|
Lines 2421-2426
|
| 2421 |
|
2421 |
|
| 2422 |
</answer> |
2422 |
</answer> |
| 2423 |
</qandaentry> |
2423 |
</qandaentry> |
|
|
2424 |
|
| 2425 |
<qandaentry> |
| 2426 |
<question id="security-profiles"> |
| 2427 |
<para>What are these <quote>security profiles</quote>?</para> |
| 2428 |
</question> |
| 2429 |
|
| 2430 |
<answer> |
| 2431 |
<para>A <quote>security profile</quote> is a set of configuration |
| 2432 |
options that attempts to achieve the desired ratio of security |
| 2433 |
to convenience by enabling and disabling certain programs and |
| 2434 |
other settings. The more severe the security profile, the less |
| 2435 |
programs will be enabled by default; this is one of the basic |
| 2436 |
principles of security: do not run anything except what you |
| 2437 |
must.</para> |
| 2438 |
|
| 2439 |
<para>Please note that the security profile is just a default |
| 2440 |
setting. All programs can be enabled and disabled after you've |
| 2441 |
installed FreeBSD by editing or adding the appropriate line(s) |
| 2442 |
to <filename>/etc/rc.conf</filename>. For more information on |
| 2443 |
the latter, please see the &man.rc.conf.5; manual page.</para> |
| 2444 |
|
| 2445 |
<para>Following is a table that describes what each security |
| 2446 |
profile does. The columns are the choices you have for a |
| 2447 |
security profile, and the rows are the program or feature that |
| 2448 |
is enabled or disabled.</para> |
| 2449 |
|
| 2450 |
<table> |
| 2451 |
<title>Possible security profiles</title> |
| 2452 |
|
| 2453 |
<tgroup cols=5> |
| 2454 |
<thead> |
| 2455 |
<row> |
| 2456 |
<entry></entry> |
| 2457 |
|
| 2458 |
<entry>Extreme</entry> |
| 2459 |
|
| 2460 |
<entry>High</entry> |
| 2461 |
|
| 2462 |
<entry>Moderate</entry> |
| 2463 |
|
| 2464 |
<entry>Low</entry> |
| 2465 |
</row> |
| 2466 |
</thead> |
| 2467 |
|
| 2468 |
<tbody> |
| 2469 |
<row> |
| 2470 |
<entry>&man.inetd.8;</entry> |
| 2471 |
|
| 2472 |
<entry>NO</entry> |
| 2473 |
|
| 2474 |
<entry>NO</entry> |
| 2475 |
|
| 2476 |
<entry>YES</entry> |
| 2477 |
|
| 2478 |
<entry>YES</entry> |
| 2479 |
</row> |
| 2480 |
|
| 2481 |
<row> |
| 2482 |
<entry>&man.sendmail.8;</entry> |
| 2483 |
|
| 2484 |
<entry>NO</entry> |
| 2485 |
|
| 2486 |
<entry>YES</entry> |
| 2487 |
|
| 2488 |
<entry>YES</entry> |
| 2489 |
|
| 2490 |
<entry>YES</entry> |
| 2491 |
</row> |
| 2492 |
|
| 2493 |
<row> |
| 2494 |
<entry>&man.sshd.8;</entry> |
| 2495 |
|
| 2496 |
<entry>NO</entry> |
| 2497 |
|
| 2498 |
<entry>YES</entry> |
| 2499 |
|
| 2500 |
<entry>YES</entry> |
| 2501 |
|
| 2502 |
<entry>YES</entry> |
| 2503 |
</row> |
| 2504 |
|
| 2505 |
<row> |
| 2506 |
<entry>&man.portmap.8;</entry> |
| 2507 |
|
| 2508 |
<entry>NO</entry> |
| 2509 |
|
| 2510 |
<entry>NO</entry> |
| 2511 |
|
| 2512 |
<entry>[1]</entry> |
| 2513 |
|
| 2514 |
<entry>YES</entry> |
| 2515 |
</row> |
| 2516 |
|
| 2517 |
<row> |
| 2518 |
<entry>NFS server</entry> |
| 2519 |
|
| 2520 |
<entry>NO</entry> |
| 2521 |
|
| 2522 |
<entry>NO</entry> |
| 2523 |
|
| 2524 |
<entry>YES</entry> |
| 2525 |
|
| 2526 |
<entry>YES</entry> |
| 2527 |
</row> |
| 2528 |
|
| 2529 |
<row> |
| 2530 |
<entry>man.securelevel.XXX</entry> |
| 2531 |
|
| 2532 |
<entry>YES (2) [2]</entry> |
| 2533 |
|
| 2534 |
<entry>YES (1) [2]</entry> |
| 2535 |
|
| 2536 |
<entry>NO</entry> |
| 2537 |
|
| 2538 |
<entry>NO</entry> |
| 2539 |
</row> |
| 2540 |
</tbody> |
| 2541 |
</tgroup> |
| 2542 |
</table> |
| 2543 |
|
| 2544 |
<para>Notes:</para> |
| 2545 |
|
| 2546 |
<para> |
| 2547 |
<orderedlist> |
| 2548 |
<listitem> |
| 2549 |
<para>The portmapper is enabled if the machine has been |
| 2550 |
configured as an NFS client or server earlier in the |
| 2551 |
installation.</para> |
| 2552 |
</listitem> |
| 2553 |
|
| 2554 |
<listitem> |
| 2555 |
<para>If you choose a security profile that sets the |
| 2556 |
securelevel (Extreme or High), you must be aware of the |
| 2557 |
implications. Please read the &man.init.8; manual page |
| 2558 |
and pay particular attention to the meanings of the |
| 2559 |
security levels, or you may have significant trouble |
| 2560 |
later!</para> |
| 2561 |
</listitem> |
| 2562 |
</orderedlist> |
| 2563 |
</para> |
| 2564 |
|
| 2565 |
<para> |
| 2566 |
<warning> |
| 2567 |
<para>The security profile is not a silver bullet! Setting |
| 2568 |
it high does not mean you do have to keep up with security |
| 2569 |
issues by reading an appropriate <ulink |
| 2570 |
url="../handbook/eresources.html#ERESOURCES-MAIL">mailing |
| 2571 |
list</ulink>, using good passwords and passphrases, and |
| 2572 |
generally adhering to good security practices. It simply |
| 2573 |
sets up the desired security to convenience ration out of |
| 2574 |
the box.</para> |
| 2575 |
</warning> |
| 2576 |
|
| 2577 |
<note> |
| 2578 |
<para>The security profile mechanism is meant to be used |
| 2579 |
when you first install FreeBSD. If you already have |
| 2580 |
FreeBSD installed, it would probably be more beneficial to |
| 2581 |
simply enable or disable the desired functionality. If |
| 2582 |
you really want to use a security profile, you can re-run |
| 2583 |
&man.sysinstall.8; to set it.</para> |
| 2584 |
</note> |
| 2585 |
</para> |
| 2586 |
</answer> |
| 2587 |
</qandaentry> |
| 2424 |
</qandaset> |
2588 |
</qandaset> |
| 2425 |
</chapter> |
2589 |
</chapter> |
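Review bot: the `<warning>` paragraph in the new qandaentry (the block beginning `<para>The security profile is not a silver bullet! Setting`) inverts its own meaning: `it high does not mean you do have to keep up with security` is missing a "not", so as written it tells the reader that a high profile exempts them from following security issues, the opposite of what the rest of the sentence argues. Suggest `Setting it high does not mean you do not have to keep up with security issues`, or more plainly `Setting it high does not relieve you of keeping up with security issues`. Two lines further on, `security to convenience ration` should read `ratio`. In the table, the last row label `<entry>man.securelevel.XXX</entry>` is an unresolved placeholder rather than a reference: every other row uses a `&man.xxx.8;` entity, and note [2] already sends readers to `&man.init.8;` for the securelevel semantics, so either label the row plainly as `securelevel` or write `<entry>securelevel (see &man.init.8;)</entry>` to match. Minor points: `the less programs will be enabled by default` should be `fewer programs`, and wrapping `<orderedlist>`, `<warning>` and `<note>` inside `<para>` elements is unusual DocBook, since these are block elements and can sit directly inside `<answer>`.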