FreeBSD Bugzilla – Attachment 13450 Details for
Bug 25599
[PATCH] New FAQ entry: describe sysinstall security profiles
file.diff (text/plain), 5.63 KB, created by
dima
on 2001-03-08 03:10:02 UTC
>Index: book.sgml >=================================================================== >RCS file: /st/src/FreeBSD/doc/en_US.ISO_8859-1/books/faq/book.sgml,v >retrieving revision 1.147 >diff -u -r1.147 book.sgml >--- book.sgml 2001/02/28 22:47:51 1.147 >+++ book.sgml 2001/03/08 03:00:41 
>@@ -2421,6 +2421,170 @@ > > </answer> > </qandaentry> >+ >+ <qandaentry> >+ <question id="security-profiles"> >+ <para>What are these <quote>security profiles</quote>?</para> >+ </question> >+ >+ <answer> >+ <para>A <quote>security profile</quote> is a set of configuration >+ options that attempts to achieve the desired ratio of security >+ to convenience by enabling and disabling certain programs and >+ other settings. The more severe the security profile, the less >+ programs will be enabled by default; this is one of the basic >+ principles of security: do not run anything except what you >+ must.</para> >+ >+ <para>Please note that the security profile is just a default >+ setting. All programs can be enabled and disabled after you've >+ installed FreeBSD by editing or adding the appropriate line(s) >+ to <filename>/etc/rc.conf</filename>. For more information on >+ the latter, please see the &man.rc.conf.5; manual page.</para> >+ >+ <para>Following is a table that describes what each security >+ profile does. 
The columns are the choices you have for a >+ security profile, and the rows are the program or feature that >+ is enabled or disabled.</para> >+ >+ <table> >+ <title>Possible security profiles</title> >+ >+ <tgroup cols=5> >+ <thead> >+ <row> >+ <entry></entry> >+ >+ <entry>Extreme</entry> >+ >+ <entry>High</entry> >+ >+ <entry>Moderate</entry> >+ >+ <entry>Low</entry> >+ </row> >+ </thead> >+ >+ <tbody> >+ <row> >+ <entry>&man.inetd.8;</entry> >+ >+ <entry>NO</entry> >+ >+ <entry>NO</entry> >+ >+ <entry>YES</entry> >+ >+ <entry>YES</entry> >+ </row> >+ >+ <row> >+ <entry>&man.sendmail.8;</entry> >+ >+ <entry>NO</entry> >+ >+ <entry>YES</entry> >+ >+ <entry>YES</entry> >+ >+ <entry>YES</entry> >+ </row> >+ >+ <row> >+ <entry>&man.sshd.8;</entry> >+ >+ <entry>NO</entry> >+ >+ <entry>YES</entry> >+ >+ <entry>YES</entry> >+ >+ <entry>YES</entry> >+ </row> >+ >+ <row> >+ <entry>&man.portmap.8;</entry> >+ >+ <entry>NO</entry> >+ >+ <entry>NO</entry> >+ >+ <entry>[1]</entry> >+ >+ <entry>YES</entry> >+ </row> >+ >+ <row> >+ <entry>NFS server</entry> >+ >+ <entry>NO</entry> >+ >+ <entry>NO</entry> >+ >+ <entry>YES</entry> >+ >+ <entry>YES</entry> >+ </row> >+ >+ <row> >+ <entry>man.securelevel.XXX</entry> >+ >+ <entry>YES (2) [2]</entry> >+ >+ <entry>YES (1) [2]</entry> >+ >+ <entry>NO</entry> >+ >+ <entry>NO</entry> >+ </row> >+ </tbody> >+ </tgroup> >+ </table> >+ >+ <para>Notes:</para> >+ >+ <para> >+ <orderedlist> >+ <listitem> >+ <para>The portmapper is enabled if the machine has been >+ configured as an NFS client or server earlier in the >+ installation.</para> >+ </listitem> >+ >+ <listitem> >+ <para>If you choose a security profile that sets the >+ securelevel (Extreme or High), you must be aware of the >+ implications. 
Please read the &man.init.8; manual page >+ and pay particular attention to the meanings of the >+ security levels, or you may have significant trouble >+ later!</para> >+ </listitem> >+ </orderedlist> >+ </para> >+ >+ <para> >+ <warning> >+ <para>The security profile is not a silver bullet! Setting >+ it high does not mean you do have to keep up with security >+ issues by reading an appropriate <ulink >+ url="../handbook/eresources.html#ERESOURCES-MAIL">mailing >+ list</ulink>, using good passwords and passphrases, and >+ generally adhering to good security practices. It simply >+ sets up the desired security to convenience ration out of >+ the box.</para> >+ </warning> >+ >+ <note> >+ <para>The security profile mechanism is meant to be used >+ when you first install FreeBSD. If you already have >+ FreeBSD installed, it would probably be more beneficial to >+ simply enable or disable the desired functionality. If >+ you really want to use a security profile, you can re-run >+ &man.sysinstall.8; to set it.</para> >+ </note> >+ </para> >+ </answer> >+ </qandaentry> > </qandaset> > </chapter>
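Review bot: In the <warning> paragraph, "Setting it high does not mean you do have to keep up with security issues" is missing a "not" and reads as the opposite of what the rest of the sentence says; suggest "does not mean you do not have to keep up with security issues". The same paragraph has "security to convenience ration", which should be "ratio". In the table, the last row label is the literal placeholder "man.securelevel.XXX" rather than an entity like the other rows; since note 2 sends readers to &man.init.8; for the meaning of the security levels, label the row "securelevel" or reference that page before this is committed. The [1] and [2] markers in the cells are bare text while the notes are an <orderedlist>, so the cell-to-note mapping only holds as long as the list order is unchanged; a short comment next to the table would help whoever edits the notes later. Minor wording: "the less programs will be enabled" should be "the fewer programs".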