YaST/Modules/Education/Planning/Requirements
Overview
The YaST Education module will provide a simple way for parents, teachers, and administrators to configure systems to be used by children, whether in an academic setting, or on a home system. With intuitiveness and ease of use as its primary goals -- given the limited technical expertise that parents and teachers may have -- the module will run during the installation workflow of the Education add-on to allow a functional system to be configured and locked down as needed. Planned features of the module include:
- Selecting whether or not the system will be a desktop computer or a school server (planned for the second revision of the module)
- Selecting the age groups that will use the system, and installing software specific to those age groups
- Creating groups of students, and assigning Sabayon/Kiosk tool profiles to each group to lock down the system
- Creating students and assigning them to student groups
- Batch creating students by importing from comma-separated value (CSV) files
- Configuring web filtering settings on a per-group basis to protect children from inappropriate content on the web
- Configuring access time restrictions on a per-group basis to force children to logoff at specified times
- Configuring firewall settings on a per-group basis to restrict the network applications that can be used
The module will run in the installation workflow as a wizard, but will provide an expert mode so that settings can easily be changed by rerunning the module after installation, without having to go through every screen of the wizard. For an example of this, see the dns-server module.
This document provides a discussion of the features planned for the module. The module is being written by Jeff Shantz as a Google Summer of Code 2009 project, with input from Marek Stopka, J. Daniel Schmidt (the original creator of the module), and several members of the opensuse-edu mailing list.
Goals
This project aims to produce a wizard that can be used by parents and teachers to configure and lock down a system to protect both the children/students using the system and the system itself. Accordingly, the module strives to:
- Present a user-friendly and intuitive workflow
- Avoid overwhelming the user with technical details
- Provide a powerful way to lock down a system
At all times during the construction of this module, the target audience of the module will be kept in mind. Advanced features that may confuse some users will be placed behind "Advanced" buttons and made optional to avoid complicating matters for those who may have limited technical knowledge.
Module Workflow
This section presents a description of the screens that the wizard will present to the user, detailing the functionality presented by the module.
Step 1: Intended System Use
NOTE: This screen will not be included in the first revision of the module. If time allows after all requirements in this document have been satisfied, the ability to install server applications will be added to the module. In the meantime, the focus will be on configuring a system for end users.
The first screen of the wizard will prompt the user to select the intended use of the system. The selection made on this screen controls what screens the wizard will display in later steps. Two options will be provided:
- Home, classroom, or lab computer
- School server
The Home, classroom, or lab computer option should be selected if the system is to be used directly by children and will take the user to Step 2.
The School server option should be selected if the system is to act as a server, and will allow the user to install packages such as Open School Server, openSIS, OpenBiblio, and so on. This option will skip steps 2 through 6 and provide a screen to select the packages that should be installed on the server. I am open to suggestions on what should be installable and how it should be done.
Open question: What happens if the user selects "Home, classroom, or lab computer" on the first run through the wizard, and then reruns the module and selects "School server" on the second run? Do we uninstall all apps installed for the students/children, or just leave them on the system? What about all the users/groups created? Keep them or remove them?
Step 2: Target Age Groups
This step will prompt the user to select the age groups that will be using the system. This will affect what packages will be installed at the end of the wizard. The idea here is not to replace the functionality of the sw_single module, so users will not be able to select individual packages to install. Instead, they will select one or more age groups that will use the system, and the appropriate education CD patterns will be installed according to their choices. Since only two software patterns currently exist in the Education CD, the options provided will be:
- Children (Under 13)
- Teenagers (13 and older)
These selections will be provided as checkboxes so that both patterns can be installed, if children from both age groups will be using the system.
Selecting the Children option will initiate the installation of the kids-education-desktop pattern at the end of the wizard, if it is not already installed.
Similarly, selecting the Teenagers option will initiate the installation of the youth-education-desktop pattern.
Additional options should eventually be provided to offer more finely grained targeting of groups of students (e.g. pre-school, elementary school, middle school, high school). This would require new software patterns to be created for the Education CD. Creating these patterns could be added to the Summer of Code project, if time permits at the end of the summer.
Step 3: User and Group Creation
This step will allow the user to create, edit, and delete "education groups", as well as user accounts for the students/children that will be using the system. Similar to the YaST Users module, this step will provide a tabbed interface, with one tab for groups, and one tab for users.
Groups Tab
Education groups are important since the module will allow different sets of rights and restrictions (e.g. Sabayon/Kiosk profiles, firewall settings, filtering options) to be assigned to different groups. Two pre-defined education groups will be available:
- Children (Under 13)
- Teenagers (13 and older)
A list of existing education groups will be displayed. Note: Only groups created as "education groups" will be listed here. Other groups -- such as those created in the YaST Users module -- will not be visible here. The following four buttons will be displayed below the list of education groups:
- Add
- Edit
- Delete
- Import
Add/Edit Education Group
This screen will allow the creation of a new education group. The user will be prompted to enter the following details:
- Friendly name (e.g. Grade 6 class)
- Group name (e.g. grade6)
- Age Range: ___ to ___
A Suggestion button will also be provided to create a group name based on the friendly name entered. The Friendly name will be used to refer to the group within the module. The Group name is the actual name of the group that will be created on the system.
The age range will be used to determine which Sabayon/Kiosk tool profiles to apply to the group. If the user enters an age range between 0 and 12, then the Sabayon/Kiosk profile for the Kids group will be assigned to the group. If the age range entered includes values greater than 13, then the Sabayon/Kiosk profile for the Teenagers group will be assigned to the group.
Alternatively, the user can choose to assign custom profiles to the group by clicking the Advanced button. On this screen, the user will be asked to enter the paths to the profiles, which must exist in the filesystem.
Delete Education Group
This button will allow a group to be deleted. If a group still has users associated with it, the user will be prompted to first remove all members from the group. Otherwise, the user will be asked to confirm whether or not the group should be deleted and if so, the group will be removed from the system.
Import Education Groups
This button will allow groups to be batch imported from a comma-separated value (CSV) file. The format of the file must be in the form of
"FRIENDLY NAME","GROUP NAME","AGE_RANGE_START","AGE_RANGE_END", "SABAYON_PROFILE","KIOSK_TOOL_PROFILE"
with one group per line. The SABAYON_PROFILE and KIOSK_TOOL_PROFILE are optional. If not specified, the appropriate Sabayon/Kiosk tool profiles will be assigned to the group based on the age range specified, as detailed in the Add/Edit Education Group section.
Users tab
On the Users tab, the user can create user accounts for the children/students that will be using the system, and assign them to a specific education group. The tab will provide a list of the child/student user accounts already created on the system, along with buttons for adding, editing, deleting, and importing new users. Note: This tab is intended to manipulate only users in education groups, and therefore only users that have been added to an education group will be displayed. Similarly, when creating a new user on this tab, only education groups can be selected for the user's group.
The following buttons will be provided:
- Add
- Edit
- Delete
- Import
Add/Edit User
This screen will allow a new user to be created, or an existing user to be edited. The user can specify the following details:
- Full name
- Username
- Password
- Confirm Password
- Education Group (drop down list)
- Automatic Login (checkbox)
- Disable User Login (checkbox)
A Suggestion button will also be provided to create a username based on the full name entered. The Education Group drop down list will contain a list of all education groups that have been created. The user can then select the group to which the user should be assigned.
Delete User
When clicked, this button will ask the user to confirm whether or not to delete the selected user. If the user confirms his/her choice, the selected user is deleted from the system.
Import Users
This button will allow users to be batch imported from a comma-separated value (CSV) file. The format of the file must be in the form of
"FULL_NAME","USERNAME","EDUCATION_GROUP_NAME","PASSWORD", "AUTOMATIC_LOGIN","DISABLE_LOGIN"
with one user per line. The AUTOMATIC_LOGIN and DISABLE_LOGIN fields must either be TRUE or FALSE.
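Because an imported file creates accounts in bulk, each row is worth validating before anything is written to the system. The following is an added example, not the module's own code; the username pattern, the `existing_users` parameter and the rule that automatic login cannot be combined with a disabled login are assumptions made for illustration.

```python
import csv
import io
import re

# Assumed username policy (the page defines none): conservative POSIX style.
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")
BOOLS = {"TRUE": True, "FALSE": False}

def parse_user_import(text, education_groups, existing_users=()):
    """Validate user-import CSV text; return (accepted, errors).
    existing_users (hypothetical parameter) lists usernames already taken.
    Errors are (line, message) pairs and never echo the password."""
    accepted, errors, taken = [], [], set(existing_users)
    # skipinitialspace tolerates the space after a comma shown in the format.
    reader = csv.reader(io.StringIO(text), skipinitialspace=True)
    for row in reader:
        line = reader.line_num
        if len(row) != 6:
            if row:  # blank lines are skipped silently
                errors.append((line, "expected 6 fields, got %d" % len(row)))
            continue
        full_name, username, group, password, auto, disabled = row
        problems = []
        # The full name lands in the colon-delimited GECOS field of passwd.
        if not full_name.strip() or re.search(r"[:\x00-\x1f]", full_name):
            problems.append("invalid full name")
        if not USERNAME_RE.fullmatch(username):
            problems.append("invalid username")
        elif username in taken:
            problems.append("username already in use")
        if group not in education_groups:
            problems.append("not an education group")
        if not password:
            problems.append("empty password")
        if auto not in BOOLS or disabled not in BOOLS:
            problems.append("login flags must be TRUE or FALSE")
        elif BOOLS[auto] and BOOLS[disabled]:
            # Assumption: automatic login on a disabled account is an error.
            problems.append("automatic login on a disabled account")
        if problems:
            errors.append((line, "; ".join(problems)))
            continue
        taken.add(username)
        accepted.append({"full_name": full_name.strip(), "username": username,
                         "group": group, "password": password,
                         "automatic_login": BOOLS[auto], "disable_login": BOOLS[disabled]})
    return accepted, errors

# Constructed sample input, not taken from the page.
SAMPLE = '''"Ann Lee","alee","grade6","s3cret-1","FALSE","FALSE"
"Bob Roy","root","grade6","s3cret-2","FALSE","FALSE"
"Cy Poe","cpoe","wheel","s3cret-3","FALSE","FALSE"
"Di Ray","dray","grade6","s3cret-4", "yes","FALSE"
"Ed:0:0","eday","grade6","s3cret-5","TRUE","FALSE"'''
```

The import file holds passwords in clear text, so it should be readable only by the administrator and removed once the import has finished.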
Step 4: Web Filtering
This step of the wizard will provide the following checkbox at the top of the page:
"I would like to restrict the web content that can be viewed by users of this system"
By default, this box will be unchecked. If the user checks this box, a list of education groups below as well as a number of buttons will be enabled. Additionally, checking this box will cause Dansguardian and Squid to be installed and enabled at the end of the wizard.
The listbox will contain a list of all education groups created in the Users/Groups step. Below the listbox, an Edit Restrictions button will be available, allowing the user to select an education group from the list and edit the web content restrictions associated with that group.
When the user clicks the Edit Restrictions button, a screen will appear with the following tabs:
- Restrict by address
- Restrict by phrase
- Restrict by file extension
- Reporting
Note: Some believe that filtering should be the responsibility of another YaST module. While this is a valid point, it is the goal of this module to provide an intuitive and comprehensive means to lock down a system. Filtering is an important part of overall system security, and therefore is within the scope of this module. The Dansguardian configuration will be handled by an SCR module that I will develop that can easily be used by someone else wishing to create a dedicated Dansguardian YaST module, should one ever wish to develop such a module.
Restrict by address
This tab will allow the user to designate specific URLs to be whitelisted/blacklisted. At the top of the tab, the following radio buttons will be presented:
- Allow all sites except for those listed below
- Block all sites except for those listed below
Below this, a text box will be present, with an Add button beside it. A listbox with all added URLs will then be present, along with a Delete button to remove whitelisted/blacklisted sites.
Restrict by phrase
This tab will allow the user to block web sites that contain specific keywords or phrases. It will simply consist of a Keyword/Phrase to Block textbox, along with an Add button. Below, a listbox will contain all the keywords/phrases already blocked, and a Delete button will be provided to remove blocked keywords/phrases.
Restrict by file extension
This tab allows the user to block downloaded content by file extension. Dansguardian also allows users to block by MIME type, but knowledge of MIME types can be considered to be rather advanced, so this module will not support filtering by MIME type. Nevertheless, file extension blocking should provide a reasonably efficient means of preventing users from downloading/accessing content that could potentially be objectionable, such as movie files.
The tab will provide a File extension textbox, along with an Add button. Below, a listbox will contain all the extensions already blocked, and a Delete button will be provided to remove blocked extensions.
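The three tabs above take free text that ends up in filter list files, so each entry should be normalised and checked before it is written. The following is an added example, not the planned SCR module; it assumes Dansguardian's stock list names and its `<phrase>` and `**` conventions, and the function and mode names are hypothetical.

```python
import re
from urllib.parse import urlsplit

HOST_RE = re.compile(r"([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}")
EXT_RE = re.compile(r"[a-z0-9]{1,10}")


def site_entry(text):
    """Reduce 'http://Example.org/path' or 'example.org' to a bare host name."""
    text = text.strip()
    host = urlsplit(text if "://" in text else "//" + text).hostname or ""
    if not HOST_RE.fullmatch(host):
        raise ValueError("not a valid site: %r" % text)
    return host


def phrase_entry(text):
    """Normalise a phrase and wrap it as <phrase>."""
    phrase = " ".join(text.split()).lower()
    # '<', '>' and ',' are list syntax (combinations, weights); '#' is a comment.
    if not phrase or not phrase.isprintable() or re.search(r"[<>,#]", phrase):
        raise ValueError("not a valid phrase: %r" % text)
    return "<%s>" % phrase


def extension_entry(text):
    """Normalise 'AVI' or '.avi' to '.avi'."""
    ext = text.strip().lower().lstrip(".")
    if not EXT_RE.fullmatch(ext):
        raise ValueError("not a valid extension: %r" % text)
    return "." + ext


def render_lists(mode, sites, phrases, extensions):
    """Return {list file name: sorted entries} for one education group.

    mode is 'allow_except' or 'block_except', mirroring the two radio buttons.
    """
    hosts = sorted({site_entry(s) for s in sites})
    if mode == "allow_except":
        banned, exceptions = hosts, []
    elif mode == "block_except":
        banned, exceptions = ["**"], hosts  # '**' is the blanket block
    else:
        raise ValueError("unknown mode: %r" % mode)
    return {
        "bannedsitelist": banned,
        "exceptionsitelist": exceptions,
        "bannedphraselist": sorted({phrase_entry(p) for p in phrases}),
        "bannedextensionlist": sorted({extension_entry(e) for e in extensions}),
    }
```

Rejecting the list syntax characters keeps a typed entry from changing the meaning of other lines in the file, for example by turning a single site entry into the blanket block.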
Reporting
This tab allows the user to configure reporting on attempts to access blocked material. I am still looking into the best means of providing reporting and will have to update this section later. In any event, this section will allow the user to configure email notifications of attempts to access blocked material.
Step 5: Access Time Restrictions
This step allows the user to specify restrictions at a per-group level on when the system can be used.
As in other steps, a listbox will contain a list of all education groups created in the Users/Groups step. Below the listbox, an Edit Restrictions button will be available, allowing the user to select an education group from the list and edit the access time restrictions associated with that group.
When the user clicks the Edit Restrictions button, a screen will appear with seven checkboxes (for each day of the week), along with Start time and End time fields beside each checkbox. For instance, it might look as follows:
Allow access on the following days:
[x] Monday     Start Time: __09:00__  End Time: __20:00__
[x] Tuesday    Start Time: __09:00__  End Time: __20:00__
[x] Wednesday  Start Time: __09:00__  End Time: __20:00__
[x] Thursday   Start Time: __09:00__  End Time: __20:00__
[x] Friday     Start Time: __09:00__  End Time: __20:00__
[ ] Saturday   Start Time: _________  End Time: _________
[ ] Sunday     Start Time: _________  End Time: _________
[x] Display warning _5_ minutes before forced logoff
The user can then specify the days/times on which access to the system is allowed for the selected group.
Note: There appears to be no standard way to enforce access restrictions. As such, a cron job will run periodically that will execute a script to enforce these restrictions. The script will detect if the user is running GNOME or KDE, and will display a popup warning at a user-configurable time before forcing a logoff. The module will warn the user that no popup warning will be seen if the user is not running GNOME or KDE.
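The decision the periodic script has to make on each run can be kept separate from the desktop-specific popup and logoff steps. The following is an added example, not the module's script; the function names and the schedule representation are hypothetical, and it covers only the allow, warn or logoff decision for one group.

```python
from datetime import datetime

DAYS = ("Monday", "Tuesday", "Wednesday", "Thursday",
        "Friday", "Saturday", "Sunday")


def parse_schedule(raw):
    """Validate {day: ("HH:MM", "HH:MM")}; unchecked days are simply absent."""
    schedule = {}
    for day, (start, end) in raw.items():
        if day not in DAYS:
            raise ValueError("unknown day: %r" % day)
        begin = datetime.strptime(start, "%H:%M").time()
        finish = datetime.strptime(end, "%H:%M").time()
        if begin >= finish:
            raise ValueError("%s: start time must be before end time" % day)
        schedule[DAYS.index(day)] = (begin, finish)
    return schedule


def decide(schedule, now, warn_minutes=5):
    """Return (action, minutes_left); action is 'allow', 'warn' or 'logoff'.

    Fails closed: a day without an entry, or a time outside the window,
    yields 'logoff'.
    """
    window = schedule.get(now.weekday())  # Monday is 0
    if window is None:
        return ("logoff", 0)
    begin, finish = window
    if not begin <= now.time() < finish:
        return ("logoff", 0)
    left = int((datetime.combine(now.date(), finish) - now).total_seconds() // 60)
    if left <= warn_minutes:
        return ("warn", left)
    return ("allow", left)


# The example screen from the page: weekdays 09:00-20:00, no weekend access.
PAGE_SCHEDULE = parse_schedule(
    {day: ("09:00", "20:00") for day in DAYS[:5]})
```

The cron interval should be no longer than the warning period; otherwise one run can report 'allow' and the next 'logoff' with no warning shown in between.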
Step 6: Firewall Settings
This step of the wizard allows the user to configure specific firewall settings for each education group. A list of education groups will be displayed, with an Edit Firewall Settings button displayed below. Clicking this button will allow the settings for a specific education group to be modified. The idea here is to provide a very simple, basic front-end that allows the user to allow/deny access to specific, well-known protocols without having to know the specifics of port numbers and transport protocols (e.g. TCP/UDP).
The editor will display two lists. On the left, an All Protocols listbox will contain a list of well-known network protocols. For instance, we might have something like the following:
- FTP (file transfer)
- HTTP (web)
- HTTPS (secure web)
- IRC
- SMTP (outgoing email)
- POP3 (incoming email)
- IMAP (incoming email)
On the right, a Disallowed Protocols listbox will contain a list of disallowed protocols (those that will be firewalled). In between the two lists, the following buttons will be present:
- << (Remove all protocols from the disallowed list)
- < (Remove the selected protocols from the disallowed list)
- > (Add the selected protocols to the disallowed list)
- >> (Add all protocols to the disallowed list)
Custom firewall settings will not be editable in this module. If the user wishes to block a specific port, then he/she should use the YaST Firewall module.
Step 7: Applying all changes
In this step, all changes made will be applied to the system, and the module will exit.
Future Enhancements
Should time allow after all requirements in this document have been satisfied, the following enhancements and tasks will be completed:
- The ability to configure an education server, as discussed in Step 1 of this document. This would allow the user to install applications such as openSIS, openBiblio, etc.
- The ability to enable a Sugar desktop for specific groups of users.
- The ability to allow different levels of users to use the module. For instance, we might want to allow teachers to configure systems for their classrooms, but we don't want to give them root access.
- Creating more finely grained patterns for the education CD. For instance, we might wish to have different patterns for pre-school, elementary, middle, and high school students. With more patterns, additional options could be added to Step 2 of this module.
- Creating additional RPM packages, as needed, for education software that is not currently packaged for openSUSE. Lars Vogdt sent this link to the Education mailing list on May 20, requesting volunteers to package some of the software mentioned on this site.
Providing Input
If you have any input on the direction of this module, please contact Jeff Shantz, or send email to the Education mailing list:
- opensuse-edu@opensuse.org - Discussion about openSUSE in the education sector

