Date: Sat, 9 Dec 2006 14:20:08 GMT
Message-Id: <200612091420.kB9EK8eO034993@freefall.freebsd.org>
To: freebsd-doc@FreeBSD.org
From: Niclas Zeising
Subject: Re: docs/106494: [patch] add a note regarding the status of the "security profile" setting in sysinstall

The following reply was made to PR docs/106494; it has been noted by GNATS.

From: Niclas Zeising
To: "Simon L. Nielsen"
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: docs/106494: [patch] add a note regarding the status of the "security profile" setting in sysinstall
Date: Sat, 09 Dec 2006 15:09:51 +0100

Simon L. Nielsen wrote:
> On 2006.12.08 20:07:05 +0000, Niclas Zeising wrote:
>
>> The security profile option in sysinstall which used to pop up
>> during install is no more. Update docs accordingly, adding a note
>> saying that the option is gone.
>>
>> Maybe we can delete the whole section, the option has been gone since 5.2
>
> I think it would be better to delete it - the handbook doesn't
> document that old releases.

I thought so, wasn't 100% sure so I added the note instead.
Attached is a patch that removes the section entirely instead.

>
>> Note: The whole install chapter probably needs a facelift.
>
> That sounds likely.
>

It will take some thinking through, and new screen shots I think. But we
need a decent install chapter, so people know how to install FreeBSD.

Regards!
//Niclas

--- doc/en_US.ISO8859-1/books/handbook/install/chapter.sgml.orig 2006-12-08 19:46:36.000000000 +0100
+++ doc/en_US.ISO8859-1/books/handbook/install/chapter.sgml 2006-12-09 15:04:18.000000000 +0100
@@ -2650,184 +2650,6 @@ - - Security Profile - - A security profile is a set of - configuration options that attempts to achieve the desired - ratio of security to convenience by enabling and disabling - certain programs and other settings. The more severe the - security profile, the fewer programs will be enabled by - default. This is one of the basic principles of security: do - not run anything except what you must. - - Please note that the security profile is just a default - setting. All programs can be enabled and disabled after you - have installed FreeBSD by editing or adding the appropriate - line(s) to /etc/rc.conf. For more - information, please see the &man.rc.conf.5; manual - page. - - The following table describes what each of the security - profiles does. The columns are the choices you have for a - security profile, and the rows are the program or feature that - the profile enables or disables. - - - Possible Security Profiles - - - - - - - Extreme - - Moderate - - - - - - - &man.sendmail.8; - - NO - - YES - - - - &man.sshd.8; - - NO - - YES - - - - &man.portmap.8; - - NO - - MAYBE - - The portmapper is enabled if the machine has - been configured as an NFS client or server earlier - in the installation. - - - - - - NFS server - - NO - - YES - - - - &man.securelevel.8; - - YES - - If you choose a security profile that sets the - securelevel to Extreme or - High, you must be aware of the - implications. Please read the &man.init.8; - manual page and pay particular attention to the - meanings of the security levels, or you may have - significant trouble later! - - - - NO - - - -
- - User Confirmation Requested - Do you want to select a default security profile for this host (select - No for "medium" security)? - - [ Yes ] No - - Selecting &gui.no; and pressing - Enter will set the security profile to medium. - - Selecting &gui.yes; and pressing - Enter will allow selecting a different security - profile. - -
- Security Profile Options - - - - - - -
- - Press F1 to display the help. Press - Enter to return to selection menu. - - Use the arrow keys to choose Medium - unless your are sure that another level is required for your needs. - With &gui.ok; highlighted, press - Enter. - - An appropriate confirmation message will display depending on - which security setting was chosen. - - Message - -Moderate security settings have been selected. - -Sendmail and SSHd have been enabled, securelevels are -disabled, and NFS server setting have been left intact. -PLEASE NOTE that this still does not save you from having -to properly secure your system in other ways or exercise -due diligence in your administration, this simply picks -a standard set of out-of-box defaults to start with. - -To change any of these settings later, edit /etc/rc.conf - - [OK] - - Message - -Extreme security settings have been selected. - -Sendmail, SSHd, and NFS services have been disabled, and -securelevels have been enabled. -PLEASE NOTE that this still does not save you from having -to properly secure your system in other ways or exercise -due diligence in your administration, this simply picks -a more secure set of out-of-box defaults to start with. - -To change any of these settings later, edit /etc/rc.conf - - [OK] - - Press Enter to continue with the - post-installation configuration. - - - The security profile is not a silver bullet! Even if - you use the extreme setting, you need to keep up with - security issues by reading an appropriate mailing - list (), - using good passwords and passphrases, and - generally adhering to good security practices. It simply - sets up the desired security to convenience ratio out of the - box. - - -
- System Console Settings --------------000405050905060004040600--
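
Review bot: The removed block at -2650,184 carries general guidance that does not depend on the sysinstall dialog, and the patch adds nothing in its place. Three pieces go with it: the statement that services can be enabled or disabled after installation by editing /etc/rc.conf (with the pointer to &man.rc.conf.5;), the securelevel warning that sends the reader to &man.init.8;, and the closing reminder about following a security mailing list and using good passwords and passphrases. Please confirm each of these is still covered elsewhere in the install chapter or the security chapter, or keep a short paragraph before "System Console Settings" that retains the rc.conf pointer. Since the table "Possible Security Profiles" and the figure "Security Profile Options" are deleted as well, it is also worth checking that no other chapter still cross-references them.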