/src/include/security/helps.rb
# encoding: utf-8

# ------------------------------------------------------------------------------
# Copyright (c) 2006-2012 Novell, Inc. All Rights Reserved.
#
#
# This program is free software; you can redistribute it and/or modify it under
# the terms of version 2 of the GNU General Public License as published by the
# Free Software Foundation.
#
# This program is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
# FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along with
# this program; if not, contact Novell, Inc.
#
# To contact Novell about this file by physical or electronic mail, you may find
# current contact information at www.novell.com.
# ------------------------------------------------------------------------------

# File:        include/security/helps.ycp
# Module:        Security configuration
# Summary:        Helps definition
# Authors:        Michal Svec <msvec@suse.cz>
#
# $Id$
#
# This file contains all helps for the security module screens.
# They are in one huge map called HELPS.
module Yast
  # Help texts for the security module dialogs. Mixed into the dialog code
  # via initialize_security_helps, which fills two instance variables:
  # @HELPS (per-dialog help, keyed by dialog name) and @help_mapping
  # (per-setting help, keyed by the setting's identifier).
  module SecurityHelpsInclude
    # Builds @HELPS and @help_mapping.
    #
    # Every string goes through _() under the "security" textdomain, so the
    # literal text -- including whitespace and "\n" -- is the lookup key for
    # its translation. Re-wrapping or rewording a string here silently changes
    # that key; the adjacent-literal "\" continuation only splits the source,
    # not the resulting key.
    #
    # @param include_target [Object] the object including this module (YaST
    #   include convention); not referenced in this method
    # @return [Hash] value of the last assignment (@help_mapping); callers
    #   presumably read the instance variables rather than the return value
    def initialize_security_helps(include_target)
      textdomain "security"

      # Used by boot_dialog_help below, which runs while @HELPS is being built,
      # so this assignment must stay ahead of the hash literal.
      @display_manager = Security.display_manager

      # All helps are here. Values are rich text (HTML-like markup rendered by
      # the UI); multi-paragraph help is assembled with + from several _() calls
      # so each paragraph is translated on its own.
      @HELPS = {
        # Read dialog help 1/2
        "read"           => _(
          "<p><b><big>Initializing Security Configuration</big></b>\n<br>Please wait...<br></p>"
        ) +
          # Read dialog help 2/2
          _(
            "<p><b><big>Aborting the Initialization</big></b><br>\nSafely abort the configuration utility by pressing <b>Abort</b> now.</p>"
          ),
        # Write dialog help 1/2
        "write"          => _(
          "<p><b><big>Saving Security Configuration</big></b>\n<br>Please wait...<br></p>"
        ) +
          # Write dialog help 2/2
          _(
            "<p><b><big>Aborting Saving</big></b><br>\nAbort the save procedure by pressing <b>Abort</b>.</p>"
          ),
        # Boot dialog help 1/4 -- computed eagerly here (not lazily), so it
        # reflects the @display_manager value at init time.
        "boot"           => boot_dialog_help,
        # Main dialog help 1/8
        "main"           => _(
          "<P><BIG><B>Configuring Local Security</B></BIG></P>\n" \
            "<p>Using predefined defaults, change the local security settings, which include\n" \
            "    booting, login, password, user creation, and file permissions. The default\n" \
            "    settings can be modified as needed.\n" \
            "</p>"
        ) +
          # Main dialog help 5/8
          _(
            "<p><b>Workstation</b>: For a computer connected\nto any type of network including the Internet.</p>"
          ) +
          # Main dialog help 6/8
          _(
            "<p><b>Roaming Device</b>: For a laptop, tablet or similar device\nthat connects to different networks.</p>"
          ) +
          # Main dialog help 7/8
          _(
            "<p><b>Network Server</b>: For a computer that provides\nany type of service.</p>"
          ) +
          # Main dialog help 8/8
          _("<p><b>Custom Settings</b>: Create your own configuration.</p>"),
        # Login dialog help 1/4
        "login"          => _(
          "<p><big><b>Login Security</b></big></p>\n" \
            "<p>These login settings\n" \
            "are mainly stored in the /etc/login.defs file.</p>"
        ) +
          # Login dialog help 2/4
          _(
            "<p><b>Delay after Incorrect Login Attempt:</b>\n" \
              "It is advisable to wait some time after an incorrect login attempt to prevent\n" \
              "password guessing. Make the time small enough that users do not need to wait to\n" \
              "retry if a password is mistyped. A sensible value is three seconds (<tt>3</tt>).</p>"
          ) +
          # Login dialog help 3/4
          _(
            "<p><b>Record Successful Login Attempts:</b> Logging successful login\n" \
              "attempts is useful. It can warn you of unauthorized access to the\n" \
              "system (for example, a user logging in from a different location than usual).\n" \
              "</p>\n"
          ) +
          # Login dialog help 4/4 -- same concern that @help_mapping describes
          # in more detail under "DISPLAYMANAGER_REMOTE_ACCESS" (XDMCP).
          _(
            "<p><b>Allow Remote Graphical Login:</b> Checking this allows access\n" \
              "to a graphical login screen for this machine over the network. Remote access\n" \
              "to your machine using a display manager might be a security risk.</p>"
          ),
        # Password dialog help 1/8
        "password"       => _(
          "<p>These password settings\nare mainly stored in the /etc/login.defs file.</p>"
        ) +
          # Password dialog help 2/8
          _(
            "<p><b>Check New Passwords</b>: It is wise to choose a password that\n" \
              "cannot be found in a dictionary and is not a name or other simple, common word.\n" \
              "By checking the box, enforce password checking in regard to these rules.</p>"
          ) +
          # Password dialog help 3/8
          _(
            "<p><b>Minimum Acceptable Password Length:</b>\n" \
              "The minimum acceptable size for the new password reduced by the number\n" \
              "of different character classes (other, upper, lower and digit) used in the new\n" \
              "password. See man pam_cracklib for a more detailed explanation.\n" \
              "This option can only be modified when <b>Check New Passwords</b> is set.</p>"
          ) +
          # Password dialog help 4/8
          _(
            "<p><b>Passwords to Remember</b>:\n" \
              "Enter the number of user passwords to store and prevent the user from reusing.\n" \
              "Enter 0 if passwords should not be stored.</p>"
          ) +
          # Password dialog help 5a/8
          _("<p><b>Password Encryption Method:</b></p>") +
          # Password dialog help 5b/8
          # NOTE(review): this paragraph still calls DES "the Linux default
          # method", which the SHA-512 paragraph (5d/8) below contradicts.
          # Rewording it changes the translation key, so it needs a catalog
          # update rather than an in-place edit.
          _(
            "<p><b>DES</b>, the Linux default method, works in all network environments,\n" \
              "but it restricts you to passwords no longer than eight characters. If you need\n" \
              "compatibility with other systems, use this method.</p>"
          ) +
          # Password dialog help 5c/8
          _(
            "<p><b>MD5</b> allows longer passwords and is supported by all current Linux \ndistributions, but not by other systems or old software.</p>"
          ) +
          # Password dialog help 5d/8
          _(
            "<p><b>SHA-512</b> is the current standard hash method, using other algorithms is not recommended unless needed for compatibility purpose.</p>"
          ) +
          # Password dialog help 7/8
          _(
            "<p><b>Password Age:</b> Set the minimum and\nmaximum number of days a password may be used.</p>"
          ) +
          # Password dialog help 8/8
          _(
            "<p><b>Days before Password Expires Warning</b>: This entry sets the\n" \
              "number of days users are warned before their passwords expire. The longer the\n" \
              "time, the less likely it is that someone can guess passwords.</p>"
          ),
        # Adduser dialog help 1/3
        "adduser"        => _(
          "<p><big><b>User Security</b></big></P>\n<p>In this dialog, change various settings used to create users.</p>"
        ) +
          # Adduser dialog help 2/3
          _(
            "<p><b>User ID Limitations:</b>\nSet the minimum and maximum possible user ID.</p>"
          ) +
          # Adduser dialog help 3/3
          _(
            "<p><b>Group ID Limitations</b>:\nSet the minimum and maximum possible group ID.</p>"
          ),
        # Misc dialog help 1/14
        "misc"           => _(
          "<p><big><b>Other Security Settings</b></big></P>\n<p>In this dialog, change miscellaneous settings related to local security.</p>"
        ) +
          # Misc dialog help 2/14
          _(
            "<p><b>File Permissions</b>: Settings for the permissions\n" \
              "of certain system files are set according to the data in /etc/permissions.secure\n" \
              "or /etc/permissions.easy. Which file is used depends on this selection.\n" \
              "Launching SuSEconfig sets these permissions according to /etc/permissions.*.\n" \
              "This fixes files with incorrect permissions, whether this occurred accidentally\n" \
              "or by intruders.</p><p>\n" \
              "With <b>Easy</b>, most of the system files that are only readable by root\n" \
              "in Secure are modified so other users can also read these files.\n" \
              "Using <b>Secure</b>, certain system files, such as /var/log/messages, can only\n" \
              "be viewed by the user root. Some programs can only be launched by root or by\n" \
              "daemons, not by ordinary users.\n" \
              "The most secure setting is <b>Paranoid</B>. With it, you must\n" \
              "decide which users are able to run X applications and setuid programs.</p>\n"
          ) +
          # Misc dialog help 6/14
          _(
            "<p><b>User Launching updatedb</b>: The program updatedb runs \n" \
              "once a day. It scans your entire file system and creates a database (locatedb)\n" \
              "that stores the location of every file. The database can be searched by the\n" \
              "program \"locate\".  Here, set the user that runs this command: <b>nobody</b>\n" \
              "    (few files) or <b>root</b> (all files).</p>"
          ) +
          # Misc dialog help 10/14
          _(
            "<p><b>Current Directory in root's Path</b> On a DOS system,\n" \
              "the system first searches for executable files (programs) in the current\n" \
              "directory then in the current path variable. In contrast, a UNIX-like system\n" \
              "searches for them exclusively via the search path (variable PATH).</p>"
          ) +
          # Misc dialog help 11/14
          _(
            "<p><b>Current Directory in the Path of Regular Users</b><br> A DOS\n" \
              "system first searches for executable files (programs) in the current directory\n" \
              "then in the current path variable. In contrast, a UNIX-like system searches\n" \
              "for them exclusively via the search path (variable PATH).</p>"
          ) +
          # Misc dialog help 12/14 -- shared explanation for both "current
          # directory in PATH" options above.
          _(
            "<p>Some systems set up a work-around by adding the dot (\".\") to the\n" \
              "search path, enabling files in the current path to be found and executed.\n" \
              "This is highly dangerous because you may accidentally launch unknown programs in\n" \
              "the current directory instead of the usual systemwide files. As a result,\n" \
              "executing <i>Trojan Horses</i>, which exploit this weakness and invade your system,\n" \
              "is rather easy if you set this option.</p>"
          ) +
          # Misc dialog help 13/14
          _(
            "<p>\"yes\": the dot (\".\") is attached to the end of the search\npath of root, making it the last to be searched.</p>"
          ) +
          # Misc dialog help 14/14
          _(
            "<p>\"no\": the user root always must launch programs in the\ncurrent directory prefixed with a \"./\". Example: \"./configure\".</p>"
          ) +
          # Misc dialog help: Magic SysRq keys (the original numbering labels
          # this paragraph 14/14 as well)
          _(
            "<p><b>Enable Magic SysRq Keys</b><br> If you check this option, you\n" \
              "will have some control over the system even if it crashes (for example, during kernel\n" \
              "debugging). For details, see /usr/src/linux/Documentation/sysrq.txt</p>"
          ),
        # help text: security overview dialog 1/3
        "overview"       => _(
          "<P><B>Security Overview</B><BR>This overview shows the most important security settings.</P>"
        ) +
          # help text: security overview dialog 2/3
          _(
            "<P>To change the current value, click the link associated to the option.</P>"
          ) +
          # help text: security overview dialog 3/3
          _(
            "<P> A check mark in the <B>Security Status</B> column means that the current value of the option is secure.</P>"
          ),
        # an error message (rich text), shown when a setting's current value
        # cannot be determined
        "unknown_status" => _(
          "<P><B>The current value could not be read. The service is probably not installed or the option is missing on the system.</B></P>"
        )
      }

      # Per-setting help, keyed by the setting identifier (sysconfig variable
      # names and sysctl keys, judging by their form). Each value explains why
      # the "secure" choice for that setting is the recommended one.
      @help_mapping = {
        "DISPLAYMANAGER_REMOTE_ACCESS"              => _(
          "<P>A display manager provides a graphical login screen and can be accessed\n" \
            "across the network by an X server running on another system if so\n" \
            "configured.</P><P>The windows that are being displayed would then transmit\n" \
            "their data across the network. If that network is not fully trusted, then the\n" \
            "network traffic can be eavesdropped by an attacker, gaining access not only to\n" \
            "the graphical content of the display, but also to usernames and passwords that\n" \
            "are being used.</P><P>If you do not need <EM>XDMCP</EM> for remote graphical\n" \
            "logins, then disable this option.</P>"
        ),
        "SYSLOG_ON_NO_ERROR"                        => _(
          "<P>Malfunctions in a system are usually detected by anomalies in its behaviour. Syslog messages about events that reoccur on a regular basis are important to find causes of problems. And the absence of a single record can tell more than the absence of all log records.</P><P>Therefore, syslog messages of system events are only useful if they are present.</P>"
        ),
        "DHCPD_RUN_CHROOTED"                        => _(
          "<P>Chroot execution environments restrict a process to only access files that it needs by placing them in a separate subdirectory and running the process with a changed root (chroot) set to that directory.</P>"
        ),
        "DHCPD_RUN_AS"                              => _(
          "<P>The DHCP client daemon should run as the user <EM>dhcpd</EM> to minimize a possible threat if the service is found vulnerable to a weakness in its program code.</P><P>Note that dhcpd must never run as <EM>root</EM> or with the <EM>CAP_SYS_CHROOT</EM> capability for the chroot execution confinement to be effective.</P>"
        ),
        "DISPLAYMANAGER_ROOT_LOGIN_REMOTE"          => _(
          "<P>Administrators should never log on as <EM>root</EM> into an X Window session to minimize the usage of the root privileges.</P><P>This option does not help against careless administrators, but shall prevent attackers to be able to log on as <EM>root</EM> via the display manager if they guess or otherwise acquire the password.</P>"
        ),
        "DISPLAYMANAGER_XSERVER_TCP_PORT_6000_OPEN" => _(
          "<P>X Window clients, e.g. programs that open a window on your display, connect\n" \
            "to the X server that runs on the physical machine. Programs can also run on a\n" \
            "different system and display their content on the X server through network\n" \
            "connections.</P><P>When enabled, the X server listens on a port 6000 plus the\n" \
            "display number. Since network traffic is transferred unencrypted and therefore\n" \
            "subject to network sniffing, and since the port held open by the X server\n" \
            "offers attack options, the secure setting is to disable it.</P><P>To display X\n" \
            "Window clients across a network, we recommend the use of secure shell (<EM>ssh</EM>), which allows the X Window clients to connect to the X server through the encrypted ssh connection.</P>"
        ),
        "SMTPD_LISTEN_REMOTE"                       => _(
          "<P>The email delivery subsystem is always started. However, it does not expose\nitself outside the system by default, since it does not listen on the SMTP network port 25.</P><P>If you do not deliver emails to your system through the SMTP protocol, then disable this option.</P>"
        ),
        "DISABLE_RESTART_ON_UPDATE"                 => _(
          "<P>If a package containing a service that is currently running is being\n" \
            "updated, the service is restarted after the files in the package have been\n" \
            "installed.</P><P>This makes sense in most cases, and it is safe to do,\n" \
            "considering that many services either need their binaries or configuration\n" \
            "files accessible in the file system. Otherwise these services would continue\n" \
            "to run until the services are stopped, e.g. running daemons are\n" \
            "killed.</P><P>This setting should only be changed if there is a specific\n" \
            "reason to do so.</P>"
        ),
        "DISABLE_STOP_ON_REMOVAL"                   => _(
          "<P>If a package containing a service that is currently running is being\n" \
            "uninstalled, the service is stopped before the files of the package are\n" \
            "removed.</P><P>This makes sense in most cases, and it is safe to do,\n" \
            "considering that many services either need their binaries or configuration\n" \
            "files accessible in the file system. Otherwise these services would continue\n" \
            "to run until they are stopped, e.g. running daemons are\n" \
            "killed.</P><P>This setting should only be changed if there is a specific\n" \
            "reason to do so.</P>"
        ),
        "net.ipv4.tcp_syncookies"                   => _(
          "<P>A system can be overwhelmed with numerous connection attempts so that the system runs out of memory, leading to a Denial of Service (DoS) vulnerability.</P><P>The use of syncookies is a method that can help in such situations. But in configurations with a very large number of legitimate connection attempts from one source, the <EM>Enabled</EM> setting can cause problems with denied TCP connections under high load.</P><P>Still, for most environments, syncookies are the first line of defense against SYN flood DoS attacks, so the secure setting is <EM>Enabled</EM>.</P>"
        ),
        # The IPv4 and IPv6 forwarding entries share the same first paragraph
        # and differ only in the trailing "applies to ... only" sentence.
        "net.ipv4.ip_forward"                       => _(
          "<P>IP forwarding means to pass on network packets that have been received, but that are not destined for one of the system's configured network interfaces, e.g. network interface addresses.</P><P>If a system forwards network traffic on ISO/OSI layer 3, it is called a router. If you do not need that routing functionality, then disable this option.</P>"
        ) +
          _("<P>This setting applies to <EM>IPv4</EM> only.</P>"),
        "net.ipv6.conf.all.forwarding"              => _(
          "<P>IP forwarding means to pass on network packets that have been received, but that are not destined for one of the system's configured network interfaces, e.g. network interface addresses.</P><P>If a system forwards network traffic on ISO/OSI layer 3, it is called a router. If you do not need that routing functionality, then disable this option.</P>"
        ) +
          _("<P>This setting applies to <EM>IPv6</EM> only.</P>"),
        "kernel.sysrq"                              => _(
          "<P>Magic SysRq Keys enable some control over the system even if it crashes (e.g. during kernel debugging) or if the system does not respond.</P>"
        ),
        "PERMISSION_SECURITY"                       => _(
          "<P>There are predefined file permissions in /etc/permissions.* files. The most restrictive file permissions are defined 'secure' or 'paranoid' file.</P>"
        ),
        "MANDATORY_SERVICES"                        => _(
          "<P>Basic system services must be enabled to provide system consistency and to run the security-related services.</P>"
        ),
        "EXTRA_SERVICES"                            => _(
          "<P>Every running service is a potential target of a security attack. Therefore it is recommended to turn off all services which are not used by the system.</P>"
        )
      }
    end

    # Composes the help text for the boot dialog.
    #
    # The Ctrl+Alt+Del paragraph is worded according to
    # ::Security::CtrlAltDelConfig.default: "reboot" selects the reboot
    # wording, any other value the halt wording. The login-manager shutdown and
    # hibernate paragraphs are appended only when @display_manager is set
    # (assigned in initialize_security_helps, which calls this method).
    #
    # @return [String] rich text help for the boot dialog
    def boot_dialog_help
      help = _(
        "<p><b><big>Boot Security</big></b></p>\n<p>In this dialog, change various boot settings related to security.</p>"
      )

      if ::Security::CtrlAltDelConfig.default == "reboot"
        # TRANSLATORS: part of help text - default action (the default is
        # reboot)
        details = _(
          "Usually the system reboots. Sometimes it is desirable\n" \
            "to ignore this event, for example, when the system serves as both\n" \
            "workstation and server."
        )
      else
        # TRANSLATORS: part of help text - default action (the default is halt)
        details = _(
          "By default the system halts but sometimes it is desirable\n" \
            "to ignore this event, for example, when the system serves as both\n" \
            "workstation and server."
        )
      end

      # Boot dialog help 2/4
      # TRANSLATORS: %s is help text - default action
      # The % is applied to the *translated* template, so every translation of
      # this string must keep exactly one %s.
      help += _(
        "<p><b>Interpretation of Ctrl + Alt + Del</b>:\n" \
          "Configure what the system should do in response to\n" \
          "someone at the console pressing the CTRL + ALT + DEL key\n" \
          "combination. %s</p>"
      ) % details

      if @display_manager
        # Boot dialog help 3/4
        # %s receives the display manager's name upcased, inserted into the
        # markup as-is (no escaping). Presumably a fixed, known name from
        # Security.display_manager rather than user-controlled text -- confirm.
        help += _(
            "<p><b>Shutdown Behaviour of Login Manager</b>:\nSet who is allowed to shut down the machine from %s.</p>\n"
          ) % @display_manager.name.upcase +
          # Boot dialog help 4/4
          _(
            "<p><b>Hibernate System</b>:\n" \
              "Set the conditions for allowing users to hibernate the system. By default, user on active console has such right.\n" \
              "Other options are allowing the action to any user or requiring authentication in all cases.</p>\n"
          )
      end

      help
      # EOF
    end
  end
end