Class: Installation::SecuritySettings

Inherits:
Object
  • Object
Includes:
Yast::I18n, Yast::Logger
Defined in:
src/lib/installation/security_settings.rb

Overview

Class that stores the security proposal settings during installation.

Instance Attribute Summary collapse

Class Method Summary collapse

Instance Method Summary collapse

Constructor Details

#initialize ⇒ SecuritySettings

Constructor


# File 'src/lib/installation/security_settings.rb', line 45

# Builds the security proposal settings with their initial values.
#
# The order of the calls matters: the defaults are loaded first, and the
# enable_*!/open_*! helpers then run only for the settings that are wanted.
def initialize
  textdomain "installation"
  Yast.import "PackagesProposal"
  Yast.import "ProductFeatures"
  Yast.import "Linuxrc"

  # Load the defaults before anything acts on them; @enable_firewall is
  # presumably populated here (load_feature is not part of this listing).
  load_features
  # enable_firewall! also adds the firewalld package to the packages proposal.
  enable_firewall! if @enable_firewall
  # NOTE(review): the wanted_*? predicates are defined outside this listing, so
  # the inputs that decide whether sshd, ssh and vnc get enabled/opened cannot
  # be confirmed from here.
  enable_sshd! if wanted_enable_sshd?
  open_ssh! if wanted_open_ssh?
  open_vnc! if wanted_open_vnc?
  propose_lsm_config
  # FIXME: obtain from Y2Firewall::Firewalld, control file or allow to
  # choose a different one in the proposal
  @default_zone = "public"
end

Instance Attribute Details

#default_zone ⇒ Object

[String] Name of the default zone where the changes are performed


# File 'src/lib/installation/security_settings.rb', line 39

# Plain reader for the default zone.
#
# @return [String] name of the default zone where the changes are performed;
#   the constructor sets it to "public"
def default_zone
  @default_zone
end

#enable_firewall ⇒ Object

[Boolean] Whether the firewalld service will be enabled


# File 'src/lib/installation/security_settings.rb', line 31

# Plain reader for the firewall flag.
#
# @return [Boolean] whether the firewalld service will be enabled
def enable_firewall
  @enable_firewall
end

#enable_sshd ⇒ Object

[Boolean] Whether the sshd service will be enabled


# File 'src/lib/installation/security_settings.rb', line 33

# Plain reader for the sshd flag.
#
# @return [Boolean] whether the sshd service will be enabled
def enable_sshd
  @enable_sshd
end

#open_ssh ⇒ Object

[Boolean] Whether the ssh port will be opened


# File 'src/lib/installation/security_settings.rb', line 35

# Plain reader for the ssh port flag.
#
# @return [Boolean] whether the ssh port will be opened
def open_ssh
  @open_ssh
end

#open_vnc ⇒ Object

[Boolean] Whether the vnc port will be opened


# File 'src/lib/installation/security_settings.rb', line 37

# Plain reader for the vnc port flag.
#
# @return [Boolean] whether the vnc port will be opened
def open_vnc
  @open_vnc
end

#polkit_default_privileges ⇒ Object

[String, nil] Setting for the policy kit default privileges. For more info see /etc/sysconfig/security#POLKIT_DEFAULT_PRIVS


# File 'src/lib/installation/security_settings.rb', line 42

# Plain reader for the polkit default privileges setting.
#
# @return [String, nil] setting for the policy kit default privileges; see
#   POLKIT_DEFAULT_PRIVS in /etc/sysconfig/security
def polkit_default_privileges
  @polkit_default_privileges
end

Class Method Details

.create_instance ⇒ Object

Enforce a new clean instance


# File 'src/lib/installation/security_settings.rb', line 231

# Enforces a new clean instance, replacing whatever singleton was stored before.
#
# @return [Object] the newly built instance
def create_instance
  # `new` runs the constructor again, so the stored object starts from the
  # constructor's initial values rather than from the previous instance's state.
  @instance = new
end

.instance ⇒ Object

Singleton instance


# File 'src/lib/installation/security_settings.rb', line 225

# Singleton accessor: hands back the stored instance, building it on first use.
#
# @return [Object] the stored singleton instance
def instance
  return @instance if @instance

  # Nothing stored yet: let create_instance build and store one, then read it back.
  create_instance
  @instance
end

.run ⇒ Object


# File 'src/lib/installation/security_settings.rb', line 220

# Class-level shortcut that forwards to #run on the singleton instance.
#
# NOTE(review): the instance-level #run is not part of this listing — confirm
# what it does and returns.
def run
  instance.run
end

Instance Method Details

#access_problem? ⇒ Boolean

Returns whether the current settings could prevent the user from logging in

Returns:

  • (Boolean)

    true if the root user uses only public key authentication and the system is not accessible through ssh


# File 'src/lib/installation/security_settings.rb', line 145

# Tells whether the current settings could leave the user unable to log in.
#
# The check only applies when public key authentication is the sole login
# method: in that case a stopped sshd, or an enabled firewall with the ssh
# port closed, is reported as a problem.
#
# @return [Boolean] true if the root user uses only public key authentication
#   and the system is not accessible through ssh
def access_problem?
  if !only_public_key_auth
    # another way to authenticate exists, so ssh reachability is not decisive
    false
  elsif !@enable_sshd
    # a public key is of no use when sshd is not running
    true
  else
    # sshd runs: the remaining obstacle is a firewall with the ssh port closed
    @enable_firewall && !@open_ssh
  end
end

#close_ssh! ⇒ Object

Set the ssh port to be closed


# File 'src/lib/installation/security_settings.rb', line 123

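# Set the ssh port to be closed
#
# @return [Boolean] false, the value assigned to open_ssh
def close_ssh!
  # The message must name the action actually taken. The previous text said
  # "Opening", which made the log contradict the resulting ssh port setting.
  log.info "Closing SSH port"
  self.open_ssh = false
end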

#close_vnc! ⇒ Object

Set the vnc port to be closed


# File 'src/lib/installation/security_settings.rb', line 135

# Set the vnc port to be closed
#
# Only the open_vnc attribute of this settings object is changed here.
#
# @return [Boolean] false, the value assigned to open_vnc
def close_vnc!
  log.info "Close VNC port"
  self.open_vnc = false
end

#disable_firewall! ⇒ Object

Removes the firewalld package from being installed and sets the firewalld service to be disabled


# File 'src/lib/installation/security_settings.rb', line 94

# Removes the firewalld package from being installed and sets the firewalld
# service to be disabled.
#
# @return [Boolean] false, the value assigned to enable_firewall
def disable_firewall!
  # Withdraw the package that enable_firewall! adds under the same "firewall" ID.
  Yast::PackagesProposal.RemoveResolvables("firewall", :package, ["firewalld"])
  log.info "Disabling Firewall"
  self.enable_firewall = false
end

#disable_sshd! ⇒ Object

Removes the openssh package from being installed and sets the sshd service to be disabled


# File 'src/lib/installation/security_settings.rb', line 110

# Removes the openssh package from being installed and sets the sshd service
# to be disabled.
#
# @return [Boolean] false, the value assigned to enable_sshd
def disable_sshd!
  # NOTE(review): the first argument is "firewall", the same value the
  # firewalld calls pass, although the package here is openssh — confirm
  # that sharing it is intended.
  Yast::PackagesProposal.RemoveResolvables("firewall", :package, ["openssh"])
  log.info "Disabling SSHD"
  self.enable_sshd = false
end

#enable_firewall! ⇒ Object

Adds the firewall package to be installed and sets the firewalld service to be enabled


# File 'src/lib/installation/security_settings.rb', line 85

# Adds the firewalld package to be installed and sets the firewalld service
# to be enabled.
#
# @return [Boolean] true, the value assigned to enable_firewall
def enable_firewall!
  # The package is added first, so the enabled service has its package proposed.
  Yast::PackagesProposal.AddResolvables("firewall", :package, ["firewalld"])

  log.info "Enabling Firewall"
  self.enable_firewall = true
end

#enable_sshd! ⇒ Object

Adds the openssh package to be installed and sets the sshd service to be enabled


# File 'src/lib/installation/security_settings.rb', line 102

# Adds the openssh package to be installed and sets the sshd service to be
# enabled.
#
# @return [Boolean] true, the value assigned to enable_sshd
def enable_sshd!
  # NOTE(review): the first argument is "firewall", the same value the
  # firewalld calls pass, although the package here is openssh — confirm
  # that sharing it is intended.
  Yast::PackagesProposal.AddResolvables("firewall", :package, ["openssh"])
  log.info "Enabling SSHD"
  self.enable_sshd = true
end

#human_polkit_privileges ⇒ Object


# File 'src/lib/installation/security_settings.rb', line 156

# Maps each polkit default privileges value to its translated label.
#
# The entries are inserted in the order "", "restrictive", "standard", "easy".
#
# @return [Hash] setting value (String) => label as returned by _()
def human_polkit_privileges
  labels = {}
  labels[""] = _("Default")
  # TRANSLATORS: restrictive in sense the most restrictive policy
  labels["restrictive"] = _("Restrictive")
  labels["standard"] = _("Standard")
  # TRANSLATORS: easy in sense the least restrictive policy
  labels["easy"] = _("Easy")
  labels
end

#load_features ⇒ Object

Load the default values defined in the control file


# File 'src/lib/installation/security_settings.rb', line 63

# Load the default values defined in the control file
#
# Every pair is handed to load_feature in the order listed. The pairs are
# presumably (control file feature, attribute to fill) — load_feature is
# defined outside this listing, so confirm there.
#
# @return [Object] whatever the last load_feature call returns
def load_features
  pairs = [
    %i[enable_firewall enable_firewall],
    %i[firewall_enable_ssh open_ssh],
    %i[enable_sshd enable_sshd],
    %i[polkit_default_privs polkit_default_privileges]
  ]
  # .last keeps the return value equal to the result of the final call
  pairs.map { |feature, attribute| load_feature(feature, attribute) }.last
end

#lsm_config ⇒ Y2Security::LSM::Config

Returns the LSM config handler.

Returns:

  • (Y2Security::LSM::Config)

    the LSM config handler


# File 'src/lib/installation/security_settings.rb', line 168

# Returns the LSM config handler.
#
# The handler is fetched through Y2Security::LSM::Config.instance on every
# call; nothing is cached in this object.
#
# @return [Y2Security::LSM::Config] the LSM config handler
def lsm_config
  Y2Security::LSM::Config.instance
end

#open_ssh! ⇒ Object

Set the ssh port to be opened


# File 'src/lib/installation/security_settings.rb', line 117

# Set the ssh port to be opened
#
# Only the open_ssh attribute of this settings object is changed here.
#
# @return [Boolean] true, the value assigned to open_ssh
def open_ssh!
  log.info "Opening SSH port"
  self.open_ssh = true
end

#open_vnc! ⇒ Object

Set the vnc port to be opened


# File 'src/lib/installation/security_settings.rb', line 129

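# Set the vnc port to be opened
#
# @return [Boolean] true, the value assigned to open_vnc
def open_vnc!
  # The message must name the action actually taken. The previous text said
  # "Close", which hid from the log that the vnc port was being opened.
  log.info "Opening VNC port"
  self.open_vnc = true
end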

#propose_lsm_config ⇒ Object

When the Linux Security Module is declared as configurable and no module is selected yet, it selects the desired LSM and the patterns needed for it


# File 'src/lib/installation/security_settings.rb', line 72

# Proposes the default Linux Security Module when the LSM is configurable and
# none has been selected yet, and registers the patterns that module needs.
#
# @return [Object, nil] nil when nothing is proposed, otherwise the result of
#   the SetResolvables call
def propose_lsm_config
  # Nothing to do when the LSM cannot be configured or one is already chosen.
  return if !lsm_config.configurable? || lsm_config.selected

  lsm_config.propose_default
  # It will be set even if the proposal is not shown (e.g. configurable but not selectable)
  Yast::PackagesProposal.SetResolvables(
    "LSM",
    :pattern,
    lsm_config.needed_patterns
  )
end