
Thread: Security check №.2 (Yast)

  1. #1

    Security check №.2 (Yast)

    Hi,
    So I check security of a non-complex system via Yast.
    https://imgur.com/a/eUb5B
    https://imgur.com/a/wX1sL
    Secure file permissions make you enter root password more times.
    I don't know what is Ok for DHCP daemon? It is probably not installed.

    Yast also warns about additional services. It seems that Susefirewall init should be on. Bumblebeed is probably not a problem, and Yast is just being too strict? Actually it showed another service, getty(insert number here). I followed its instructions and turned off getty(something). Search didn't help in finding out what the default getty service is.
    Thanks in advance.

    p.s. forums don't let me upload img files!

  2. #2
    Join Date
    Jun 2008
    Location
    Netherlands
    Posts
    25,274

    Re: Security check №.2 (Yast)

    Quote Originally Posted by rockin

    p.s. forums don't let me upload img files!
    We have a place to put them: http://paste.opensuse.org. Right-upper choose Image.

    BTW. You are mentioning a lot of things in your post, but it is not clear to me what the different items are (one long text without much formatting) and if they are problems for which you want help or not.
    Henk van Velden

  3. #3
    Join Date
    Aug 2010
    Location
    Chicago suburbs
    Posts
    12,784
    Blog Entries
    3

    Re: Security check №.2 (Yast)

    Quote Originally Posted by rockin
    Hi,
    So I check security of a non-complex system via Yast.
    But you failed to say how. So it isn't clear what is being checked.

    I don't know what is Ok for DHCP daemon? It is probably not installed.
    On my 42.3 system, dhcp (or "/usr/lib/wicked/bin/wickedd-dhcp4") is running as root. I'm not concerned about this on a private LAN.

    It seems that Susefirewall init should be on.
    As far as I know, SuSEfirewall2_init runs once early during boot. It is to protect the system during system initialization. Later, SuSEfirewall2 runs to set up the firewall configuration for normal runtime.
    openSUSE Leap 15.1; KDE Plasma 5;
    testing Leap 15.2Alpha

  4. #4

    Re: Security check №.2 (Yast)

    Right, I forgot about paste.opensuse.org. You can see Yast pictures though (imgur).
    Here's the output regarding dhcp:
    Code:
    zypper se dhcp
    Loading repository data...
    Reading installed packages...
    
    S | Name                              | Summary                     | Type      
    --+-----------------------------------+-----------------------------+-----------
    i | dhcp                              | Common Files Used by ISC -> | package   
      | dhcp                              | Common Files Used by ISC -> | srcpackage
    i | dhcp-client                       | ISC DHCP Client             | package   
      | dhcp-devel                        | Header Files and Librarie-> | package   
      | dhcp-doc                          | Documentation               | package   
      | dhcp-relay                        | ISC DHCP Relay Agent        | package   
      | dhcp-server                       | ISC DHCP Server             | package   
      | dhcp-tools                        | DHCP Tools                  | package   
      | dhcp_dns_server                   | DHCP and DNS Server         | pattern   
      | dhcpdetector                      | Discovers DHCP servers on-> | package   
      | dhcpdetector                      | Discovers DHCP servers on-> | srcpackage
      | monitoring-plugins-dhcp           | Check DHCP servers          | package   
      | patterns-openSUSE-dhcp_dns_server | DHCP and DNS Server         | package   
      | udhcp                             | Micro DHCP client / server  | package   
      | yast2-dhcp-server                 | YaST2 - DHCP Server Confi-> | package
    2 packages installed.

    Why does this next thing happen then?
    Code:
    service --status-all
    smartd.service                                                                                  loaded active running Self Monitoring and Reporting Technology (SMART) Daemon
    SuSEfirewall2.service                                                                           loaded active exited  SuSEfirewall2 phase 2
    SuSEfirewall2_init.service                                                                      loaded active exited  SuSEfirewall2 phase 1
    smartd is running, like other services, while Susefirewall2 has "exited". If SuSEfirewall2_init exits, why does SuSEfirewall2 do this too? Maybe it leaves some "fingerprint" for your system safety and then exits. I'm too much of a newbie to tell why they are "exited".

    Yast GUI shows those images and also that Firewall is running. So, there are red crosses in "Security center and Hardening".
    Code:
    Run the DHCP daemon in a chroot
    Run the DHCP daemon as dhcp user
    The current value could not be read. The service is probably not installed or the option is missing on the system.
    Code:
    Upon startup, the system time is being set from the hardware clock of the computer. As a consequence, setting the hardware clock before shutting down is necessary.Consistent system time is essential for the system to create correct log messages.
    The current value could not be read. The service is probably not installed or the option is missing on the system.

    To sum up:
    Are these particular red crosses on pictures worth fixing? zypper dhcp output is here too. Eh, I did it for fans of paste! https://paste.opensuse.org/72022863 https://paste.opensuse.org/96972049
    Why has Susefirewall2 exited?
    Is the hardware clock necessary?

    Thanks in advance

  5. #5
    Join Date
    Jun 2008
    Location
    Netherlands
    Posts
    25,274

    Re: Security check №.2 (Yast)

    About the firewall case, re-read what nrickert explained.

    One is setting the firewall IP rules at the very beginning to some default safe situation, the other later sets what is configured. Maybe you think that the firewall only functions when some daemon is running. This is not the case. The IP rules are in the kernel. Once set they apply until changed or until the kernel stops running at shutdown.
    Henk van Velden
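
The point made in the post above, as an added example that is not part of the thread or of openSUSE's tooling: a unit in state "active exited" is a one-shot job that has finished, and what shows whether filtering is in place is the ruleset held by the kernel. The function names and the sample `iptables-save` text are constructed for illustration.

```shell
#!/bin/sh
# Added example: relate "active exited" firewall units to the rules in the kernel.

# Constructed sample of `iptables-save` output (not taken from the thread).
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'

# classify_unit LINE: interpret one `systemctl list-units` line
# (fields: UNIT LOAD ACTIVE SUB DESCRIPTION...).
classify_unit() {
    printf '%s\n' "$1" | {
        read -r _unit _load active sub _desc
        case "$active/$sub" in
            active/running) echo "daemon-running" ;;  # long-lived process
            active/exited)  echo "oneshot-done" ;;    # ran once, finished cleanly
            failed/*)       echo "failed" ;;
            inactive/*)     echo "not-started" ;;
            *)              echo "other" ;;
        esac
    }
}

# ruleset_summary: read iptables-save text on stdin and print
# "<INPUT policy> <number of filter-table rules>".
ruleset_summary() {
    awk '
        /^\*/                           { table = substr($0, 2) }
        table == "filter" && /^:INPUT / { policy = $2 }
        table == "filter" && /^-A /     { n++ }
        END { printf "%s %d\n", (policy == "" ? "none" : policy), n }
    '
}

# firewall_verdict LINE: combine the unit state with the ruleset read from stdin.
firewall_verdict() {
    state=$(classify_unit "$1")
    summary=$(ruleset_summary)
    if [ "${summary#* }" -gt 0 ]; then
        echo "rules-loaded ($summary), unit $state"
    else
        echo "no-rules ($summary), unit $state"
    fi
}
```

On a live system, as root: `iptables-save | firewall_verdict "$(systemctl list-units --plain --no-legend SuSEfirewall2.service)"`.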

  6. #6
    Join Date
    Jun 2008
    Location
    Netherlands
    Posts
    25,274

    Re: Security check №.2 (Yast)

    Quote Originally Posted by rockin
    Are these particular red crosses on pictures worth fixing?
    They are reporting statuses, like the green Vs. They are not things that should be fixed. Like always, you should decide what the result is of the weighing off of security against usability.
    Henk van Velden

  7. #7

    Re: Security check №.2 (Yast)

    Quote Originally Posted by hcvv
    The IP rules are in the kernel. Once set they apply until changed or until the kernel stops running at shutdown.
    Not a daemon, but a kernel. Thanks

    (Red indicators as those are not that important then)

  8. #8
    Join Date
    Jun 2008
    Location
    Netherlands
    Posts
    25,274

    Re: Security check №.2 (Yast)

    Quote Originally Posted by rockin
    Red indicators as those are not that important then
    They are, but the system manager (you) must decide which hardening to do on the system. And that depends on many things. Like is it a home system behind a router with firewall functionality or is it directly serving on the internet. What sort of users do you have (only you and your wife or hacking-happy students), etc., etc.
    Henk van Velden
