Date:      Wed, 7 Mar 2001 19:05:06 -0800 (PST)
From:      dima@unixfreak.org
To:        FreeBSD-gnats-submit@freebsd.org
Subject:   docs/25599: [PATCH] New FAQ entry: describe sysinstall security profiles
Message-ID:  <200103080305.f28356S07116@spike.unixfreak.org>


>Number:         25599
>Category:       docs
>Synopsis:       [PATCH] New FAQ entry: describe sysinstall security profiles
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-doc
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Wed Mar 07 19:10:02 PST 2001
>Closed-Date:
>Last-Modified:
>Originator:     Dima Dorfman
>Release:        FreeBSD 5.0-20010225-CURRENT i386
>Organization:
Private
>Environment:
System: FreeBSD spike.unixfreak.org 5.0-20010225-CURRENT FreeBSD 5.0-20010225-CURRENT #9: Sun Feb 25 22:49:27 PST 2001 dima@spike.unixfreak.org:/c/home/dima/w/f/src/sys/compile/SPIKE i386


>Description:

Since security profiles were introduced in sysinstall, two things
happened.  First, a lot of people started having problems installing
kernels, et cetera, because the High and Extreme security profiles
raised securelevel.  Second, a lot of people wanted to know exactly
what those security profiles do.  The first problem has pretty much
been dealt with by appropriate additions to the FAQ.  The second
problem remains.

The patch below adds another FAQ entry describing the different
security profiles to the Installation chapter.

>How-To-Repeat:

Read -questions.

>Fix:

Apply the following to doc/en_US.ISO_8859-1/books/faq/book.sgml:

Index: book.sgml
===================================================================
RCS file: /st/src/FreeBSD/doc/en_US.ISO_8859-1/books/faq/book.sgml,v
retrieving revision 1.147
diff -u -r1.147 book.sgml
--- book.sgml	2001/02/28 22:47:51	1.147
+++ book.sgml	2001/03/08 03:00:41
@@ -2421,6 +2421,170 @@
 
         </answer>
       </qandaentry>
+
+      <qandaentry>
+        <question id="security-profiles">
+          <para>What are these <quote>security profiles</quote>?</para>
+        </question>
+
+        <answer>
+          <para>A <quote>security profile</quote> is a set of configuration
+            options that attempts to achieve the desired ratio of security
+            to convenience by enabling and disabling certain programs and
+            other settings.  The more severe the security profile, the less
+            programs will be enabled by default; this is one of the basic
+            principles of security: do not run anything except what you
+            must.</para>
+
+          <para>Please note that the security profile is just a default
+            setting.  All programs can be enabled and disabled after you've
+            installed FreeBSD by editing or adding the appropriate line(s)
+            to <filename>/etc/rc.conf</filename>.  For more information on
+            the latter, please see the &man.rc.conf.5; manual page.</para>
+
+          <para>Following is a table that describes what each security
+            profile does.  The columns are the choices you have for a
+            security profile, and the rows are the program or feature that
+            is enabled or disabled.</para>
+
+          <table>
+            <title>Possible security profiles</title>
+
+             <tgroup cols=5>
+               <thead>
+                 <row>
+                   <entry></entry>
+
+                   <entry>Extreme</entry>
+
+                   <entry>High</entry>
+
+                   <entry>Moderate</entry>
+
+                   <entry>Low</entry>
+                 </row>
+               </thead>
+
+               <tbody>
+                 <row>
+                   <entry>&man.inetd.8;</entry>
+
+                   <entry>NO</entry>
+
+                   <entry>NO</entry>
+
+                   <entry>YES</entry>
+
+                   <entry>YES</entry>
+                 </row>
+
+                 <row>
+                   <entry>&man.sendmail.8;</entry>
+
+                   <entry>NO</entry>
+
+                   <entry>YES</entry>
+
+                   <entry>YES</entry>
+
+                   <entry>YES</entry>
+                 </row>
+
+                 <row>
+                   <entry>&man.sshd.8;</entry>
+ 
+                   <entry>NO</entry>
+
+                   <entry>YES</entry>
+
+                   <entry>YES</entry>
+
+                   <entry>YES</entry>
+                 </row>
+
+                 <row>
+                   <entry>&man.portmap.8;</entry>
+
+                   <entry>NO</entry>
+
+                   <entry>NO</entry>
+
+                   <entry>[1]</entry>
+
+                   <entry>YES</entry>
+                 </row>
+
+                 <row>
+                   <entry>NFS server</entry>
+
+                   <entry>NO</entry>
+
+                   <entry>NO</entry>
+
+                   <entry>YES</entry>
+
+                   <entry>YES</entry>
+                 </row>
+
+                 <row>
+                   <entry>man.securelevel.XXX</entry>
+
+                   <entry>YES (2) [2]</entry>
+
+                   <entry>YES (1) [2]</entry>
+
+                   <entry>NO</entry>
+
+                   <entry>NO</entry>
+                 </row>
+               </tbody>
+             </tgroup>
+           </table>
+
+           <para>Notes:</para>
+
+           <para>
+             <orderedlist>
+               <listitem>
+                 <para>The portmapper is enabled if the machine has been
+                   configured as an NFS client or server earlier in the
+                   installation.</para>
+               </listitem>
+
+               <listitem>
+                 <para>If you choose a security profile that sets the
+                   securelevel (Extreme or High), you must be aware of the
+                   implications.  Please read the &man.init.8; manual page
+                   and pay particular attention to the meanings of the
+                   security levels, or you may have significant trouble
+                   later!</para>
+               </listitem>
+             </orderedlist>
+           </para>
+
+           <para>
+             <warning>
+               <para>The security profile is not a silver bullet!  Setting
+                 it high does not mean you do have to keep up with security
+                 issues by reading an appropriate <ulink
+                 url="../handbook/eresources.html#ERESOURCES-MAIL">mailing
+                 list</ulink>, using good passwords and passphrases, and
+                 generally adhering to good security practices.  It simply
+                 sets up the desired security to convenience ration out of
+                 the box.</para>
+             </warning>
+ 
+             <note>
+               <para>The security profile mechanism is meant to be used
+                 when you first install FreeBSD.  If you already have
+                 FreeBSD installed, it would probably be more beneficial to
+                 simply enable or disable the desired functionality.  If
+                 you really want to use a security profile, you can re-run
+                 &man.sysinstall.8; to set it.</para>
+             </note>
+           </para>
+        </answer>
+      </qandaentry>
     </qandaset>
   </chapter>
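Review bot: the securelevel row of the table, `<entry>man.securelevel.XXX</entry>`, is a leftover placeholder rather than a valid entity and will render literally in the built FAQ; securelevel is documented in init(8), which note [2] already cites, so make the label plain text, e.g. `<entry>securelevel (see &man.init.8;)</entry>`. The warning paragraph also drops a negation that inverts its meaning: "Setting it high does not mean you do have to keep up with security issues" must read "does not mean you do not have to keep up with security issues", and "security to convenience ration" should be "ratio". Smaller points: "the less programs will be enabled" should be "the fewer programs", and `<tgroup cols=5>` should quote the attribute value (`cols="5"`) to match the rest of book.sgml. Since the description says readers are hitting securelevel problems with High and Extreme, the YES/NO values and the securelevel numbers (2 and 1) in the table should be confirmed against sysinstall's profile settings before this is committed, as the FAQ will become the reference people rely on.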

>Release-Note:
>Audit-Trail:
>Unformatted:

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200103080305.f28356S07116>