Objective 7 Configure Security Settings With YaST

YaST offers a module to configure certain system settings that affect the local security. You can access the module from the YaST Control Center by selecting Security and Users > Security settings.

With the module you can easily change the following settings of the system configuration:

■ The password settings

■ The boot behavior of the system

■ The login behavior

■ The user ID limitations

■ General file system security

When you start the module, the following appears:

Figure 4-4

The local security settings include the boot configuration, login settings, password settings, some user creation settings, and file permissions.

All particular settings are described in the respective dialogs.

You can choose one of the preset configurations or you can make your own settings.

Use Home Workstation for a home computer not connected to any type of a network.

Use Networked Workstation for a computer connected to any type of a network or the Internet.

Use Network Server for a computer that will be providing any type of service, network or

[Screenshot: the Local Security Configuration dialog, with the Current Security Settings options Level 1 (Home Workstation), Level 2 (Networked Workstation), Level 3 (Network Server) and Custom Settings.]

In the dialog you can choose from 4 levels of local security:

Table 4-13

Level 1 (Home Workstation)

This option represents the lowest level of local security. It should only be used on a home workstation that is not connected to any kind of network.

Level 2 (Networked Workstation)

This option provides an intermediate level of local security. It is suitable for workstations that are connected to a network.

Level 3 (Network Server)

This option enables a high level of local security. Systems that are used as a network server should be run with this setting.

Custom Settings

This option lets you create your own level of local security.

By selecting one of the three predefined security levels and selecting Next, the chosen security level is applied. By selecting Details, you can change the settings for the security level you have selected.

If you choose Custom Settings and then select Next, you can directly change the details of the security configuration.

The dialogs for the detail settings look the same for every security level, but the preselected options are different. In the following dialogs, you see the settings for Level 3 (Network Server).

In the first dialog you can change the default password requirements that are accepted by the system:

Figure 4-5

In this dialog, change various password settings. These settings are mainly stored in the "/etc/login.defs" file.

Checking New Passwords

It is wise to choose a password that cannot be found in a dictionary and is not a name or other simple, common word. By checking the box, enforce password checking in regard to these rules.

Plausibility Test for Passwords

Passwords should be constructed using a mixture of characters. This makes the guessing of passwords very difficult. Check this box to enable additional checks.

[Screenshot: the Password Settings dialog, with the fields Checking New Passwords, Plausibility Test for Password, Password Encryption Method, Number of Significant Characters in the Password, Minimum Acceptable Password Length, Days to Password Change Warning (Minimum and Maximum) and Days before Password Expires Warning.]

You have the following options:

Table 4-14

Checks

This option enables the checking of newly created passwords. The following two methods can be enabled:

■ Checking New Passwords. New passwords will be checked to see if they can be found in a dictionary.

■ Plausibility Test For Passwords. Passwords will be checked to see if they contain a mixture of different kinds of characters (such as lowercase and uppercase characters).

For a server system, you should at least enable Checking New Passwords.

Password Encryption Method

You can choose between different kinds of password encryption methods. This option sets the maximum length of the password.

The default option DES supports only passwords with a length up to 8 characters.

MD5 and blowfish support longer passwords but are not well supported by older systems and applications.

Unless your system needs to meet very high security demands, you can stay with the default DES.

Number Of Significant Characters In The Password

This option corresponds to the previous one. You can only choose a value higher than 8 if you have chosen a different encryption method than DES.

For normal security demands, a value of 8 is sufficient.

Minimum Acceptable Password Length

This value determines the minimum length of a password. The shorter a password is, the easier it is to crack it.

A password should never be shorter than 6 characters.

Days To Password Change Warnings

The name of this option is a little bit misleading. There are two values to be set:

■ Minimum. The number of days after which a user can change the password.

■ Maximum. The number of days after which a user must change the password.

Days Before Password Expires Warning

This option determines how many days before a password has to be changed a warning should be given to the user.

After adapting the options to your needs, select Next to proceed to the next dialog.

The following dialog appears:

Figure 4-6

In this dialog, change various boot settings.

Interpretation of Ctrl + Alt + Del

When someone at the console has pressed the CTRL + ALT + DEL key combination, the system usually reboots. Sometimes it is desirable to ignore this event, for example, when the system serves as both workstation and server.

Shutdown Behavior of KDM

Set who is allowed to shut down the machine from KDM.

[Screenshot: the Boot Settings dialog, with Interpretation of Ctrl + Alt + Del set to Ignore and Shutdown Behavior of KDM set to Only root.]

In this dialog you can configure how the system can be rebooted.

You have the following options:

Table 4-15

Interpretation Of Ctrl+Alt+Del

This option determines how the key combination Ctrl+Alt+Del is evaluated. You can choose between the following possibilities:

■ Ignore. The key combination is ignored; nothing happens.

■ Reboot. When the combination is pressed, the system reboots.

■ Halt. The system can be halted by pressing the key combination.

On a server you should always choose Ignore because otherwise someone could halt or reboot the system even without being logged in.

Shutdown Behavior Of KDM

This option determines how the system can be halted with the graphical login manager KDM.

You have the following choices:

■ Only Root. To halt the system, the root password has to be entered.

■ All users. Everyone, even remotely connected users, can halt the system using KDM.

■ Nobody. Nobody can halt the system with KDM.

■ Local Users. Only locally connected users can halt the system with KDM.

■ Automatic. The system is halted automatically after log out.

For a server system you should use Only Root or Nobody to prevent normal or even remote

After selecting Next, the following appears:

Figure 4-7

In this dialog, change various login settings. These settings are mainly stored in the '/etc/login.defs' file.

Delay after Incorrect Login Attempt

It is advisable to wait some time after an incorrect login attempt to prevent password guessing. Make the time small enough so users do not need to wait to retry if a password is mistyped. A sensible value is three seconds ('3').

Record Failed Login Attempts

It is useful to know if somebody is trying to log in and failed. For example, if someone is trying to guess the passwords of other users. Check this option to specify whether failed login attempts

[Screenshot: the Login Settings dialog, with the field Delay after Incorrect Login Attempt and the check boxes Record Failed Login Attempts, Record Successful Login Attempts and Allow Remote Graphical Login.]

In this dialog you can configure the login behavior of the system.

You have the following options:

Table 4-16

Delay After Incorrect Login Attempts

The value of this option determines the number of seconds the next login try will be delayed after a failed login attempt.

This is useful to prevent attackers from trying various passwords very quickly.

The default value 3 is sufficient in most cases.

Record Failed Login Attempts

If this option is checked, failed login attempts are logged.

This option should be enabled.

Record Successful Login Attempts

If this option is checked, successful login attempts are logged.

This option should also be enabled.

Allow Remote Graphical Login

The display manager KDM lets you log in remotely to the X-Window system.

If this option is selected, remote login is allowed.

For a server system, you should not enable this option unless it is needed for the purpose of the server (for example, the system is a terminal server).

After adjusting the settings in this dialog, select Next to proceed to the next dialog.
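The password and login recommendations from the two dialogs above can be checked against the resulting login.defs file with a short script. This is an added example, not part of the original course text: the key names (PASS_MIN_LEN, FAIL_DELAY, FAILLOG_ENAB, LASTLOG_ENAB) are the usual shadow-suite names and are assumed to be the ones YaST writes, the function names are hypothetical, and the sample file is constructed.

```bash
#!/bin/bash
# Added example. That YaST writes exactly these keys is an assumption;
# compare with your own /etc/login.defs before relying on the result.

# Print the last uncommented value of key $1 in file $2 (nothing if unset).
defs_get() {
    awk -v k="$1" '$1 == k { v = $2 } END { print v }' "$2"
}

# Print one line per finding for the login.defs-style file $1.
# Returns 1 if there is at least one finding, 0 otherwise.
audit_login_defs() {
    local file=$1 rc=0 v key
    v=$(defs_get PASS_MIN_LEN "$file")
    if ! [ "${v:-0}" -ge 6 ] 2>/dev/null; then
        echo "PASS_MIN_LEN=${v:-unset}: passwords should never be shorter than 6"
        rc=1
    fi
    v=$(defs_get FAIL_DELAY "$file")
    if ! [ "${v:-0}" -ge 3 ] 2>/dev/null; then
        echo "FAIL_DELAY=${v:-unset}: below the 3 second delay suggested above"
        rc=1
    fi
    for key in FAILLOG_ENAB LASTLOG_ENAB; do
        v=$(defs_get "$key" "$file")
        if [ "$v" != yes ]; then
            echo "$key=${v:-unset}: these login attempts are not recorded"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample input, not taken from a real system.
sample_login_defs() {
    cat <<'EOF'
# PASS_MIN_LEN 8    (commented out, so it must be ignored)
PASS_MIN_LEN    5
PASS_MAX_DAYS   99999
FAIL_DELAY      3
FAILLOG_ENAB    yes
LASTLOG_ENAB    no
EOF
}

sample=$(mktemp)
sample_login_defs > "$sample"
audit_login_defs "$sample" || echo "findings listed above"
rm -f "$sample"
```

To audit a live system, call audit_login_defs /etc/login.defs instead of the sample file.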

The next dialog provides the following options:

Figure 4-8

In this dialog, change various useradd settings.

User ID Limitations

Set the minimum and maximum possible user ID.

Group ID Limitations

Set the minimum and maximum possible group ID.

[Screenshot: the Adding User dialog, with Minimum and Maximum fields for User ID Limitations and Group ID Limitations.]

In this dialog you can adjust the Minimum and the Maximum value for User and Group IDs. The default values should be acceptable for most purposes.

Select Next to continue to the last page of the security configuration.

The following appears:

Figure 4-9

In this dialog, change miscellaneous settings.

Setting of File Permissions

Settings for the permissions of certain system files are set according to the data in /etc/permissions.secure or /etc/permissions.easy. Which file is used depends on this selection. Launching SuSEconfig sets these permissions according to /etc/permissions.*. This fixes files with incorrect permissions, whether this occurred accidentally or by intruders.

"Easy": Most of the system files that are only readable by root (via secure) are modified so other users can also read these files.

[Screenshot: the Miscellaneous Settings dialog, with Setting of File Permissions set to Secure, User Launching updatedb set to nobody, and check boxes for Current Directory in root's Path, Current Directory in Path of Regular Users and Enable Magic SysRq Keys.]

You have the following options:

Table 4-17

Setting Of File Permissions

From this menu, you can choose between three different presets for file system permissions.

You have the following options:

■ Easy. Most configuration files are readable for normal users.

■ Secure. Certain system files (like /var/log/messages) can only be viewed by root. Some programs can only be launched by root or by daemons.

■ Paranoid. This is the preset with the highest level of file system security. Access rights are even more restricted than with the Secure setting.

The security settings for every preset are read from configuration files following the naming scheme /etc/permissions.<level>.

For example, the configuration for the Secure level is read from the file /etc/permissions.secure.

Each file contains a description of the file syntax and purpose of the preset.

You can also add your own rules to the file /etc/permissions.local.

User Launching Updatedb

This option determines under which user ID the command updatedb is executed by cron.

The updatedb program indexes all files in the file system. The generated database can be queried with the locate command.

The choices of this option are:

■ nobody. The command is launched under the user ID of the system user nobody. This way only files that are accessible for the user nobody are indexed.

■ root. The command is executed under the user ID of the root user. This way all files in the file system can be indexed.

For security reasons you should use the user nobody. This way no files are indexed that should not be accessible for normal users.

Current Directory In Root Path

If this option is selected, the current directory is added to the search path of root.

This could lead to security problems if an attacker places an executable with a common name like ls into a directory.

If root enters ls in that directory, the executable of the attacker could be launched instead of the normal ls command.

Never select this option.

Current Directory In Path Of Regular Users

If this option is selected, the current directory is added to the search path of normal users.

In a security sensitive environment, this option should not be enabled.

Enable Magic SysRq Keys

This option enables special key combinations that give you some control over the system even in the case of a system crash.

This is useful for debugging purposes but should be disabled on production systems.
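The risk described for Current Directory In Root Path can be checked from a shell: the first function below finds search path entries that resolve to the current directory, including the empty entries that are easy to overlook, and the second lists files in a directory that would take the place of a real command. This is an added example, not part of the original course text; the function names are hypothetical and the demo directories are constructed.

```bash
#!/bin/bash
# Added example; function names are hypothetical.

# Print every entry of the PATH-style string $1 that makes the shell search
# the current directory: ".", any other relative path, or an empty entry
# (leading colon, trailing colon or "::").
risky_path_entries() {
    local rest="$1:" entry      # sentinel colon keeps a trailing empty entry
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        case $entry in
            "") echo "<empty>" ;;
            /*) ;;              # absolute directory: not affected
            *)  echo "$entry" ;;
        esac
    done
}

# List executables in directory $1 that carry the name of a command found in
# the trusted, colon-separated directories $2. With "." in the search path,
# these files would run in place of the real command.
shadowing_files() {
    local dir=$1 f name d IFS=:
    for f in "$dir"/*; do
        if [ -f "$f" ] && [ -x "$f" ]; then
            name=${f##*/}
            for d in $2; do
                if [ -n "$d" ] && [ -x "$d/$name" ]; then
                    echo "$f shadows $d/$name"
                    break
                fi
            done
        fi
    done
}

# Constructed demo: a stand-in "system" directory and a shared directory
# that contains an executable named ls.
demo=$(mktemp -d)
mkdir "$demo/bin" "$demo/shared"
printf '#!/bin/sh\n' > "$demo/bin/ls";    chmod 755 "$demo/bin/ls"
printf '#!/bin/sh\n' > "$demo/shared/ls"; chmod 755 "$demo/shared/ls"
printf 'notes\n'     > "$demo/shared/readme"
risky_path_entries "/usr/bin:.:/bin:"
shadowing_files "$demo/shared" "$demo/bin"
rm -rf "$demo"
```

On a real system, run risky_path_entries "$PATH" as root and as a regular user, and point shadowing_files at shared directories with the system PATH as the second argument.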

After confirming this dialog with Finish, the changes are saved and applied to the system.

In most cases it should be sufficient to choose one of the preconfigured security levels.
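The /etc/permissions.<level> files described under Setting Of File Permissions can also be used for a read-only check that reports files whose owner, group or mode no longer matches the chosen preset. This is an added example, not part of the original course text or SUSE's own tooling: the entry format (path, then owner:group or owner.group, then octal mode) is assumed, and the function name and sample profile are constructed.

```bash
#!/bin/bash
# Added example. Assumed profile format, one entry per line:
#   <path> <owner>:<group> <octal mode>
# (older files may separate owner and group with a dot instead of a colon).

# Print a DRIFT line for every existing path in profile $1 whose owner, group
# or mode differs from the profile. Returns 1 if any drift was found.
check_permissions() {
    local path og mode rest owner group rc=0
    while read -r path og mode rest; do
        case $path in
            /*) ;;              # an entry
            *)  continue ;;     # comment, blank line or anything else
        esac
        [ -e "$path" ] || continue      # not installed: nothing to check
        case $og in
            *:*) owner=${og%%:*}; group=${og#*:} ;;
            *)   owner=${og%%.*}; group=${og#*.} ;;
        esac
        # find prints the path only if user, group and exact mode all match.
        if [ -z "$(find "$path" -prune -user "$owner" -group "$group" \
                   -perm "$mode" -print 2>/dev/null)" ]; then
            echo "DRIFT $path (expected $og $mode)"
            rc=1
        fi
    done < "$1"
    return "$rc"
}

# Constructed demo: two files owned by the current user, one of them with a
# looser mode than the sample profile allows, plus an entry for a missing file.
demo=$(mktemp -d)
me="$(id -un):$(id -gn)"
: > "$demo/messages"; chmod 640 "$demo/messages"
: > "$demo/secret";   chmod 644 "$demo/secret"
cat > "$demo/permissions.sample" <<EOF
# constructed sample profile
$demo/messages  $me  640
$demo/secret    $me  0600
$demo/missing   $me  755
EOF
check_permissions "$demo/permissions.sample" || echo "drift found"
rm -rf "$demo"
```

The check only reads file metadata; correcting the reported files is left to SuSEconfig as described above.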
