The only place you're supposed to use security profiles is when
installing. So, why does the install chapter refer to the FAQ for a
description of the security profiles rather than having it in-line?

Descriptions moved to post-install handbook.
Michael Lucas 2002-01-23 09:39:24 +00:00
parent 0d2965eea7
commit bbe81cf2d8
Notes: svn2git 2020-12-08 03:00:23 +00:00
svn path=/head/; revision=11843

@ -3193,14 +3193,99 @@ Press [Enter] now to invoke an editor on /etc/exports
<sect2 id="securityprofile">
<title>Security Profile</title>
<para>A security profile is a set of configuration options that
attempts to achieve the desired ratio of security to convenience by
enabling and disabling certain programs and other settings.</para>
<para>A <quote>security profile</quote> is a set of
configuration options that attempts to achieve the desired
ratio of security to convenience by enabling and disabling
certain programs and other settings. The more severe the
security profile, the fewer programs will be enabled by
default. This is one of the basic principles of security: do
not run anything except what you must.</para>
<para>More information about security profiles can be found in the
<ulink
url="../faq/install.html#SECURITY-PROFILES">
FreeBSD FAQ</ulink>.</para>
<para>Please note that the security profile is just a default
setting. All programs can be enabled and disabled after you
have installed FreeBSD by editing or adding the appropriate
line(s) to <filename>/etc/rc.conf</filename>. For more
information, please see the &man.rc.conf.5; manual
page.</para>
<para>The following table describes what each of the security
profiles does. The columns are the choices you have for a
security profile, and the rows are the program or feature that
the profile enables or disables.</para>
<table>
<title>Possible security profiles</title>
<tgroup cols=3>
<thead>
<row>
<entry></entry>
<entry>Extreme</entry>
<entry>Moderate</entry>
</row>
</thead>
<tbody>
<row>
<entry>&man.sendmail.8;</entry>
<entry>NO</entry>
<entry>YES</entry>
</row>
<row>
<entry>&man.sshd.8;</entry>
<entry>NO</entry>
<entry>YES</entry>
</row>
<row>
<entry>&man.portmap.8;</entry>
<entry>NO</entry>
<entry>MAYBE
<footnote>
<para>The portmapper is enabled if the machine has
been configured as an NFS client or server earlier
in the installation.</para>
</footnote>
</entry>
</row>
<row>
<entry>NFS server</entry>
<entry>NO</entry>
<entry>YES</entry>
</row>
<row>
<entry>&man.securelevel.8;</entry>
<entry>YES (2)
<footnote>
<para>If you choose a security profile that sets the
securelevel (Extreme or High), you must be aware
of the implications. Please read the &man.init.8;
manual page and pay particular attention to the
meanings of the security levels, or you may have
significant trouble later!</para>
</footnote>
</entry>
<entry>NO</entry>
</row>
</tbody>
</tgroup>
</table>
<screen> User Confirmation Requested
Do you want to select a default security profile for this host (select
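Review bot: The securelevel footnote names the profiles "Extreme or High", but the table in this hunk has only Extreme and Moderate columns, so "High" refers to a profile the reader is never shown. Change the footnote to match the columns, or add the missing column if a High profile exists. The same row is labelled &man.securelevel.8; while its footnote sends readers to &man.init.8; for the meaning of the levels; confirm that the securelevel entity is defined, or label the row with plain text as the "NFS server" row does. As a style point, <tgroup cols=3> leaves the value unquoted while id="securityprofile" above is quoted; cols="3" keeps the markup uniform.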
@ -3268,6 +3353,18 @@ To change any of these settings later, edit /etc/rc.conf
<para>Press <keycap>Enter</keycap> to continue with the
post-installation configuration.</para>
<warning>
<para>The security profile is not a silver bullet! Even if
you use the extreme setting, you need to keep up with
security issues by reading an appropriate <ulink
url="../handbook/eresources.html#ERESOURCES-MAIL">mailing
list</ulink>, using good passwords and passphrases, and
generally adhering to good security practices. It simply
sets up the desired security to convenience ratio out of the
box.</para>
</warning>
</sect2>
<sect2 id="console">
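Review bot: The last sentence of the warning, "It simply sets up the desired security to convenience ratio out of the box", opens with a pronoun that follows a long sentence about mailing lists and passwords, so it is unclear what "It" refers to. Name the subject ("The security profile simply sets up ...") and hyphenate "security-to-convenience". The ulink to ../handbook/eresources.html#ERESOURCES-MAIL is a relative URL; if this chapter is itself part of the handbook, as the commit message suggests, an internal cross-reference to that section would not break when the output layout changes.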