Security check №.2 (Yast)

So I check security of a non-complex system via Yast.
Secure file permissions make you enter root password more times.
I don’t know what is Ok for DHCP daemon? It is probably not installed.

Yast also warns about additional services. It seems that Susefirewall init should be on. Bumblebeed is probably not a problem, and Yast is just being too strict? Actually It showed another sevice getty(insert number here). I followed it’s instructions and turned off getty(something). Search didn’t help in finding out, what is default getty service.
Thanks in advance.

p.s. forums don’t let me upload img files!

We have a place to put them: Right-upper choose Image.

BTW. You are mentioning a lot of things in your post, but it is not clea rto me what the different items are (one long text without much formatting) and if they are problems for where you want help for or not.

But you failed to say how. So it isn’t clear what is being checked.

I don’t know what is Ok for DHCP daemon? It is probably not installed.

On my 42.3 system, dhcp (or “/usr/lib/wicked/bin/wickedd-dhcp4”) is running as root. I’m not concerned about this on a private LAN.

It seems that Susefirewall init should be on.

As far as I know, SuSEfirewall2_init runs once early during boot. It is to protect the system during system initialization. Later, SuSEfirewall2 runs to setup the firewall configuration for normal runtime.

Right, I forgot about You can see Yast pictures though (imgur).
Here’s the output regarding dhcp:

zypper se dhcp
Loading repository data...
Reading installed packages...

S | Name                              | Summary                     | Type      
i | dhcp                              | Common Files Used by ISC -> | package   
  | dhcp                              | Common Files Used by ISC -> | srcpackage
i | dhcp-client                       | ISC DHCP Client             | package   
  | dhcp-devel                        | Header Files and Librarie-> | package   
  | dhcp-doc                          | Documentation               | package   
  | dhcp-relay                        | ISC DHCP Relay Agent        | package   
  | dhcp-server                       | ISC DHCP Server             | package   
  | dhcp-tools                        | DHCP Tools                  | package   
  | dhcp_dns_server                   | DHCP and DNS Server         | pattern   
  | dhcpdetector                      | Discovers DHCP servers on-> | package   
  | dhcpdetector                      | Discovers DHCP servers on-> | srcpackage
  | monitoring-plugins-dhcp           | Check DHCP servers          | package   
  | patterns-openSUSE-dhcp_dns_server | DHCP and DNS Server         | package   
  | udhcp                             | Micro DHCP client / server  | package   
  | yast2-dhcp-server                 | YaST2 - DHCP Server Confi-> | package   

2 packages installed.

Why does this next thing happen then?

service --status-all
smartd.service                                                                                  loaded active running Self Monitoring and Reporting Technology (SMART) Daemon
SuSEfirewall2.service                                                                           loaded active exited  SuSEfirewall2 phase 2
SuSEfirewall2_init.service                                                                      loaded active exited  SuSEfirewall2 phase 1

smartd is running, as other services, while Susefirewall2 has “exited”. If SuSEfirewall2_init exits, why SuSEfirewall2 does this too? Maybe it leaves some “fingerprint” for your system safety and then exits. I’m a newbie to tell why they are “exited”.

Yast GUI shows those images and also that Firewall is running. So, there are red crosses in “Security center and Hardening”.

Run the DHCP daemon in a chroot
Run the DHCP daemon as dhcp user
The current value could not be read. The service is probably not installed or the option is missing on the system.
Upon startup, the system time is being set from the hardware clock of the computer. As a consequence, setting the hardware clock before shutting down is necessary.Consistent system time is essential for the system to create correct log messages.
The current value could not be read. The service is probably not installed or the option is missing on the system.

To sum up:
Are these particular red crosses on pictures worth fixing? zypper dhcp output is here too. Eh, I did it for fans of paste!
Why Susefirewall2 has exited?
Is the hardware clock neccesary?

Thanks in advance

About the firewall case, re-read what nrickert explained.

One is setting the firewall IP rules at the very beginning to some default safe situation, the other later sets what is configured. Maybe you think that the firewall only functions when some daemon is running. This is not the case. The IP rules are in the kernel. Once set they apply until changed or until the kernel stops running at shutdown.

They are reporting statuses, like the green Vs. They are not things that should be fixed. Like always, you should decide what the result is of the weighing off of security against usability.

Not a daemon, but a kernel. Thanks

(Red indicators as those are not that important then)

They are, but the system manager (you) must decide which hardening to do on the sytem. And that depends on many things. Like is it a home system behind a router with firewall functionality or is it directly serving on the internet. What sort of users do you have (only you and your wife or hacking happy students), etc., etc.