Add new section for configuring internet services (inetd).

Update security section to reflect options in 4.4

Approved by:	murray

en_US.ISO8859-1/books/handbook/Makefile

@@ -1,5 +1,5 @@
 # 
-# $FreeBSD: doc/en_US.ISO8859-1/books/handbook/Makefile,v 1.44 2001/08/16 05:19:51 dd Exp $
+# $FreeBSD: doc/en_US.ISO8859-1/books/handbook/Makefile,v 1.45 2001/08/21 23:38:28 nik Exp $
 #
 # Build the FreeBSD Handbook.
 #
@@ -85,6 +85,7 @@ IMAGES+= install/adduser2.scr
 IMAGES+= install/adduser3.scr
 IMAGES+= install/mainexit.scr
 IMAGES+= install/disk-layout.eps
+IMAGES+= install/edit-inetd-conf.scr
 
 # 
 # SRCS lists the individual SGML files that make up the document. Changes

en_US.ISO8859-1/books/handbook/install/chapter.sgml

@@ -1,7 +1,7 @@
 <!--
      The FreeBSD Documentation Project
 
-     $FreeBSD: doc/en_US.ISO8859-1/books/handbook/install/chapter.sgml,v 1.95 2001/08/21 23:42:44 nik Exp $
+     $FreeBSD: doc/en_US.ISO8859-1/books/handbook/install/chapter.sgml,v 1.96 2001/08/22 18:12:57 chern Exp $
 -->
 
 <chapter id="install">
@@ -2422,6 +2422,74 @@ installation menus to try and retry whichever operations have failed.
 	leaving the installation.</para>
     </sect2>
 
+    <sect2 id="inetd-services">
+      <title>Configure Internet Services</title>
+
+      <screen>                      User Confirmation Requested
+Do you want to configure inetd and simple internet services?
+
+                               Yes   [ No ]</screen>
+
+      <para>If <guibutton>[ No ]</guibutton> is selected, various services
+	such <application>telnetd</application> will not be enabled.  This
+	means that remote users will not be able to
+	<application>telnet</application> into this machine.  Local users
+	will be still be able to access remote machines with
+	<application>telnet</application>.</para>
+
+      <para>These services can be enabled after installation by editing
+	<filename>/etc/inetd.conf</filename> with your favorite text editor.
+	See <xref linkend="inetd-overview"> for more information.</para>
+
+      <para>Select <guibutton>[ Yes ]</guibutton> if you wish to
+	configure these services during install.  An additional
+	confirmation will display.</para>
+
+      <screen>                      User Confirmation Requested
+The Internet Super Server (inetd) allows a number of simple Internet
+services to be enabled, including finger, ftp and telnetd.  Enabling
+these services may increase risk of security problems by increasing
+the exposure of your system.
+
+With this in mind, do you wish to enable inetd?
+
+                             [ Yes ]   No</screen>
+
+      <para>Select <guibutton>[ Yes ]</guibutton> to continue.</para>
+
+      <screen>                      User Confirmation Requested
+inetd(8) relies on its configuration file, /etc/inetd.conf, to determine
+which of its Internet services will be available.  The default FreeBSD
+inetd.conf(5) leaves all services disabled by default, so they must be
+specifically enabled in the configuration file before they will
+function, even once inetd(8) is enabled.  Note that services for
+IPv6 must be seperately enabled from IPv4 services.
+
+Select [Yes] now to invoke an editor on /etc/inetd.conf, or [No] to
+use the current settings.
+
+                             [ Yes ]   No</screen>
+
+      <para>Selecting <guibutton>[ Yes ]</guibutton> will allow adding
+	services by deleting the <literal>#</literal> at the beginning
+	of a line.</para>
+
+      <figure id="inetd-edit">
+	<title>Editing <filename>inetd.conf</filename></title>
+
+	<mediaobject>
+	  <imageobject>
+	    <imagedata fileref="install/edit-inetd-conf" format="PNG">
+	  </imageobject>
+	</mediaobject>
+      </figure>
+
+      <para>After adding the desired services, pressing <keycap>ESC</keycap>
+	will display a menu which will allow exiting and saving 
+	the changes.</para>
+
+    </sect2>
+
     <sect2 id="gateway">
       <title>Configure Gateway</title>
 
@@ -2603,14 +2671,9 @@ Press [Enter] now to invoke an editor on /etc/exports
     <sect2 id="securityprofile">
       <title>Security Profile</title>
 
-      <para>A "security profile" is a set of configuration options that
+      <para>A security profile is a set of configuration options that
 	attempts to achieve the desired ratio of security to convenience by
-	enabling and disabling certain programs and other settings.  Refer
-	to the <ulink url="http://www.freebsd.org/doc/en_US.ISO_8859-1/books/faq/install.html#SECURITY-PROFILES">FAQ</ulink> for more information.</para>
-
-      <para>Selecting [No] and pressing <keycap>Enter</keycap> will set the
-	security profile to "medium" (recommended for new users) and continue
-	the installation.</para>
+	enabling and disabling certain programs and other settings.</para>
 
       <screen>                       User Confirmation Requested
  Do you want to select a default security profile for this host (select
@@ -2618,8 +2681,12 @@ Press [Enter] now to invoke an editor on /etc/exports
 
                             [ Yes ]    No</screen>
 
-      <para>Selecting [Yes] and pressing <keycap>Enter</keycap> will allow
-	selecting a different security profile.</para>
+      <para>Selecting <guibutton>[ No ]</guibutton> and pressing
+	<keycap>Enter</keycap> will set the security profile to medium.</para>
+
+      <para>Selecting <guibutton>[ Yes ]</guibutton> and pressing
+	<keycap>Enter</keycap> will allow selecting a different security
+	profile.</para>
 
       <figure id="security-profile">
 	<title>Security Profile Options</title>
@@ -2634,24 +2701,43 @@ Press [Enter] now to invoke an editor on /etc/exports
       <para>Press <keycap>F1</keycap> to display the help.  Press
 	<keycap>Enter</keycap> to return to selection menu.</para>
 
-      <para>Use the arrow keys to choose the medium level [DEFAULT] unless
-	your are sure that another level is required for your needs.  With
-	[OK] highlighted, press <keycap>Enter</keycap>.</para>
+      <para>Use the arrow keys to choose <guimenuitem>Medium</guimenuitem>
+	unless your are sure that another level is required for your needs.
+	With <guibutton>[ OK ]</guibutton> highlighted, press
+	<keycap>Enter</keycap>.</para>
+
+      <para>An appropriate confirmation message will display depending on
+	which security setting was chosen.</para>
 
       <screen>                                 Message
- Moderate security settings have been selected. 
 
- This means that most "popular" network services and mechanisms like
- inetd(8) have been enabled by default for a comfortable user
- experience but with possible trade-offs in system security.  If this
- bothers you and you know exactly what your are doing, select the high
- high security profile instead. 
+Moderate security settings have been selected.
 
- To change any of these settings later, edit /etc/rc.conf. 
+Sendmail and SSHd have been enabled, securelevels are
+disabled, and NFS server setting have been left intact.
+PLEASE NOTE that this still does not save you from having
+to properly secure your system in other ways or exercise
+due diligence in your administration, this simply picks
+a standard set of out-of-box defaults to start with.
 
-                                 [ OK ] 
+To change any of these settings later, edit /etc/rc.conf
 
-                      [ Press enter to continue ]</screen>
+                                  [OK]</screen>
+
+      <screen>                                 Message
+
+Extreme security settings have been selected.
+
+Sendmail, SSHd, and NFS services have been disabled, and
+securelevels have been enabled.
+PLEASE NOTE that this still does not save you from having
+to properly secure your system in other ways or exercise
+due diligence in your administration, this simply picks
+a more secure set of out-of-box defaults to start with.
+
+To change any of these settings later, edit /etc/rc.conf
+
+                                  [OK]</screen>
 
       <para>Press <keycap>Enter</keycap> to continue with the
 	post-installation configuration.</para>

en_US.ISO8859-1/books/handbook/install/edit-inetd-conf.scr

@@ -0,0 +1 @@
+SCRSHOT_
P^[ (escape) menu ^y search prompt ^k delete line    ^p prev line  ^g prev page  ^o ascii code    ^x search        ^l undelete line  ^n next line  ^v next page  ^u end of file   ^a begin of line ^w delete word    ^b back char  ^z next word  ^t begin of file ^e end of line   ^r restore word   ^f forward char             ^c command       ^d delete char   ^j undelete char              ESC-Enter: exit Lp:p p1p pCp:p p1p p=p=p=p=p=p=p=p=p=p=p=p=p=p=p=p=p=p=p=p=p=p=p=p=p=p=p=p=p=p=p=p=p=p=p=p=p=p=p=p=p=p=p=p=p=p=p=p=p=p=p=p=p=p=p=p=p=p=p=p=p=p=p=p=p=p=p=p=p=p # $FreeBSD: src/etc/inetd.conf,v 1.44.2.5 2001/08/04 16:06:44 rwatson Exp $     #                                                                               # Internet server configuration database                                        #                                                                               # Define *both* IPv4 and IPv6 entries for dual-stack support.                   # To disable a service, comment it out by prefixing the line with '#'.          # To enable a service, remove the '#' at the beginning of the line.             #                                                                               #ftp    stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l         #ftp    stream  tcp6    nowait  root    /usr/libexec/ftpd       ftpd -l         #telnet stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd         #telnet stream  tcp6    nowait  root    /usr/libexec/telnetd    telnetd         #shell  stream  tcp     nowait  root    /usr/libexec/rshd       rshd            #shell  stream  tcp6    nowait  root    /usr/libexec/rshd       rshd            #login  stream  tcp     nowait  root    /usr/libexec/rlogind    rlogind         #login  stream  tcp6    nowait  root    /usr/libexec/rlogind    rlogind         #finger stream  tcp     nowait/3/10 nobody /usr/libexec/fingerd fingerd -s      #finger stream  tcp6    nowait/3/10 nobody /usr/libexec/fingerd fingerd -s