Class: Installation::SecuritySettings

Inherits:

Object

• Object
• Installation::SecuritySettings

Includes:

Yast::I18n, Yast::Logger

Defined in:

src/lib/installation/security_settings.rb

Overview

Class that stores the security proposal settings during installation.

Instance Attribute Summary

• #default_zone ⇒ Object

  [String] Name of the default zone where perform the changes.

• #enable_firewall ⇒ Object

  [Boolean] Whether the firewalld service will be enable.

• #enable_sshd ⇒ Object

  [Boolean] Whether the sshd service will be enable.

• #open_ssh ⇒ Object

  [Boolean] Whether the ssh port will be opened.

• #open_vnc ⇒ Object

  [Boolean] Whether the vnc port will be opened.

• #polkit_default_privileges ⇒ Object

  [String, nil] Setting for policy kit default privileges For more info see /etc/sysconfig/security#POLKIT_DEFAULT_PRIVS.

Class Method Summary

• .create_instance ⇒ Object

  Enforce a new clean instance.

• .instance ⇒ Object

  Singleton instance.

• .run ⇒ Object

Instance Method Summary

• #access_problem? ⇒ Boolean

  Return whether the current settings could be a problem for the user to login.

• #close_ssh! ⇒ Object

  Set the ssh port to be closed.

• #close_vnc! ⇒ Object

  Set the vnc port to be closed.

• #disable_firewall! ⇒ Object

  Remove the firewalld package from being installed and sets the firewalld service to be disabled.

• #disable_sshd! ⇒ Object

  Remove the openssh package from being installed and sets the sshd service to be disabled.

• #enable_firewall! ⇒ Object

  Add the firewall package to be installed and sets the firewalld service to be enabled.

• #enable_sshd! ⇒ Object

  Add the openssh package to be installed and sets the sshd service to be enabled.

• #human_polkit_privileges ⇒ Object
• #initialize ⇒ SecuritySettings constructor

  Constructor.

• #load_features ⇒ Object

  Load the default values defined in the control file.

• #lsm_config ⇒ Y2Security::LSM::Config

  The LSM config handler.

• #open_ssh! ⇒ Object

  Set the ssh port to be opened.

• #open_vnc! ⇒ Object

  Set the vnc port to be opened.

• #propose_lsm_config ⇒ Object

  When Linux Security Module is declared as configurable and there is no Module selected yet it will select the desired LSM and the needed patterns for it accordingly.

Constructor Details

#initialize ⇒ SecuritySettings

Constructor

# File 'src/lib/installation/security_settings.rb', line 45

def initialize
  textdomain "installation"
  Yast.import "PackagesProposal"
  Yast.import "ProductFeatures"
  Yast.import "Linuxrc"

  load_features
  enable_firewall! if @enable_firewall
  enable_sshd! if wanted_enable_sshd?
  open_ssh! if wanted_open_ssh?
  open_vnc! if wanted_open_vnc?
  propose_lsm_config
  # FIXME: obtain from Y2Firewall::Firewalld, control file or allow to
  # chose a different one in the proposal
  @default_zone = "public"
end

Instance Attribute Details

#default_zone ⇒ Object

[String] Name of the default zone where perform the changes

# File 'src/lib/installation/security_settings.rb', line 39

def default_zone
  @default_zone
end

#enable_firewall ⇒ Object

[Boolean] Whether the firewalld service will be enable

# File 'src/lib/installation/security_settings.rb', line 31

def enable_firewall
  @enable_firewall
end

#enable_sshd ⇒ Object

[Boolean] Whether the sshd service will be enable

# File 'src/lib/installation/security_settings.rb', line 33

def enable_sshd
  @enable_sshd
end

#open_ssh ⇒ Object

[Boolean] Whether the ssh port will be opened

# File 'src/lib/installation/security_settings.rb', line 35

def open_ssh
  @open_ssh
end

#open_vnc ⇒ Object

[Boolean] Whether the vnc port will be opened

# File 'src/lib/installation/security_settings.rb', line 37

def open_vnc
  @open_vnc
end

#polkit_default_privileges ⇒ Object

[String, nil] Setting for policy kit default privileges For more info see /etc/sysconfig/security#POLKIT_DEFAULT_PRIVS

# File 'src/lib/installation/security_settings.rb', line 42

def polkit_default_privileges
  @polkit_default_privileges
end

Class Method Details

.create_instance ⇒ Object

Enforce a new clean instance

# File 'src/lib/installation/security_settings.rb', line 231

def create_instance
  @instance = new
end

.instance ⇒ Object

Singleton instance

# File 'src/lib/installation/security_settings.rb', line 225

def instance
  create_instance unless @instance
  @instance
end

.run ⇒ Object

# File 'src/lib/installation/security_settings.rb', line 220

def run
  instance.run
end

Instance Method Details

#access_problem? ⇒ Boolean

Return whether the current settings could be a problem for the user to login

Returns:

• (Boolean) —

  true if the root user uses only public key authentication and the system is not accesible through ssh

# File 'src/lib/installation/security_settings.rb', line 145

def access_problem?
  # public key is not the only way
  return false unless only_public_key_auth

  # without running sshd it is useless
  return true unless @enable_sshd

  # firewall is up and port for ssh is not open
  @enable_firewall && !@open_ssh
end

#close_ssh! ⇒ Object

Set the ssh port to be closed

# File 'src/lib/installation/security_settings.rb', line 123

def close_ssh!
  log.info "Opening SSH port"
  self.open_ssh = false
end

#close_vnc! ⇒ Object

Set the vnc port to be closed

# File 'src/lib/installation/security_settings.rb', line 135

def close_vnc!
  log.info "Close VNC port"
  self.open_vnc = false
end

#disable_firewall! ⇒ Object

Remove the firewalld package from being installed and sets the firewalld service to be disabled

# File 'src/lib/installation/security_settings.rb', line 94

def disable_firewall!
  Yast::PackagesProposal.RemoveResolvables("firewall", :package, ["firewalld"])
  log.info "Disabling Firewall"
  self.enable_firewall = false
end

#disable_sshd! ⇒ Object

Remove the openssh package from being installed and sets the sshd service to be disabled

# File 'src/lib/installation/security_settings.rb', line 110

def disable_sshd!
  Yast::PackagesProposal.RemoveResolvables("firewall", :package, ["openssh"])
  log.info "Disabling SSHD"
  self.enable_sshd = false
end

#enable_firewall! ⇒ Object

Add the firewall package to be installed and sets the firewalld service to be enabled

# File 'src/lib/installation/security_settings.rb', line 85

def enable_firewall!
  Yast::PackagesProposal.AddResolvables("firewall", :package, ["firewalld"])

  log.info "Enabling Firewall"
  self.enable_firewall = true
end

#enable_sshd! ⇒ Object

Add the openssh package to be installed and sets the sshd service to be enabled

# File 'src/lib/installation/security_settings.rb', line 102

def enable_sshd!
  Yast::PackagesProposal.AddResolvables("firewall", :package, ["openssh"])
  log.info "Enabling SSHD"
  self.enable_sshd = true
end

#human_polkit_privileges ⇒ Object

# File 'src/lib/installation/security_settings.rb', line 156

def human_polkit_privileges
  {
    ""            => _("Default"),
    # TRANSLATORS: restrictive in sense the most restrictive policy
    "restrictive" => _("Restrictive"),
    "standard"    => _("Standard"),
    # TRANSLATORS: easy in sense the least restrictive policy
    "easy"        => _("Easy")
  }
end

#load_features ⇒ Object

Load the default values defined in the control file

# File 'src/lib/installation/security_settings.rb', line 63

def load_features
  load_feature(:enable_firewall, :enable_firewall)
  load_feature(:firewall_enable_ssh, :open_ssh)
  load_feature(:enable_sshd, :enable_sshd)
  load_feature(:polkit_default_privs, :polkit_default_privileges)
end

#lsm_config ⇒ Y2Security::LSM::Config

Returns the LSM config handler.

Returns:

• (Y2Security::LSM::Config) —

  the LSM config handler

# File 'src/lib/installation/security_settings.rb', line 168

def lsm_config
  Y2Security::LSM::Config.instance
end

#open_ssh! ⇒ Object

Set the ssh port to be opened

# File 'src/lib/installation/security_settings.rb', line 117

def open_ssh!
  log.info "Opening SSH port"
  self.open_ssh = true
end

#open_vnc! ⇒ Object

Set the vnc port to be opened

# File 'src/lib/installation/security_settings.rb', line 129

def open_vnc!
  log.info "Close VNC port"
  self.open_vnc = true
end

#propose_lsm_config ⇒ Object

When Linux Security Module is declared as configurable and there is no Module selected yet it will select the desired LSM and the needed patterns for it accordingly

# File 'src/lib/installation/security_settings.rb', line 72

def propose_lsm_config
  return unless lsm_config.configurable?
  return if lsm_config.selected

  lsm_config.propose_default
  # It will be set even if the proposal is not shown (e.g. configurable but not selectable)
  Yast::PackagesProposal.SetResolvables("LSM", :pattern, lsm_config.needed_patterns)
end