
(-)doc/en_US.ISO8859-1/books/handbook/install/chapter.sgml (-178 lines)
Lines 2650-2833 Link Here
2650
      </sect3>
2650
      </sect3>
2651
    </sect2>
2651
    </sect2>
2652
2652
2653
    <sect2 id="securityprofile">
2654
      <title>Security Profile</title>
2655
2656
      <para>A <quote>security profile</quote> is a set of
2657
	configuration options that attempts to achieve the desired
2658
	ratio of security to convenience by enabling and disabling
2659
	certain programs and other settings.  The more severe the
2660
	security profile, the fewer programs will be enabled by
2661
	default.  This is one of the basic principles of security: do
2662
	not run anything except what you must.</para>
2663
2664
      <para>Please note that the security profile is just a default
2665
	setting.  All programs can be enabled and disabled after you
2666
	have installed FreeBSD by editing or adding the appropriate
2667
	line(s) to <filename>/etc/rc.conf</filename>.  For more
2668
	information, please see the &man.rc.conf.5; manual
2669
	page.</para>
2670
2671
      <para>The following table describes what each of the security
2672
	profiles does.  The columns are the choices you have for a
2673
	security profile, and the rows are the program or feature that
2674
	the profile enables or disables.</para>
2675
2676
      <table>
2677
	<title>Possible Security Profiles</title>
2678
2679
	<tgroup cols=3>
2680
	  <thead>
2681
	    <row>
2682
	      <entry></entry>
2683
2684
	      <entry>Extreme</entry>
2685
2686
	      <entry>Moderate</entry>
2687
	    </row>
2688
	  </thead>
2689
2690
	  <tbody>
2691
2692
	    <row>
2693
	      <entry>&man.sendmail.8;</entry>
2694
2695
	      <entry>NO</entry>
2696
2697
	      <entry>YES</entry>
2698
	    </row>
2699
2700
	    <row>
2701
	      <entry>&man.sshd.8;</entry>
2702
2703
	      <entry>NO</entry>
2704
2705
	      <entry>YES</entry>
2706
	    </row>
2707
2708
	    <row>
2709
	      <entry>&man.portmap.8;</entry>
2710
2711
	      <entry>NO</entry>
2712
2713
	      <entry>MAYBE
2714
		<footnote>
2715
		  <para>The portmapper is enabled if the machine has
2716
		    been configured as an NFS client or server earlier
2717
		    in the installation.</para>
2718
		</footnote>
2719
	      </entry>
2720
	    </row>
2721
2722
	    <row>
2723
	      <entry>NFS server</entry>
2724
2725
	      <entry>NO</entry>
2726
2727
	      <entry>YES</entry>
2728
	    </row>
2729
2730
	    <row>
2731
	      <entry>&man.securelevel.8;</entry>
2732
2733
	      <entry>YES
2734
		<footnote>
2735
		  <para>If you choose a security profile that sets the
2736
		    securelevel to <quote>Extreme</quote> or
2737
		    <quote>High</quote>, you must be aware of the
2738
		    implications.  Please read the &man.init.8;
2739
		    manual page and pay particular attention to the
2740
		    meanings of the security levels, or you may have
2741
		    significant trouble later!</para>
2742
		</footnote>
2743
	      </entry>
2744
2745
	      <entry>NO</entry>
2746
	    </row>
2747
	  </tbody>
2748
	</tgroup>
2749
      </table>
2750
2751
      <screen>                       User Confirmation Requested
2752
 Do you want to select a default security profile for this host (select
2753
 No for "medium" security)? 
2754
2755
                            [ Yes ]    No</screen>
2756
2757
      <para>Selecting &gui.no; and pressing
2758
	<keycap>Enter</keycap> will set the security profile to medium.</para>
2759
2760
      <para>Selecting &gui.yes; and pressing
2761
	<keycap>Enter</keycap> will allow selecting a different security
2762
	profile.</para>
2763
2764
      <figure id="security-profile">
2765
	<title>Security Profile Options</title>
2766
2767
	<mediaobject>
2768
	  <imageobject>
2769
	    <imagedata fileref="install/security" format="PNG">
2770
	  </imageobject>
2771
	</mediaobject>
2772
      </figure>
2773
2774
      <para>Press <keycap>F1</keycap> to display the help.  Press
2775
	<keycap>Enter</keycap> to return to selection menu.</para>
2776
2777
      <para>Use the arrow keys to choose <guimenuitem>Medium</guimenuitem>
2778
	unless your are sure that another level is required for your needs.
2779
	With &gui.ok; highlighted, press
2780
	<keycap>Enter</keycap>.</para>
2781
2782
      <para>An appropriate confirmation message will display depending on
2783
	which security setting was chosen.</para>
2784
2785
      <screen>                                 Message
2786
2787
Moderate security settings have been selected.
2788
2789
Sendmail and SSHd have been enabled, securelevels are
2790
disabled, and NFS server setting have been left intact.
2791
PLEASE NOTE that this still does not save you from having
2792
to properly secure your system in other ways or exercise
2793
due diligence in your administration, this simply picks
2794
a standard set of out-of-box defaults to start with.
2795
2796
To change any of these settings later, edit /etc/rc.conf
2797
2798
                                  [OK]</screen>
2799
2800
      <screen>                                 Message
2801
2802
Extreme security settings have been selected.
2803
2804
Sendmail, SSHd, and NFS services have been disabled, and
2805
securelevels have been enabled.
2806
PLEASE NOTE that this still does not save you from having
2807
to properly secure your system in other ways or exercise
2808
due diligence in your administration, this simply picks
2809
a more secure set of out-of-box defaults to start with.
2810
2811
To change any of these settings later, edit /etc/rc.conf
2812
2813
                                  [OK]</screen>
2814
2815
      <para>Press <keycap>Enter</keycap> to continue with the
2816
	post-installation configuration.</para>
2817
2818
      <warning>
2819
	<para>The security profile is not a silver bullet!  Even if
2820
	  you use the extreme setting, you need to keep up with
2821
	  security issues by reading an appropriate mailing
2822
	  list (<xref linkend="eresources-mail">),
2823
	  using good passwords and passphrases, and
2824
	  generally adhering to good security practices.  It simply
2825
	  sets up the desired security to convenience ratio out of the
2826
	  box.</para>
2827
      </warning>
2828
2829
    </sect2>
2830
2831
    <sect2 id="console">
2653
    <sect2 id="console">
2832
      <title>System Console Settings</title>
2654
      <title>System Console Settings</title>
2833
2655
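
Review bot: Deleting `<sect2 id="securityprofile">` (old line 2653) and `<figure id="security-profile">` (old line 2764) removes two link targets, so the rest of the handbook should be checked for any `linkend` that still points at either id, since a dangling reference would break validation of the SGML. The `install/security` image referenced at old line 2769 becomes unused and should be removed in the same change. The removed paragraphs are also the only place in this hunk that says which services the installer leaves enabled (sendmail, sshd, NFS server, securelevel) and that points to rc.conf(5) and init(8) for changing them. If the installer no longer asks this question, consider keeping one short paragraph near the `console` section that states the resulting defaults and says they are changed in `/etc/rc.conf`, so the "do not run anything except what you must" guidance is not lost with the dialog walkthrough.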

Return to bug 106494