Lines 2421-2426
          </answer>
        </qandaentry>

        <qandaentry>
          <question id="security-profiles">
            <para>What are these <quote>security profiles</quote>?</para>
          </question>

          <answer>
            <para>A <quote>security profile</quote> is a set of configuration
              options that attempts to achieve the desired ratio of security
              to convenience by enabling and disabling certain programs and
              other settings.  The more severe the security profile, the fewer
              programs are enabled by default; this is one of the basic
              principles of security: do not run anything except what you
              must.</para>

            <para>Please note that the security profile is just a default
              setting.  All programs can be enabled and disabled after you have
              installed FreeBSD by editing <filename>/etc/rc.conf</filename>
              and adding or changing the appropriate line(s).  For more
              information on the latter, please see the &man.rc.conf.5; manual
              page.</para>

            <para>Following is a table that describes what each security
              profile does.  The columns are the choices you have for a
              security profile, and the rows are the program or feature that
              is enabled or disabled.</para>

            <table>
              <title>Possible security profiles</title>

              <tgroup cols=5>
                <thead>
                  <row>
                    <entry></entry>
                    <entry>Extreme</entry>
                    <entry>High</entry>
                    <entry>Moderate</entry>
                    <entry>Low</entry>
                  </row>
                </thead>

                <tbody>
                  <row>
                    <entry>&man.inetd.8;</entry>
                    <entry>NO</entry>
                    <entry>NO</entry>
                    <entry>YES</entry>
                    <entry>YES</entry>
                  </row>

                  <row>
                    <entry>&man.sendmail.8;</entry>
                    <entry>NO</entry>
                    <entry>YES</entry>
                    <entry>YES</entry>
                    <entry>YES</entry>
                  </row>

                  <row>
                    <entry>&man.sshd.8;</entry>
                    <entry>NO</entry>
                    <entry>YES</entry>
                    <entry>YES</entry>
                    <entry>YES</entry>
                  </row>

                  <row>
                    <entry>&man.portmap.8;</entry>
                    <entry>NO</entry>
                    <entry>NO</entry>
                    <entry>[1]</entry>
                    <entry>YES</entry>
                  </row>

                  <row>
                    <entry>NFS server</entry>
                    <entry>NO</entry>
                    <entry>NO</entry>
                    <entry>YES</entry>
                    <entry>YES</entry>
                  </row>

                  <row>
                    <entry>man.securelevel.XXX</entry>
                    <entry>YES (2) [2]</entry>
                    <entry>YES (1) [2]</entry>
                    <entry>NO</entry>
                    <entry>NO</entry>
                  </row>
                </tbody>
              </tgroup>
            </table>

            <para>Notes:</para>

            <orderedlist>
              <listitem>
                <para>The portmapper is enabled if the machine has been
                  configured as an NFS client or server earlier in the
                  installation.</para>
              </listitem>

              <listitem>
                <para>If you choose a security profile that sets the
                  securelevel (Extreme or High), you must be aware of the
                  implications.  Please read the &man.init.8; manual page
                  and pay particular attention to the meanings of the
                  security levels, or you may have significant trouble
                  later!</para>
              </listitem>
            </orderedlist>

            <warning>
              <para>The security profile is not a silver bullet!  Setting
                it high does not mean you do not have to keep up with security
                issues by reading an appropriate <ulink
                url="../handbook/eresources.html#ERESOURCES-MAIL">mailing
                list</ulink>, using good passwords and passphrases, and
                generally adhering to good security practices.  It simply
                sets up the desired security to convenience ratio out of
                the box.</para>
            </warning>

            <note>
              <para>The security profile mechanism is meant to be used
                when you first install FreeBSD.  If you already have
                FreeBSD installed, it would probably be more beneficial to
                simply enable or disable the desired functionality.  If
                you really want to use a security profile, you can re-run
                &man.sysinstall.8; to set it.</para>
            </note>
          </answer>
        </qandaentry>
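As an added example (not code from the FreeBSD FAQ, sysinstall or rc.conf(5) itself), the POSIX sh script below writes each profile from the table above as rc.conf(5) lines and audits an existing rc.conf against a chosen profile, the way an administrator would check a box whose profile was picked at install time and edited since. The knob names it assumes are the FreeBSD 4.x-era ones (inetd_enable, sendmail_enable, sshd_enable, portmap_enable, nfs_server_enable, kern_securelevel_enable and kern_securelevel; portmap_enable was later renamed rpcbind_enable), and the rc.conf it audits when run without arguments is constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the FreeBSD FAQ or of sysinstall: the profiles
# from the table above expressed as rc.conf(5) knobs, plus an audit of an
# existing rc.conf against a chosen profile. Knob names are the FreeBSD 4.x
# ones (inetd_enable, sendmail_enable, sshd_enable, portmap_enable,
# nfs_server_enable, kern_securelevel_enable, kern_securelevel);
# portmap_enable was later renamed rpcbind_enable.

# Print knob="value" lines for one profile, in table order. "-" means the
# profile does not pin that knob: Moderate leaves portmap to the NFS
# client/server answer (note [1]), and the profiles that keep the
# securelevel off do not write kern_securelevel at all.
profile_knobs() {
    case "$1" in
    extreme)  _k='NO NO NO NO NO YES 2' ;;
    high)     _k='NO YES YES NO NO YES 1' ;;
    moderate) _k='YES YES YES - YES NO -' ;;
    low)      _k='YES YES YES YES YES NO -' ;;
    *) echo "unknown profile: $1 (extreme|high|moderate|low)" >&2; return 1 ;;
    esac
    set -- $_k
    for knob in inetd_enable sendmail_enable sshd_enable portmap_enable \
                nfs_server_enable kern_securelevel_enable kern_securelevel; do
        [ "$1" = "-" ] || echo "$knob=\"$1\""
        shift
    done
}

# Effective value of knob $2 in rc.conf file $1. sh sources the file, so the
# last assignment wins; quotes and trailing comments are stripped.
rc_value() {
    sed -n "s/^[[:space:]]*$2=[\"']*\([^\"'#[:space:]]*\).*/\1/p" "$1" | tail -n 1
}

# Fold a boolean knob the way rc.subr(8)'s checkyesno does: yes/true/on/1
# and no/false/off/0, case-insensitive. Anything else (a typo such as
# "YSE") is returned unchanged so it surfaces as a deviation.
norm_bool() {
    case $(printf '%s' "$1" | tr '[:lower:]' '[:upper:]') in
    YES|TRUE|ON|1)  echo YES ;;
    NO|FALSE|OFF|0) echo NO ;;
    *)              printf '%s\n' "$1" ;;
    esac
}

# Audit rc.conf file $2 against profile $1: print one line per knob that
# differs from the profile and return 1 if any did. A pinned knob the file
# never sets is reported too, since it then inherits /etc/defaults/rc.conf.
audit_rc_conf() {
    profile_knobs "$1" >/dev/null || return 2
    _report=$(profile_knobs "$1" | while IFS='=' read -r knob want; do
        want=${want#\"}; want=${want%\"}
        have=$(rc_value "$2" "$knob")
        if [ -z "$have" ]; then
            echo "$knob: profile wants $want, rc.conf leaves it unset (inherits /etc/defaults/rc.conf)"
            continue
        fi
        case $knob in
        *_enable) cmp=$(norm_bool "$have") ;;
        *)        cmp=$have ;;
        esac
        [ "$cmp" = "$want" ] || echo "$knob: profile wants $want, rc.conf has $have"
    done)
    [ -n "$_report" ] || return 0
    printf '%s\n' "$_report"
    return 1
}

# Constructed sample rc.conf for the demo, not taken from any real host. The
# repeated inetd_enable line shows why rc_value keeps the last assignment.
demo_rc_conf() {
    cat <<'EOF'
hostname="example.test"
sshd_enable="YES"
sendmail_enable="NO"
inetd_enable="NO"
inetd_enable="yes"        # later line wins when sh sources the file
nfs_server_enable="NO"
kern_securelevel_enable="YES"
kern_securelevel="1"
EOF
}

# Usage: sh profile_audit.sh <profile> [rc.conf]. With no arguments, audit
# the constructed sample against the High profile and report without failing.
if [ $# -gt 0 ]; then
    audit_rc_conf "$1" "${2:-/etc/rc.conf}"
else
    _tmp=$(mktemp) && demo_rc_conf > "$_tmp"
    if audit_rc_conf high "$_tmp"; then
        echo "sample matches the High profile"
    else
        echo "sample deviates from the High profile (see above)"
    fi
    rm -f "$_tmp"
fi
```

Against the constructed sample, the High profile reports three deviations: inetd_enable is effectively "yes" because the later line wins, sendmail_enable is NO where High wants YES, and portmap_enable is never set, so it falls back to /etc/defaults/rc.conf. The audit deliberately does not source the file (an rc.conf is arbitrary sh), and it only checks the knobs a profile pins; as the warning above says, matching a profile tells you nothing about patch level, passwords or anything else the profile never touched.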
      </qandaset>
    </chapter>