From owner-freebsd-stable Wed Mar 7 3:27:22 2001
Delivered-To: freebsd-stable@freebsd.org
Received: from www.golsyd.net.au (golsyd.net.au [203.57.20.1])
    by hub.freebsd.org (Postfix) with ESMTP id 6194D37B71B
    for ; Wed, 7 Mar 2001 03:27:18 -0800 (PST)
    (envelope-from kaltorak@quake.com.au)
Received: from [203.164.12.28] by www.quake.com.au
    (NTMail 4.30.0012/AB6169.63.5724aadf) with ESMTP id ctmaaaaa
    for ; Wed, 7 Mar 2001 22:26:38 +1100
Message-ID: <3AA61B96.D9C91B5E@quake.com.au>
Date: Wed, 07 Mar 2001 22:29:26 +1100
From: Kal Torak
X-Mailer: Mozilla 4.73 [en] (Win98; U)
X-Accept-Language: en
MIME-Version: 1.0
Cc: FreeBSD-stable
Subject: Re: Security Level in Sysinstall
References: <3AA61689.D6E5CEF3@quake.com.au> <20010307031052.A38464@mollari.cthul.hu>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Kris Kennaway wrote:
>
> Check the -security archives for about 3 or 4 weeks ago -- someone
> posted a big list of all of the things which the security setting in
> sysinstall does, which will hopefully make its way into the Official
> Documentation at some point.

Thanks, just in case anyone else was wondering and couldn't find / be
bothered searching the security archives I will post what the levels
do here...
Since it is something that was only added in 4.2 I'm sure plenty of
people will wonder what it all does!

Extreme
=========================================================
Adds the following settings to /etc/rc.conf

inetd_enable="NO"
portmap_enable="NO"
sendmail_enable="NO"
sshd_enable="NO"
nfs_server_enable="NO"
kern_securelevel_enable="YES"
kern_securelevel="2"

At this level the following services are disabled:
inetd
portmap
sendmail
sshd
NFS

The kernel securelevels are enabled and raised to level 2
---------------------------------------------------------

High
=========================================================
Adds the following settings to /etc/rc.conf

inetd_enable="NO"
sendmail_enable="YES"
sshd_enable="YES"
portmap_enable="NO"
nfs_server_enable="NO"
kern_securelevel_enable="YES"
kern_securelevel="1"

At this level the following services are disabled:
inetd
portmap
NFS

Kernel securelevel is enabled and raised to level 1
---------------------------------------------------------

Medium
=========================================================
Adds the following settings to /etc/rc.conf

inetd_enable="YES"
sendmail_enable="YES"
sshd_enable="YES"

If the machine has been set up as a NFS client or server:
portmap_enable="YES"

If the machine has not been set up as a NFS server:
nfs_reserved_port_only="YES"

At this level the following services are enabled:
inetd
sendmail
sshd

Depending on whether the machine is set up as a NFS client or server:
Client: portmap
Server: portmap and NFS is only provided on a secure port

Kernel securelevel is not enabled
---------------------------------------------------------

Low
=========================================================
Adds the following settings to /etc/rc.conf

inetd_enable="YES"
sendmail_enable="YES"
portmap_enable="YES"
sshd_enable="YES"

At this level the following services are enabled:
inetd
sendmail
portmap
sshd

Kernel securelevel is not enabled
---------------------------------------------------------
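Added example, not part of the original post or of sysinstall: a small sh audit that compares an rc.conf-style file with the "High" settings listed above and reports any that a later line has overridden or that are missing. The names rc_value, audit_high and sample_rc_conf and the sample file contents are constructed for illustration.

```sh
#!/bin/sh
# Added example: compare an rc.conf-style file with the "High" profile above.

# Settings the post lists for "High" (quotes dropped for comparison).
HIGH_PROFILE='inetd_enable=NO sendmail_enable=YES sshd_enable=YES
portmap_enable=NO nfs_server_enable=NO
kern_securelevel_enable=YES kern_securelevel=1'

# rc_value FILE VAR: print the last value assigned to VAR, upper-cased.
# Later lines win, as they do when rc.conf is sourced at boot.
# The file is only parsed as text, never executed.
rc_value() {
    sed -n "s/^[[:space:]]*$2=[\"']\{0,1\}\([^\"'#[:space:]]*\).*/\1/p" "$1" |
        tail -n 1 | tr '[:lower:]' '[:upper:]'
}

# audit_high FILE: print one line per setting that differs from "High".
# An unset variable is reported too: its value then comes from
# /etc/defaults/rc.conf, which this sketch does not read.
audit_high() {
    for pair in $HIGH_PROFILE; do
        var=${pair%%=*}
        want=${pair#*=}
        got=$(rc_value "$1" "$var")
        [ "$got" = "$want" ] || echo "$var: want $want, got ${got:-<unset>}"
    done
}

# Constructed sample: the "High" settings, then two later lines that undo them.
sample_rc_conf() {
    cat <<'EOF'
hostname="host.example.invalid"
inetd_enable="NO"
sendmail_enable="YES"
sshd_enable="YES"
portmap_enable="NO"
nfs_server_enable="NO"
kern_securelevel_enable="YES"
kern_securelevel="1"
# later edit appended by hand
inetd_enable="yes"
kern_securelevel="-1"
EOF
}

tmp=$(mktemp) && sample_rc_conf > "$tmp"
audit_high "$tmp"    # reports inetd_enable and kern_securelevel
rm -f "$tmp"
```

On a real host, point audit_high at /etc/rc.conf; an empty result means every setting in the "High" list is present with the listed value.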