Date: Wed, 14 Feb 2001 13:39:30 -0500 (EST)
From: Rob Simmons <rsimmons@wlcg.com>
To: Kris Kennaway <kris@obsecurity.org>
Cc: Ragnar Beer <rbeer@uni-goettingen.de>, freebsd-security@FreeBSD.ORG
Subject: Re: security settings documentation
Message-ID: <Pine.BSF.4.21.0102141338370.15577-100000@mail.wlcg.com>
In-Reply-To: <20010214092909.B72301@mollari.cthul.hu>

Default System Security Profile

Extreme
=========================================================
Adds the following settings to /etc/rc.conf

inetd_enable="NO"
portmap_enable="NO"
sendmail_enable="NO"
sshd_enable="NO"
nfs_server_enable="NO"
kern_securelevel_enable="YES"
kern_securelevel="2"

At this level the following services are disabled:

inetd
portmap
sendmail
sshd
NFS

The kernel securelevels are enabled and raised to level 2
---------------------------------------------------------

High
=========================================================
Adds the following settings to /etc/rc.conf

inetd_enable="NO"
sendmail_enable="YES"
sshd_enable="YES"
portmap_enable="NO"
nfs_server_enable="NO"
kern_securelevel_enable="YES"
kern_securelevel="1"

At this level the following services are disabled:

inetd
portmap
NFS

Kernel securelevel is enabled and raised to level 1
---------------------------------------------------------

Medium
=========================================================
Adds the following settings to /etc/rc.conf

inetd_enable="YES"
sendmail_enable="YES"
sshd_enable="YES"

If the machine has been set up as a NFS client or server:
portmap_enable="YES"

If the machine has not been set up as a NFS server:
nfs_reserved_port_only="YES"

At this level the following services are enabled:

inetd
sendmail
sshd

Depending on whether the machine is set up as a NFS client or server:
Client: portmap
Server: portmap and NFS is only provided on a secure port

Kernel securelevel is not enabled
---------------------------------------------------------

Low
=========================================================
Adds the following settings to /etc/rc.conf

inetd_enable="YES"
sendmail_enable="YES"
portmap_enable="YES"
sshd_enable="YES"

At this level the following services are enabled:

inetd
sendmail
portmap
sshd

Kernel securelevel is not enabled
---------------------------------------------------------

Robert Simmons
Systems Administrator
http://www.wlcg.com/

On Wed, 14 Feb 2001, Kris Kennaway wrote:

> On Wed, Feb 14, 2001 at 12:10:04PM -0500, Rob Simmons wrote:
> > Read the man page for init(8)
>
> No, that's not it - he's talking about the "low/medium/high" settings
> in sysinstall. I don't think a good documentation source really
> exists at the moment - you should check the code in
> /usr/src/releases/sysinstall/config.c and look at the rc.conf
> variables it sets.
>
> Then write up some documentation for us and send it to doc@freebsd.org
> :-)
>
> Kris

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
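
Added example (not part of the original message and not sysinstall code): a shell check that compares an rc.conf-style file against the four profiles exactly as listed in the message above, reporting each setting that has drifted. The function names, the constructed sample file and the choice not to read /etc/defaults/rc.conf are assumptions of this example.

```sh
#!/bin/sh
# Added example: compare an rc.conf-style file against the profiles listed above.
# Medium's NFS-dependent settings are conditional in the message and are skipped.
profile_settings() {
    case "$1" in
    extreme) echo "inetd_enable=NO portmap_enable=NO sendmail_enable=NO sshd_enable=NO" \
                  "nfs_server_enable=NO kern_securelevel_enable=YES kern_securelevel=2" ;;
    high)    echo "inetd_enable=NO sendmail_enable=YES sshd_enable=YES portmap_enable=NO" \
                  "nfs_server_enable=NO kern_securelevel_enable=YES kern_securelevel=1" ;;
    medium)  echo "inetd_enable=YES sendmail_enable=YES sshd_enable=YES" ;;
    low)     echo "inetd_enable=YES sendmail_enable=YES portmap_enable=YES sshd_enable=YES" ;;
    *)       return 1 ;;
    esac
}

# rc_get FILE VAR: print VAR's effective value. rc.conf is sourced as shell,
# so the last assignment wins; commented-out lines never match.
rc_get() {
    sed -n "s/^[[:space:]]*$2=[\"']\{0,1\}\([^\"'#[:space:]]*\).*/\1/p" "$1" | tail -n 1
}

# check_profile PROFILE FILE: print one line per deviation.
# Returns 0 on a match, 1 on deviations, 2 for an unknown profile.
# A variable missing from FILE is reported as "unset"; /etc/defaults/rc.conf
# is not consulted (assumption of this example).
check_profile() {
    settings=$(profile_settings "$1") || { echo "unknown profile: $1" >&2; return 2; }
    rc=0
    for kv in $settings; do
        var=${kv%%=*}; want=${kv#*=}
        have=$(rc_get "$2" "$var" | tr '[:lower:]' '[:upper:]')
        if [ "$have" != "$want" ]; then
            echo "$var: expected $want, found ${have:-unset}"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: installed at "High", inetd re-enabled afterwards.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
printf '%s\n' 'inetd_enable="NO"' 'sendmail_enable="YES"' 'sshd_enable="YES"' \
    'portmap_enable="NO"' 'nfs_server_enable="NO"' 'kern_securelevel_enable="YES"' \
    'kern_securelevel="1"' '#sshd_enable="NO"' 'inetd_enable="YES"  # added later' > "$sample"
check_profile high "$sample" || true   # prints: inetd_enable: expected NO, found YES
```

On a real host the second argument would be /etc/rc.conf, and the exit status makes the check usable from a periodic job.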