Date: Sat, 9 Dec 2006 14:20:08 GMT From: Niclas Zeising <niclas.zeising@gmail.com> To: freebsd-doc@FreeBSD.org Subject: Re: docs/106494: [patch] add a note regarding the status of the "security profile" setting in sysinstall Message-ID: <200612091420.kB9EK8eO034993@freefall.freebsd.org>
The following reply was made to PR docs/106494; it has been noted by GNATS.

From: Niclas Zeising <niclas.zeising@gmail.com>
To: "Simon L. Nielsen" <simon@FreeBSD.org>
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: docs/106494: [patch] add a note regarding the status of the "security profile" setting in sysinstall
Date: Sat, 09 Dec 2006 15:09:51 +0100

This is a multi-part message in MIME format.
--------------000405050905060004040600
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

Simon L. Nielsen wrote:
> On 2006.12.08 20:07:05 +0000, Niclas Zeising wrote:
>
>> The security profile option in sysinstall which used to pop up
>> during install is no more. Update docs accordingly, adding a note
>> saying that the option is gone.
>>
>> Maybe we can delete the whole section, the option has been gone since 5.2
>
> I think it would be better to delete it - the handbook doesn't
> document that old releases.

I thought so, wasn't 100% sure so I added the note instead.
Attached is a patch that removes the section entirely instead.

>
>> Note: The whole install chapter probably needs a facelift.
>
> That sounds likely.
>

It will take some thinking through, and new screen shots I think.
But we need a decent install chapter, so people know how to install FreeBSD.

Regards!
//Niclas

--------------000405050905060004040600
Content-Type: text/plain; name="install.chapter.sgml.diff"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline; filename="install.chapter.sgml.diff"

--- doc/en_US.ISO8859-1/books/handbook/install/chapter.sgml.orig 2006-12-08 19:46:36.000000000 +0100 +++ doc/en_US.ISO8859-1/books/handbook/install/chapter.sgml 2006-12-09 15:04:18.000000000 +0100 
@@ -2650,184 +2650,6 @@ </sect3> </sect2> - <sect2 id="securityprofile"> - <title>Security Profile</title> - - <para>A <quote>security profile</quote> is a set of - configuration options that attempts to achieve the desired - ratio of security to convenience by enabling and disabling - certain programs and other settings. The more severe the - security profile, the fewer programs will be enabled by - default. This is one of the basic principles of security: do - not run anything except what you must.</para> - - <para>Please note that the security profile is just a default - setting. All programs can be enabled and disabled after you - have installed FreeBSD by editing or adding the appropriate - line(s) to <filename>/etc/rc.conf</filename>. For more - information, please see the &man.rc.conf.5; manual - page.</para> - - <para>The following table describes what each of the security - profiles does. The columns are the choices you have for a - security profile, and the rows are the program or feature that - the profile enables or disables.</para> - - <table> - <title>Possible Security Profiles</title> - - <tgroup cols=3> - <thead> - <row> - <entry></entry> - - <entry>Extreme</entry> - - <entry>Moderate</entry> - </row> - </thead> - - <tbody> - - <row> - <entry>&man.sendmail.8;</entry> - - <entry>NO</entry> - - <entry>YES</entry> - </row> - - <row> - <entry>&man.sshd.8;</entry> - - <entry>NO</entry> - - <entry>YES</entry> - </row> - - <row> - <entry>&man.portmap.8;</entry> - - <entry>NO</entry> - - <entry>MAYBE - <footnote> - <para>The portmapper is enabled if the machine has - been configured as an NFS client or server earlier - in the installation.</para> - </footnote> - </entry> - </row> - - <row> - <entry>NFS server</entry> - - <entry>NO</entry> - - <entry>YES</entry> - </row> - - <row> - <entry>&man.securelevel.8;</entry> - - <entry>YES - <footnote> - <para>If you choose a security profile that sets the - securelevel to <quote>Extreme</quote> or - 
<quote>High</quote>, you must be aware of the - implications. Please read the &man.init.8; - manual page and pay particular attention to the - meanings of the security levels, or you may have - significant trouble later!</para> - </footnote> - </entry> - - <entry>NO</entry> - </row> - </tbody> - </tgroup> - </table> - - <screen> User Confirmation Requested - Do you want to select a default security profile for this host (select - No for "medium" security)? - - [ Yes ] No</screen> - - <para>Selecting &gui.no; and pressing - <keycap>Enter</keycap> will set the security profile to medium.</para> - - <para>Selecting &gui.yes; and pressing - <keycap>Enter</keycap> will allow selecting a different security - profile.</para> - - <figure id="security-profile"> - <title>Security Profile Options</title> - - <mediaobject> - <imageobject> - <imagedata fileref="install/security" format="PNG"> - </imageobject> - </mediaobject> - </figure> - - <para>Press <keycap>F1</keycap> to display the help. Press - <keycap>Enter</keycap> to return to selection menu.</para> - - <para>Use the arrow keys to choose <guimenuitem>Medium</guimenuitem> - unless your are sure that another level is required for your needs. - With &gui.ok; highlighted, press - <keycap>Enter</keycap>.</para> - - <para>An appropriate confirmation message will display depending on - which security setting was chosen.</para> - - <screen> Message - -Moderate security settings have been selected. - -Sendmail and SSHd have been enabled, securelevels are -disabled, and NFS server setting have been left intact. -PLEASE NOTE that this still does not save you from having -to properly secure your system in other ways or exercise -due diligence in your administration, this simply picks -a standard set of out-of-box defaults to start with. - -To change any of these settings later, edit /etc/rc.conf - - [OK]</screen> - - <screen> Message - -Extreme security settings have been selected. 
- -Sendmail, SSHd, and NFS services have been disabled, and -securelevels have been enabled. -PLEASE NOTE that this still does not save you from having -to properly secure your system in other ways or exercise -due diligence in your administration, this simply picks -a more secure set of out-of-box defaults to start with. - -To change any of these settings later, edit /etc/rc.conf - - [OK]</screen> - - <para>Press <keycap>Enter</keycap> to continue with the - post-installation configuration.</para> - - <warning> - <para>The security profile is not a silver bullet! Even if - you use the extreme setting, you need to keep up with - security issues by reading an appropriate mailing - list (<xref linkend="eresources-mail">), - using good passwords and passphrases, and - generally adhering to good security practices. It simply - sets up the desired security to convenience ratio out of the - box.</para> - </warning> - - </sect2> - <sect2 id="console"> <title>System Console Settings</title> --------------000405050905060004040600--
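Review bot: Deleting the whole <sect2 id="securityprofile"> block also deletes the ids "securityprofile" and "security-profile" (the figure), so any xref or link elsewhere in the handbook that points at either id will no longer resolve; please search the doc tree for both ids before committing and fix or drop those references in the same change. The removed figure is the only visible user of the image fileref="install/security", so the PNG and its entry wherever the book's images are listed should go with it, otherwise an orphaned file stays in the tree. The closing <warning> in the removed block (follow a security mailing list via eresources-mail, use good passwords and passphrases) and the first paragraph's "do not run anything except what you must" are general advice rather than anything specific to the sysinstall prompt; consider keeping a short form of that text in the post-installation part of the chapter, pointing at /etc/rc.conf and rc.conf(5), so the install chapter still tells a new administrator that services such as sendmail and sshd are controlled there.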