From owner-freebsd-doc Wed Aug 29 14:10:35 2001
Delivered-To: freebsd-doc@freebsd.org
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 4D83737B406 for ; Wed, 29 Aug 2001 14:10:07 -0700 (PDT) (envelope-from gnats@FreeBSD.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.11.4/8.11.4) id f7TLA7p03843; Wed, 29 Aug 2001 14:10:07 -0700 (PDT) (envelope-from gnats)
Received: from blackhelicopters.org (geburah.blackhelicopters.org [209.69.178.18]) by hub.freebsd.org (Postfix) with ESMTP id 77C9E37B406 for ; Wed, 29 Aug 2001 14:06:43 -0700 (PDT) (envelope-from mwlucas@blackhelicopters.org)
Received: (from mwlucas@localhost) by blackhelicopters.org (8.9.3/8.9.3) id RAA04371; Wed, 29 Aug 2001 17:06:42 -0400 (EDT) (envelope-from mwlucas)
Message-Id: <200108292106.RAA04371@blackhelicopters.org>
Date: Wed, 29 Aug 2001 17:06:42 -0400 (EDT)
From: mwlucas@blackhelicopters.org
Reply-To: mwlucas@blackhelicopters.org
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.2
Subject: docs/30203: description of security profiles in FAQ is just plain wrong
Sender: owner-freebsd-doc@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

>Number: 30203
>Category: docs
>Synopsis: description of security profiles in FAQ is just plain wrong
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-doc
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Wed Aug 29 14:10:07 PDT 2001
>Closed-Date:
>Last-Modified:
>Originator: Michael Lucas
>Release: FreeBSD 3.5-STABLE i386
>Organization: None
>Environment: current -doc tree
>Description:
Robert Watson recently took an axe to the security profiles available in sysinstall. There are now only two profiles available, moderate & extreme.
This is my first -doc patch prepared entirely from reading actual source code, instead of from reading mailing lists. As such, I'm fully prepared to be told that I'm wrong. I've also cleaned up a couple of sentences and corrected some grammar. While I might be wrong on source code, I do know that using both a colon and a semicolon in one sentence is ugly. >How-To-Repeat: read the source of sysinstall >Fix: *** book.sgml-dist Wed Aug 29 13:19:01 2001 --- book.sgml Wed Aug 29 13:44:25 2001 *************** *** 2175,2229 **** ! A security profile is a set of configuration ! options that attempts to achieve the desired ratio of security ! to convenience by enabling and disabling certain programs and ! other settings. The more severe the security profile, the less ! programs will be enabled by default; this is one of the basic ! principles of security: do not run anything except what you ! must. ! ! Please note that the security profile is just a default ! setting. All programs can be enabled and disabled after you have ! installed FreeBSD by editing or adding the appropriate line(s) ! to /etc/rc.conf. For more information on ! the latter, please see the &man.rc.conf.5; manual page. ! ! Following is a table that describes what each security ! profile does. The columns are the choices you have for a ! security profile, and the rows are the program or feature that ! is enabled or disabled. Possible security profiles ! Extreme - High - Moderate - Low - - &man.inetd.8; - - NO - - NO - - YES - - YES - &man.sendmail.8; --- 2175,2216 ---- ! A security profile is a set of ! configuration options that attempts to achieve the desired ! ratio of security to convenience by enabling and disabling ! certain programs and other settings. The more severe the ! security profile, the fewer programs will be enabled by ! default. This is one of the basic principles of security: ! do not run anything except what you must. ! ! Please note that the security profile is just a ! default setting. 
All programs can be enabled or disabled ! after you have installed FreeBSD by editing or adding the ! appropriate line(s) to /etc/rc.conf. ! For more information, please see the &man.rc.conf.5; ! manual page. ! ! Following is a table that describes what each of the ! security profiles does. The columns are the choices you ! have for a security profile, and the rows are the program ! or feature that the profile enables or disables.
Possible security profiles ! Extreme Moderate &man.sendmail.8; *************** *** 2232,2240 **** YES - YES - - YES --- 2219,2224 ---- *************** *** 2244,2252 **** YES - YES - - YES --- 2228,2233 ---- *************** *** 2254,2261 **** NO - NO - MAYBE The portmapper is enabled if the machine has been configured as an NFS client or server earlier in the --- 2235,2240 ---- *************** *** 2263,2269 **** - YES --- 2242,2247 ---- *************** *** 2271,2281 **** NO - NO - YES - YES --- 2249,2256 ---- *************** *** 2291,2315 **** - YES (1) - NO - NO
! The security profile is not a silver bullet! Setting ! it high does not mean you do not have to keep up with security ! issues by reading an appropriate mailing ! list, using good passwords and passphrases, and ! generally adhering to good security practices. It simply ! sets up the desired security to convenience ratio out of ! the box. --- 2266,2288 ---- NO ! The security profile is not a silver bullet! ! Even the extreme setting does not mean you do not ! have to keep up with security issues by reading an ! appropriate mailing ! list, using good passwords and passphrases, ! and generally adhering to good security practices. ! It simply sets up the desired security to convenience ! ratio out of the box. >Release-Note: >Audit-Trail: >Unformatted: To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-doc" in the body of the message
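Review bot: In the first hunk (old lines 2175-2229), the &man.inetd.8; row is dropped from the table together with the High and Low columns, so the new table starts at &man.sendmail.8;. The PR description only says the number of profiles went from four to two. If Moderate and Extreme still differ on inetd, the row should stay with its two remaining values (the old table had NO for Extreme and YES for Moderate). If neither profile sets it any more, please say so in the description so the committer can check it against sysinstall.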
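Review bot: In the last hunk (new lines 2266-2288), the rewritten warning keeps the double negative from the old text: "Even the extreme setting does not mean you do not have to keep up with security issues". Since the sentence is being reworded anyway, a positive form such as "Even with the extreme profile you still have to keep up with security issues ..." reads more clearly. The closing sentence would also benefit from hyphenating "security-to-convenience ratio".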