openSUSE 10.3 Tutorials

Configuring openSUSE User Security / Other User Security Measures





Subtitles of the Movie

In addition to some of the other security measures that we've looked at with regard to users, there are some other ones we need to look at as well. There are some other security measures that we can configure on our openSUSE box that are found in the Local Security applet in YaST. And some of these are kind of a hodgepodge or miscellaneous mix of security settings, but there are some very good settings. I'll talk about each one of them and then we'll take a look at them.

Some of the measures we can configure in the Local Security applet include security settings that are based upon the type of computer environment you have, such as a computer at home or a computer at work, like a networked workstation or a server and so forth. You can configure settings based upon that network environment that really suit your needs. You can also configure password requirements and configurations, such as setting a minimum length and complexity of passwords. Other settings that you can configure include boot settings, login settings, user ID limitations and some miscellaneous settings. We'll go over each one of these right now.

We're in the Local Security applet of Security and Users in the YaST Control Center. Let's go ahead and click the Local Security applet now. It's going to read our settings and it's going to give us the ability to set security settings based upon what kind of environment we have. Now, we can select home workstation, networked workstation or network server. We're going to get different settings based upon which one we select, or we could go with custom settings and configure everything. Let's go with the networked server, or network workstation rather. Let's click Details and see how that's set up.

The first thing we're going to see is password settings. Now, we can choose to check new passwords to make sure they meet complexity requirements and test for complicated passwords. We can also tell the system to remember a certain number of passwords that have already been used so that a user can't keep using the same password over and over again. If we select password encryption method, we get the option to choose between DES, MD5 or Blowfish as the default password encryption method for /etc/shadow. Naturally, Blowfish is the most secure, but if you need compatibility with older applications or systems, you might want to select DES or MD5.

Now we can set the minimum acceptable password length, and if you've been around security people at all, you know the minimum acceptable length is right about eight characters. There's some discussion as to whether longer is better and usually that's the case. We can set the minimum password age to one or the maximum to whatever we like. This prevents the password from being changed too early or from lasting too long. That way it's forced to be changed occasionally. Usually a good bet for passwords is 45 to 90 days, with a minimum of five days. That way the user can't go back and just change their password every single day until they get the one they like. We can configure the days before the password expires warning, meaning that 14 days before our 90 days is up, they'll start getting little nag notices that say your password needs to be changed.

If we click Next, we're going to see boot settings. Now, we have two items that we can configure here, and one thing I need to mention is that for all of these settings, if you look over on the left-hand side of the screen, you'll see an explanation of each setting, so that will help you out when you're setting these to make sure you don't accidentally set something the wrong way. The group permissions we can set, the interpretation of the Ctrl+Alt+Delete key sequence; as we know in Windows, that can reboot the computer or at least get us the Task Manager. In Linux, we can configure it to be ignored or to reboot the system or to halt the system, whatever we choose. We can also configure the login manager to shut down the computer, but we can configure it so only certain users can do this, such as only root or every user, or no one can, or that it's automatic. We can make it so that the person must log in to shut down the computer.

If we click on Next, we'll get login settings, and basically the login settings give us three options. The first is a delay after an incorrect login attempt, such as six for example. This might be a good amount of time for you, but you might want to delay a little bit so that in case of a brute force attack it doesn't work. You can also record successful login attempts, which you might want to do, but you also might want to record unsuccessful ones as well, and there are ways to do that that aren't in this particular configuration setting. You can also allow remote graphical login. That way if someone's remotely accessing your computer and you've given them permission to, they can get the graphical login screen.

With the User Addition screen, we get limitations on the group IDs and user IDs. Some variations of Linux and UNIX reserve certain IDs, such as zero through a thousand, for example, for privileged users and groups. So you might want to start your users at a certain number, such as a thousand or fifteen hundred. If you're going to have more privileged users, you want to group them downwards with other privileged users, so you might use zero through fifteen hundred as your privileged user IDs. And the same thing with your groups, so that when you start configuring users and adding them, they automatically get user IDs in those ranges, and you'll find that some programs actually look for those user IDs that are privileged or not.

Some other miscellaneous settings we can look at are file permissions. We can change those to easy, secure or paranoid. And if you look over here, there's an explanation of each of those settings. It says with easy, most of the system files that are only readable by root in secure are modified so other users can also read these files. Using secure, certain other system files can only be viewed by the user root, and with paranoid, of course, you must decide which users are able to run X applications and setuid programs. So you can change these around to make it very easy or paranoid.

Now, you can also configure the user launching updatedb, and basically this database scans the entire system once a day, and you can set the user to run this command: nobody for a few files, or root, which is all files. You can mark this for the current directory and root's path, the current directory and the path of regular users, or enable the magic SysRq keys. Now, again, if you look here on the side, you can get explanations of what those particular settings mean.

If we click Finish, it's going to write the security files and that's it. Now, there's much more to local security than what we've covered in just looking at this applet. There are other things that we need to be able to do, such as set up application security, firewalls and so forth, and we're going to cover that a little bit more in-depth later on in the course.
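The password aging, login delay and ID range settings described in the transcript can also be checked from a script. The following is an added example, not part of the tutorial: it audits `/etc/login.defs`-style text against the values the instructor mentions (45 to 90 days maximum age, 5 days minimum age, 14 days warning, 8 characters minimum length, a non-zero login delay, IDs starting at 1000). The key names are standard shadow-suite settings; that the YaST dialog fields correspond to exactly these keys is an assumption of the example, and the sample input is constructed.

```python
import re

# Thresholds come from the transcript above. Mapping the YaST dialog fields
# onto these standard /etc/login.defs keys is an assumption of this example.
POLICY = {
    "PASS_MAX_DAYS": lambda v: 45 <= v <= 90,
    "PASS_MIN_DAYS": lambda v: v >= 5,
    "PASS_WARN_AGE": lambda v: v >= 14,
    "PASS_MIN_LEN":  lambda v: v >= 8,
    "FAIL_DELAY":    lambda v: v >= 1,
    "UID_MIN":       lambda v: v >= 1000,
    "GID_MIN":       lambda v: v >= 1000,
}

def parse_login_defs(text):
    """Return {key: value} from login.defs text; comments and blanks are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings[parts[0]] = parts[1].strip()  # last occurrence wins
    return settings

def audit(text):
    """Return a list of (key, problem) for settings that miss the policy."""
    settings = parse_login_defs(text)
    findings = []
    for key, ok in POLICY.items():
        value = settings.get(key)
        if value is None:
            findings.append((key, "missing"))
        elif not re.fullmatch(r"\d+", value):
            findings.append((key, "not a number: " + value))
        elif not ok(int(value)):
            findings.append((key, "out of range: " + value))
    return findings

# Constructed sample input, not taken from a real system.
SAMPLE = """\
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_WARN_AGE   14
PASS_MIN_LEN    5
FAIL_DELAY      3
UID_MIN         1000
"""
if __name__ == "__main__":
    print(audit(SAMPLE))
```

To audit a real machine, pass the contents of `/etc/login.defs` to `audit()` instead of `SAMPLE`.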

Tutorial Information

Course: openSUSE 10.3
Author: Bobby Rogers
SKU: 33849
ISBN: 1-934743-49-6
Release Date: 2008-01-31
Duration: 6.5 hrs / 75 lessons
Captions: For Online University members only
Compatibility: Vista/XP/2000, OS X, Linux
QuickTime 7, Flash 8
