From bbe81cf2d846ef5ffba141f209b775479ef73c6d Mon Sep 17 00:00:00 2001 From: Michael Lucas Date: Wed, 23 Jan 2002 09:39:24 +0000 Subject: [PATCH] The only place you're supposed to use security profiles is when installing. So, why does the install chapter refer to the FAQ for a description of the security profiles rather than having it in-line? Descriptions moved to post-install handbook. --- .../books/handbook/install/chapter.sgml | 111 ++++++++++++++++-- 1 file changed, 104 insertions(+), 7 deletions(-) diff --git a/en_US.ISO8859-1/books/handbook/install/chapter.sgml b/en_US.ISO8859-1/books/handbook/install/chapter.sgml index 461afd6732..e364e005a3 100644 --- a/en_US.ISO8859-1/books/handbook/install/chapter.sgml +++ b/en_US.ISO8859-1/books/handbook/install/chapter.sgml 
@@ -3193,14 +3193,99 @@ Press [Enter] now to invoke an editor on /etc/exports Security Profile - A security profile is a set of configuration options that - attempts to achieve the desired ratio of security to convenience by - enabling and disabling certain programs and other settings. + A security profile is a set of + configuration options that attempts to achieve the desired + ratio of security to convenience by enabling and disabling + certain programs and other settings. The more severe the + security profile, the fewer programs will be enabled by + default. This is one of the basic principles of security: do + not run anything except what you must. - More information about security profiles can be found in the - - FreeBSD FAQ. + Please note that the security profile is just a default + setting. All programs can be enabled and disabled after you + have installed FreeBSD by editing or adding the appropriate + line(s) to /etc/rc.conf. For more + information, please see the &man.rc.conf.5; manual + page. + + The following table describes what each of the security + profiles does. The columns are the choices you have for a + security profile, and the rows are the program or feature that + the profile enables or disables. + + + Possible security profiles + + + + + + + Extreme + + Moderate + + + + + + + &man.sendmail.8; + + NO + + YES + + + + &man.sshd.8; + + NO + + YES + + + + &man.portmap.8; + + NO + + MAYBE + + The portmapper is enabled if the machine has + been configured as an NFS client or server earlier + in the installation. + + + + + + NFS server + + NO + + YES + + + + &man.securelevel.8; + + YES (2) + + If you choose a security profile that sets the + securelevel (Extreme or High), you must be aware + of the implications. Please read the &man.init.8; + manual page and pay particular attention to the + meanings of the security levels, or you may have + significant trouble later! + + + + NO + + + +
User Confirmation Requested Do you want to select a default security profile for this host (select @@ -3268,6 +3353,18 @@ To change any of these settings later, edit /etc/rc.conf Press Enter to continue with the post-installation configuration. + + + The security profile is not a silver bullet! Even if + you use the extreme setting, you need to keep up with + security issues by reading an appropriate mailing + list, using good passwords and passphrases, and + generally adhering to good security practices. It simply + sets up the desired security to convenience ratio out of the + box. + +
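Review bot: in the first hunk (@@ -3193,14 +3193,99 @@), the securelevel footnote says the level is set by "Extreme or High", but the table added here has only the Extreme and Moderate columns, so a reader cannot tell which profile "High" refers to. Make the footnote name the same profiles as the column headings. The same row is labelled &man.securelevel.8; while its footnote sends the reader to &man.init.8; for the meaning of the security levels; confirm that the securelevel entity resolves to an actual manual page, or label the row in plain text and keep the init reference. The "YES (2)" cell would also be clearer if it said outright that 2 is the securelevel value.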
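Review bot: in the second hunk (@@ -3268,6 +3353,18 @@), the list in the added note hangs all three items off "by", so "using good passwords and passphrases" and "adhering to good security practices" read as ways of keeping up with security issues. Split the sentence: keep up with security issues by reading a mailing list, and separately use good passwords and follow good practice. "An appropriate mailing list" gives the reader nothing to act on; name the list or point to where the lists are described. Minor: "extreme" is lowercase here but "Extreme" in the table added by the previous hunk, and "security to convenience ratio" reads better hyphenated.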