From: Michael Lucas
To: freebsd-doc@freebsd.org
Subject: Re: docs/30203: description of security profiles in FAQ is just plain wrong
Date: Thu, 30 Aug 2001 15:30:01 -0700 (PDT)
Message-Id: <200108302230.f7UMU1Z66616@freefall.freebsd.org>

The following reply was made to PR docs/30203; it has been noted by GNATS.

From: Michael Lucas
To: Dima Dorfman
Cc: FreeBSD-gnats-submit@freebsd.org
Subject: Re: docs/30203: description of security profiles in FAQ is just plain wrong
Date: Thu, 30 Aug 2001 18:22:46 -0400

On Thu, Aug 30, 2001 at 03:00:25AM -0700, Dima Dorfman wrote:
> Why did all these lines get replaced?

Because my fingers are trained to automatically type esc-Q. :)

Is this more like it?

--
Michael Lucas mwlucas@blackhelicopters.org
http://www.blackhelicopters.org/~mwlucas/
Big Scary Daemons: http://www.oreillynet.com/pub/q/Big_Scary_Daemons

Content-Disposition: attachment; filename="secprof.2"

--- book.sgml-dist Thu Aug 30 11:10:07 2001 +++ book.sgml-secprof Thu Aug 30 11:10:03 2001 
@@ -2178,52 +2178,38 @@ A security profile is a set of configuration options that attempts to achieve the desired ratio of security to convenience by enabling and disabling certain programs and - other settings. The more severe the security profile, the less - programs will be enabled by default; this is one of the basic - principles of security: do not run anything except what you - must. + other settings. The more severe the security profile, the fewer + programs will be enabled by + default. This is one of the basic principles of security: + do not run anything except what you must. Please note that the security profile is just a default setting. All programs can be enabled and disabled after you have installed FreeBSD by editing or adding the appropriate line(s) - to /etc/rc.conf. For more information on - the latter, please see the &man.rc.conf.5; manual page. + to /etc/rc.conf. For more information, + please see the &man.rc.conf.5; manual page. - Following is a table that describes what each security - profile does. The columns are the choices you have for a - security profile, and the rows are the program or feature that - is enabled or disabled. + The following table describes what each of the + security profiles does. The columns are the choices you + have for a security profile, and the rows are the program + or feature that the profile enables or disables. Possible security profiles - + Extreme - High - Moderate - Low - - &man.inetd.8; - - NO - - NO - - YES - - YES - &man.sendmail.8; @@ -2232,9 +2218,6 @@ YES - YES - - YES @@ -2244,9 +2227,6 @@ YES - YES - - YES @@ -2254,8 +2234,6 @@ NO - NO - MAYBE The portmapper is enabled if the machine has been configured as an NFS client or server earlier in the @@ -2263,7 +2241,6 @@ - YES @@ -2271,11 +2248,8 @@ NO - NO - YES - YES @@ -2291,19 +2265,16 @@ - YES (1) - NO - NO
- The security profile is not a silver bullet! Setting - it high does not mean you do not have to keep up with security + The security profile is not a silver bullet! Even if you use the + extreme setting, you need to keep up with security issues by reading an appropriate mailing list, using good passwords and passphrases, and @@ -2311,6 +2282,7 @@ sets up the desired security to convenience ratio out of the box. + The security profile mechanism is meant to be used
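Review bot: the &man.inetd.8; row is deleted outright in the @@ -2178,52 +2178,38 @@ hunk, yet the rewritten introduction still says the rows are "the program or feature that the profile enables or disables", so a reader can no longer tell from the FAQ whether choosing a profile affects inetd at all. If the profile no longer controls inetd, add a sentence near the table saying so and pointing at /etc/rc.conf; otherwise keep the row with values for the two remaining columns. The same hunk drops the High and Low headings, leaving Extreme and Moderate; the table markup is not visible in this rendering, so please confirm the declared column count was reduced to two and that every remaining row (sendmail, sshd, portmapper and the rest) has exactly two cells after the later hunks remove their extra YES/NO entries.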
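Review bot: in the @@ -2291,19 +2265,16 @@ hunk the new warning says "Even if you use the extreme setting", naming the profile in lowercase while the table heading reads "Extreme"; use the same capitalization so the sentence clearly refers to that column. The unchanged continuation "keep up with security issues by reading an appropriate mailing list, using good passwords and passphrases, and" makes good passwords read as a way of keeping up with security issues, so while this sentence is being touched, consider splitting it so that following a security mailing list and using good passwords and passphrases are stated as separate things the administrator still has to do.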