # Number of sigificant characters in the password @PasswordMaxLengths = { 
@@ -275,48 +237,13 @@ end # List of missing mandatory services - # - # @param [Array<String>] enabled_services optional list with names of the - # currently enabled services. If not provided, it will be obtained - # from SystemdService. - def MissingMandatoryServices(enabled_services = nil) - log.info("Checking mandatory services") - - enabled_services ||= SystemdService.all.select(&:enabled?).map(&:name) - log.info("enabled_services: #{enabled_services}") - return nil if enabled_services.nil? - - ret = @mandatory_services.select do |services| - enabled = services.any? { |service| enabled_services.include?(service) } - log.info("Mandatory services #{services} are enabled: #{enabled}") - !enabled - end - - log.info("Missing mandatory services: #{ret}") - deep_copy(ret) + def MissingMandatoryServices + @missing_mandatory_services end # List of enabled services that are neither mandatory nor optional - # - # @param [Array<String>] enabled_services optional list with names of the - # currently enabled services. If not provided, it will be obtained - # from SystemdService. - def ExtraServices(enabled_services = nil) - log.info("Searching for extra services") - - enabled_services ||= SystemdService.all.select(&:enabled?).map(&:name) - return nil if enabled_services == nil - - mandatory = @mandatory_services.flatten - ret = enabled_services.select do |service| - # the extra service is not mandatory and it's not optional - extra = !mandatory.include?(service) && !@optional_services.include?(service) - log.info("Found extra service: #{service}") if extra - extra - end - log.info("All extra services: #{ret}") - - deep_copy(ret) + def ExtraServices + @extra_services end # Check for pending Abort press 
@@ -354,13 +281,12 @@ end def ReadServiceSettings - services = SystemdService.all.select(&:enabled?).map(&:name) - setting = MissingMandatoryServices(services) == [] ? "secure" : "insecure" - # Runlevels are not longer used, but @Settings is populated this way for - # compatibility with the current interface - @Settings["RUNLEVEL3_MANDATORY_SERVICES"] = @Settings["RUNLEVEL5_MANDATORY_SERVICES"] = setting - setting = ExtraServices(services) == [] ? "secure" : "insecure" - @Settings["RUNLEVEL3_EXTRA_SERVICES"] = @Settings["RUNLEVEL5_EXTRA_SERVICES"] = setting + read_missing_mandatory_services + setting = MissingMandatoryServices() == [] ? "secure" : "insecure" + @Settings["MANDATORY_SERVICES"] = setting + read_extra_services + setting = ExtraServices() == [] ? "secure" : "insecure" + @Settings["EXTRA_SERVICES"] = setting nil end 
@@ -904,6 +830,65 @@ publish :function => :Export, :type => "map ()" publish :function => :Summary, :type => "list ()" publish :function => :Overview, :type => "list ()" + + protected + + # Sets @missing_mandatory_services honoring the systemd aliases + def read_missing_mandatory_services + log.info("Checking mandatory services") + + @missing_mandatory_services = @mandatory_services.reject do |services| + enabled = services.any? { |service| Service.enabled?(service) } + log.info("Mandatory services #{services} are enabled: #{enabled}") + enabled + end + + log.info("Missing mandatory services: #{@missing_mandatory_services}") + end + + # Sets @extra_services honoring the systemd aliases + def read_extra_services + log.info("Searching for extra services") + + enabled_services = SystemdService.all(names: "Names").select(&:enabled?) + # Remove from the list the services that are allowed + @extra_services = enabled_services.reject do |service| + allowed = allowed_service?(service.name) + # If the name is not allowed, try the aliases + if !allowed + names = alias_names(service) + allowed = names && names.any? { |name| allowed_service?(name) } + end + log.info("Found extra service: #{service.name}") unless allowed + allowed + end + @extra_services.map!(&:name) + log.info("All extra services: #{@extra_services}") + end + end + + # Checks if the service is allowed (i.e. 
not considered 'extra') + # + # @return [Boolean] true whether the service is expected (mandatory or optional) + def allowed_service?(name) + all_mandatory_services.include?(name) || @optional_services.include?(name) + end + + # Flat list of mandatory services + def all_mandatory_services + @all_mandatory_services ||= @mandatory_services.flatten + end + + # List of aliases of the service + # + # @return [Array<String>] alias names excluding '.service' + def alias_names(service) + names = service.properties.names + if names + names.split.map {|name| name.sub(/\.service$/, "") } + else + nil + end end Security = SecurityClass.new diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-security-3.1.8/test/security_test.rb new/yast2-security-3.1.9/test/security_test.rb --- old/yast2-security-3.1.8/test/security_test.rb 2015-01-13 18:06:10.000000000 +0100 +++ new/yast2-security-3.1.9/test/security_test.rb 2015-06-15 17:36:09.000000000 +0200 @@ -7,23 +7,34 @@ require "yast" require_relative 'SCRStub' -def services_for(names) - names.map {|n| Yast::DummySystemdUnit.new(n) } +def services_for(names, aliases = {}) + names.map do |n| + if aliases[n] + Yast::DummySystemdUnit.new(n, aliases[n]) + else + Yast::DummySystemdUnit.new(n) + end + end end module Yast # SystemdUnit is 'too smart' for our testing purposes class DummySystemdUnit - attr_accessor :name + attr_accessor :name, :properties - def initialize(name) + Struct.new("DummyProperties", :names) + + def initialize(name, aliases = nil) self.name = name + self.properties = Struct::DummyProperties.new(aliases) end def enabled?; true; end end import "Security" + import "SystemdService" + import "Service" RSpec.configure do |c| c.include SCRStub 
@@ -31,42 +42,49 @@ describe Security do describe "#ReadServiceSettings" do + let(:aliases) { {} } - before(:each) do - allow(SystemdService).to receive(:all).and_return services_for(service_names) + before(:each) do + allow(Service).to receive(:enabled?) do |service| + service_names.include?(service) + end + allow(SystemdService).to receive(:all).and_return services_for(service_names, aliases) Security.ReadServiceSettings end context "only with mandatory services" do - let(:service_names) { %w(ntp syslog auditd random kbd cron postfix sendmail) } + let(:service_names) { %w(apparmor auditd SuSEfirewall2 wicked) } - it "sets settings for all runlevels to 'secure'" do - expect(Security.Settings["RUNLEVEL3_MANDATORY_SERVICES"]).to eq("secure") - expect(Security.Settings["RUNLEVEL5_MANDATORY_SERVICES"]).to eq("secure") - expect(Security.Settings["RUNLEVEL3_EXTRA_SERVICES"]).to eq("secure") - expect(Security.Settings["RUNLEVEL5_EXTRA_SERVICES"]).to eq("secure") + it "sets settings for services as 'secure'" do + expect(Security.Settings["MANDATORY_SERVICES"]).to eq("secure") + expect(Security.Settings["EXTRA_SERVICES"]).to eq("secure") end end context "with mandatory and extra services" do - let(:service_names) { %w(ntp syslog auditd random kbd extra1 cron postfix sendmail) } + let(:service_names) { %w(apparmor auditd SuSEfirewall2 extra1 wicked) } it "sets settings for extra services as 'insecure'" do - expect(Security.Settings["RUNLEVEL3_MANDATORY_SERVICES"]).to eq("secure") - expect(Security.Settings["RUNLEVEL5_MANDATORY_SERVICES"]).to eq("secure") - expect(Security.Settings["RUNLEVEL3_EXTRA_SERVICES"]).to eq("insecure") - expect(Security.Settings["RUNLEVEL5_EXTRA_SERVICES"]).to eq("insecure") + expect(Security.Settings["MANDATORY_SERVICES"]).to eq("secure") + expect(Security.Settings["EXTRA_SERVICES"]).to eq("insecure") end end context "without all mandatory services and extra ones" do - let(:service_names) { %w(ntp syslog auditd extra1 cron postfix sendmail) } + 
let(:service_names) { %w(auditd shorewall extra1 wicked) } + + it "sets settings for services as 'insecure'" do + expect(Security.Settings["MANDATORY_SERVICES"]).to eq("insecure") + expect(Security.Settings["EXTRA_SERVICES"]).to eq("insecure") + end + end + + context "with services that are aliases of optional services" do + let(:service_names) { %w(apparmor auditd anacron firewalld wicked rsyslog) } + let(:aliases) { {"rsyslog" => "rsyslog.service syslog.service", "anacron" => "anacron cron"} } - it "sets settings for all runlevels to 'insecure'" do - expect(Security.Settings["RUNLEVEL3_MANDATORY_SERVICES"]).to eq("insecure") - expect(Security.Settings["RUNLEVEL5_MANDATORY_SERVICES"]).to eq("insecure") - expect(Security.Settings["RUNLEVEL3_EXTRA_SERVICES"]).to eq("insecure") - expect(Security.Settings["RUNLEVEL5_EXTRA_SERVICES"]).to eq("insecure") + it "sets settings for extra services as 'secure'" do + expect(Security.Settings["EXTRA_SERVICES"]).to eq("secure") end end @@ -74,10 +92,8 @@ let(:service_names) { [] } it "sets settings for mandatory to 'insecure'" do - expect(Security.Settings["RUNLEVEL3_MANDATORY_SERVICES"]).to eq("insecure") - expect(Security.Settings["RUNLEVEL5_MANDATORY_SERVICES"]).to eq("insecure") - expect(Security.Settings["RUNLEVEL3_EXTRA_SERVICES"]).to eq("secure") - expect(Security.Settings["RUNLEVEL5_EXTRA_SERVICES"]).to eq("secure") + expect(Security.Settings["MANDATORY_SERVICES"]).to eq("insecure") + expect(Security.Settings["EXTRA_SERVICES"]).to eq("secure") end end end diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-security-3.1.8/testsuite/tests/Import.out new/yast2-security-3.1.9/testsuite/tests/Import.out --- old/yast2-security-3.1.8/testsuite/tests/Import.out 2015-01-13 18:06:10.000000000 +0100 +++ new/yast2-security-3.1.9/testsuite/tests/Import.out 2015-06-15 17:36:09.000000000 +0200 
@@ -1,5 +1,5 @@ Return true -Dump $["AllowShutdown":"r3", "CONSOLE_SHUTDOWN":"reboot", "CRACKLIB_DICT_PATH":"/usr/lib/cracklib_dict", "DISABLE_RESTART_ON_UPDATE":"r13", "DISABLE_STOP_ON_REMOVAL":"r14", "DISPLAYMANAGER_REMOTE_ACCESS":"r4", "DISPLAYMANAGER_ROOT_LOGIN_REMOTE":"r16", "DISPLAYMANAGER_XSERVER_TCP_PORT_6000_OPEN":"r17", "FAIL_DELAY":"l2", "GID_MAX":"l3", "GID_MIN":"l4", "HIBERNATE_SYSTEM":"active_console", "PASSWD_ENCRYPTION":"sha512", "PASSWD_REMEMBER_HISTORY":"0", "PASSWD_USE_CRACKLIB":"yes", "PASS_MAX_DAYS":"l7", "PASS_MIN_DAYS":"l9", "PASS_MIN_LEN":"l10", "PASS_WARN_AGE":"l11", "PERMISSION_SECURITY":"r5", "RUNLEVEL3_EXTRA_SERVICES":"no", "RUNLEVEL3_MANDATORY_SERVICES":"yes", "RUNLEVEL5_EXTRA_SERVICES":"no", "RUNLEVEL5_MANDATORY_SERVICES":"yes", "RUN_UPDATEDB_AS":"r7", "SMTPD_LISTEN_REMOTE":"no", "SYSLOG_ON_NO_ERROR":"yes", "SYSTOHC":"yes", "SYS_GID_MAX":"l16", "SYS_GID_MIN":"l17", "SYS_UID_MAX":"l14", "SYS_UID_MIN":"l15", "UID_MAX":"l12", "UID_MIN":"l13", "USERADD_CMD":"l18", "USERDEL_POSTCMD":"l20", "USERDEL_PRECMD":"l19", "kernel.sysrq":"1", "net.ipv4.ip_forward":"0", "net.ipv4.tcp_syncookies":"1", "net.ipv6.conf.all.forwarding":"1"] +Dump $["AllowShutdown":"r3", "CONSOLE_SHUTDOWN":"reboot", "CRACKLIB_DICT_PATH":"/usr/lib/cracklib_dict", "DISABLE_RESTART_ON_UPDATE":"r13", "DISABLE_STOP_ON_REMOVAL":"r14", "DISPLAYMANAGER_REMOTE_ACCESS":"r4", "DISPLAYMANAGER_ROOT_LOGIN_REMOTE":"r16", "DISPLAYMANAGER_XSERVER_TCP_PORT_6000_OPEN":"r17", "EXTRA_SERVICES":"no", "FAIL_DELAY":"l2", "GID_MAX":"l3", "GID_MIN":"l4", "HIBERNATE_SYSTEM":"active_console", "MANDATORY_SERVICES":"yes", "PASSWD_ENCRYPTION":"sha512", "PASSWD_REMEMBER_HISTORY":"0", "PASSWD_USE_CRACKLIB":"yes", "PASS_MAX_DAYS":"l7", "PASS_MIN_DAYS":"l9", "PASS_MIN_LEN":"l10", "PASS_WARN_AGE":"l11", "PERMISSION_SECURITY":"r5", "RUN_UPDATEDB_AS":"r7", "SMTPD_LISTEN_REMOTE":"no", "SYSLOG_ON_NO_ERROR":"yes", "SYSTOHC":"yes", "SYS_GID_MAX":"l16", "SYS_GID_MIN":"l17", "SYS_UID_MAX":"l14", "SYS_UID_MIN":"l15", 
"UID_MAX":"l12", "UID_MIN":"l13", "USERADD_CMD":"l18", "USERDEL_POSTCMD":"l20", "USERDEL_PRECMD":"l19", "kernel.sysrq":"1", "net.ipv4.ip_forward":"0", "net.ipv4.tcp_syncookies":"1", "net.ipv6.conf.all.forwarding":"1"] Dump l15 Dump l14 Dump l17
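Review bot: In the Security.rb hunk `@@ -40,64 +41,26 @@`, `srv_lists = YAML.load_file(srv_file) rescue {}` fails open: when services.yml is missing or unparseable the lists silently become empty, so `@mandatory_services` is `[]`, `MissingMandatoryServices` returns `[]` and MANDATORY_SERVICES is reported "secure" while every enabled unit is reported as extra. The `rescue` also only covers `load_file`; an empty file makes `YAML.load_file` return `false`, and `srv_lists["mandatory_services"]` then raises NoMethodError. Suggest a `log.error` in both fallback branches and `srv_lists = {} unless srv_lists.is_a?(Hash)` before the lists are read.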
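Review bot: In both spec hunks (`@@ -30,13 +30,16 @@` and `@@ -27,13 +27,16 @@`), `Requires: yast2 >= yast2-3.1.131` and the matching BuildRequires do not enforce anything: the version string is prefixed with the package name, so RPM parses `yast2` as the version (and `3.1.131` as the release), and because rpmvercmp ranks a numeric segment above an alphabetic one, every installed yast2 version compares greater. The `Directory.find_data_file` dependency the comment documents is therefore not guaranteed at build or install time; the replaced `yast2-2.21.22` had the same problem. Suggest `BuildRequires: yast2 >= 3.1.131` and `Requires: yast2 >= 3.1.131`.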
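Review bot: In the services.yml hunk, the header comment describes `optional_services` as "services that are considered harmless", but the list contains network-facing daemons (sshd, postfix, sendmail, libvirtd, xend). They are whitelisted as expected on a default installation so the overview does not flag them, not as security-neutral, and the code side already calls this `allowed_service?`. Suggest rewording the comment to say these services are allowed (not reported as extra) rather than harmless, so nobody later reads the file as a list of safe services.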
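Review bot: In the security_test.rb hunk `@@ -31,42 +42,49 @@`, the stub `allow(Service).to receive(:enabled?) do |service| service_names.include?(service) end` bypasses alias resolution, so the alias-aware path of `read_missing_mandatory_services` is never exercised: no context enables a mandatory service only under an alias, and the "aliases of optional services" context asserts EXTRA_SERVICES only. Suggest making the stub consult the same `aliases` map and adding a context where a mandatory entry is satisfied solely through an aliased unit name, asserting `Security.Settings["MANDATORY_SERVICES"]` as well.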
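Review bot: In the security_test.rb hunk `@@ -7,23 +7,34 @@`, `Struct.new("DummyProperties", :names)` defines the global constant `Struct::DummyProperties` as a side effect of loading the file, so loading the spec twice or defining the same name in another spec produces a redefinition warning. Suggest an anonymous struct scoped to the dummy class, e.g. `Properties = Struct.new(:names)` inside `DummySystemdUnit`, and `self.properties = Properties.new(aliases)` in `initialize`.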
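Review bot: In the dialogs.rb hunk `@@ -581,10 +515,12 @@`, the new `client_ret == true` alternative is added without explanation; the other branches compare against symbols, so a reader cannot tell which client returns a bare boolean or whether `false` should fall through to the no-update path. Suggest a one-line comment naming the client (the mapping now points at `services-manager`) so the condition is not removed as a typo later.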
