From owner-freebsd-security Fri Sep 22 12:40:22 2000
Delivered-To: freebsd-security@freebsd.org
Received: from ns1.sunesi.net (ns1.sunesi.net [196.15.192.194]) by hub.freebsd.org (Postfix) with ESMTP id 9302137B424 for ; Fri, 22 Sep 2000 12:40:18 -0700 (PDT)
Received: from nbm by ns1.sunesi.net with local (Exim 3.03 #1) id 13cYg0-0008b4-00; Fri, 22 Sep 2000 21:40:04 +0200
Date: Fri, 22 Sep 2000 21:40:04 +0200
From: Neil Blakey-Milner
To: Brett Glass
Cc: Wes Peters , security@FreeBSD.ORG
Subject: Re: sysinstall DOESN'T ASK, dangerous defaults! (Was: Re: wats so special about freeBSD?)
Message-ID: <20000922214004.A33011@mithrandr.moria.org>
References: <200009221435.e8MEZCs11279@cwsys.cwsent.com> <20000922160123.A29787@mithrandr.moria.org> <200009221435.e8MEZCs11279@cwsys.cwsent.com> <20000922165725.A30364@mithrandr.moria.org> <4.3.2.7.2.20000922122414.00c7c420@localhost>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0.1i
In-Reply-To: <4.3.2.7.2.20000922122414.00c7c420@localhost>; from brett@lariat.org on Fri, Sep 22, 2000 at 12:25:20PM -0600
Organization: Sunesi Clinical Systems
X-Operating-System: FreeBSD 3.3-RELEASE i386
X-URL: http://rucus.ru.ac.za/~nbm/
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri 2000-09-22 (12:25), Brett Glass wrote:
> No; the LACK of certain things in the default install and in sysinstall
> leads to tedious work. It'd be nice to do it once and for all.

If you could be so kind as to check out sysinstall and test out jkh's new
security config levels, your feedback would be appreciated.
High security does: + variable_set2("inetd_enable", "NO", 1); + variable_set2("portmap_enable", "NO", 1); + variable_set2("sendmail_enable", "NO", 1); + variable_set2("sshd_enable", "NO", 1); + variable_set2("nfs_server_enable", "NO", 1); + variable_set2("kern_securelevel_enable", "YES", 1); + variable_set2("kern_securelevel", "2", 1); Medium: + variable_set2("inetd_enable", "YES", 1); + if (!variable_cmp("nfs_client_enable", "YES") || + !variable_cmp("nfs_server_enable", "YES")) + variable_set2("portmap_enable", "YES", 1); + if (!variable_cmp("nfs_server_enable", "YES")) + variable_set2("nfs_reserved_port_only", "YES", 1); + variable_set2("sendmail_enable", "YES", 1); + variable_set2("sshd_enable", "YES", 1); Liberal: + variable_set2("inetd_enable", "YES", 1); + variable_set2("portmap_enable", "YES", 1); + variable_set2("sendmail_enable", "YES", 1); + variable_set2("sshd_enable", "YES", 1); Neil -- Neil Blakey-Milner Sunesi Clinical Systems nbm@mithrandr.moria.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
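Review bot: in the High profile, portmap_enable is forced to NO and nfs_server_enable to NO, but nfs_client_enable is never touched, so an NFS client chosen earlier in the install stays enabled without the portmapper it depends on; the Medium hunk already carries the right test (`if (!variable_cmp("nfs_client_enable", "YES") || !variable_cmp("nfs_server_enable", "YES"))`), and High should either reuse it or set nfs_client_enable to NO as well. Also worth stating in the menu text: with sshd_enable NO the box has no remote login path at all, and kern_securelevel 2 cannot be lowered again without a reboot, so a user who picks "High" for a headless server needs to know that before the first reboot.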
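Review bot: the Medium profile never clears what High set, so a user who selects High and then re-selects Medium in the same sysinstall session keeps kern_securelevel_enable YES, kern_securelevel 2 and nfs_server_enable NO, because Medium only assigns inetd_enable, sendmail_enable, sshd_enable and the conditional portmap/NFS variables; each profile should assign every variable any of the three touches (Medium at least needs `variable_set2("kern_securelevel_enable", "NO", 1);`), or the menu should reset the set before applying a profile. Enabling inetd here also exposes whatever the shipped inetd.conf turns on, which this hunk neither inspects nor restricts; a one-line comment that Medium's exposure is defined by inetd.conf would make that dependency explicit. Minor style point: `!variable_cmp(..., "YES")` reads as "not equal" at first glance; a comment saying the branch fires when the value is YES would help the next reader.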
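Review bot: Liberal sets portmap_enable to YES unconditionally, whereas Medium only enables it when nfs_client_enable or nfs_server_enable is YES; unless "liberal" is meant to run the portmapper with nothing registered behind it, the conditional from the Medium hunk belongs here too. Liberal also drops the `nfs_reserved_port_only` line, so an NFS server enabled under this profile accepts requests from unprivileged source ports; setting it to YES whenever nfs_server_enable is YES costs nothing and matches Medium.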