From owner-freebsd-bugs Sun Mar 4 22:10: 8 2001 Delivered-To: freebsd-bugs@hub.freebsd.org Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 8225737B71B for ; Sun, 4 Mar 2001 22:10:01 -0800 (PST) (envelope-from gnats@FreeBSD.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.11.1/8.11.1) id f256A1V29324; Sun, 4 Mar 2001 22:10:01 -0800 (PST) (envelope-from gnats) Received: from bazooka.unixfreak.org (bazooka.unixfreak.org [63.198.170.138]) by hub.freebsd.org (Postfix) with ESMTP id 4C9C437B71A for ; Sun, 4 Mar 2001 22:06:27 -0800 (PST) (envelope-from dima@unixfreak.org) Received: from spike.unixfreak.org (spike [192.168.2.4]) by bazooka.unixfreak.org (Postfix) with ESMTP id CBE453E0D for ; Sun, 4 Mar 2001 22:06:24 -0800 (PST) Received: (from dima@localhost) by spike.unixfreak.org (8.11.2/8.11.1) id f2566Ov36612; Sun, 4 Mar 2001 22:06:24 -0800 (PST) (envelope-from dima) Message-Id: <200103050606.f2566Ov36612@spike.unixfreak.org> Date: Sun, 4 Mar 2001 22:06:24 -0800 (PST) From: dima@unixfreak.org Reply-To: dima@unixfreak.org To: FreeBSD-gnats-submit@freebsd.org X-Send-Pr-Version: 3.113 Subject: bin/25537: [PATCH] Explain security profiles in sysinstall Sender: owner-freebsd-bugs@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org >Number: 25537 >Category: bin >Synopsis: [PATCH] Explain security profiles in sysinstall >Confidential: no >Severity: non-critical >Priority: low >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: change-request >Submitter-Id: current-users >Arrival-Date: Sun Mar 04 22:10:01 PST 2001 >Closed-Date: >Last-Modified: >Originator: Dima Dorfman >Release: FreeBSD 5.0-20010225-CURRENT i386 >Organization: Private >Environment: System: FreeBSD spike.unixfreak.org 5.0-20010225-CURRENT FreeBSD 5.0-20010225-CURRENT #9: Sun Feb 25 22:49:27 PST 2001 dima@spike.unixfreak.org:/c/home/dima/w/f/src/sys/compile/SPIKE i386 >Description: Since security profiles were introduced in sysinstall, two things happened. First, a lot of people started having problems installing kernels, et cetera because the High and Extreme security profiles raised securelevel. Second, a lot of people wanted to know exactly what those security profiles do. The first problem has pretty much been dealt with by appropriate additions to the FAQ. The second problem remains. >How-To-Repeat: Read -questions. >Fix: I propose we add a help screen to the menu in sysinstall where one can select a security profile. Sysinstall already has a mechanism to do this; the help screen is displayed when a user pushes "F1" (at least on U.S. keyboards). The following patch implements the above suggestion. The feature table was written by Michael Lea and submitted via freebsd-security (see "Re: security settings documentation" on freebsd-security around Feb. 14 2001); consequently, if this is commited, he should be credited in the commit log. The patch adds a new file, help/secprofile.hlp (under src/usr.sbin/sysinstall). Index: menus.c =================================================================== RCS file: /st/src/FreeBSD/src/usr.sbin/sysinstall/menus.c,v retrieving revision 1.288 diff -u -r1.288 menus.c --- menus.c 2001/02/09 19:01:48 1.288 +++ menus.c 2001/03/05 05:44:39 @@ -1609,7 +1609,7 @@ "be \"appropriate\" values in that category for various\n" "security-related knobs in /etc/rc.conf.", "Select a canned security profile.", - NULL, + "secprofile", { { "X Exit", "Exit this menu (returning to previous)", NULL, configSecurityModerate }, { "Low", "Fairly wide-open (little) security.", NULL, configSecurityLiberal }, { "Medium", "Moderate security settings [DEFAULT].", NULL, configSecurityModerate }, --- /dev/null Sun Mar 4 21:34:46 2001 +++ help/secprofile.hlp Sun Mar 4 21:35:20 2001 @@ -0,0 +1,47 @@ +This menu allows you to configure your system's "security profile." A +security profile is a set of configuration options that attempts to +achieve the desired ratio of security to convenience by enabling and +disabling certain programs and other settings. The more severe the +security profile, the less programs will be enabled by default; this +is one of the basic principles of security: do not run anything except +what you must. + +Please note that the security profile is just a default setting. All +programs can be enabled and disabled later by editing or adding the +appropriate line(s) to /etc/rc.conf. For more information on the +latter, please see the rc.conf(5) manual page once you have installed +FreeBSD. + +Following is a table that describes what each security profile does. +The columns are the choices you have for a security profile, and the +rows are the program or feature that is enabled or disabled. + + Extreme High Moderate Low +inetd NO NO YES YES +sendmail NO YES YES YES +sshd NO YES YES YES +portmap NO NO [1] YES +NFS server NO NO YES YES +securelevel YES (2) [2] YES (1) [2] NO NO + +NOTES: + +[1] The portmapper is enabled if the machine has been configured as an + NFS client or server earlier in the installation. + +[2] For Extreme, the securelevel is set to 2; for High, it is set to + 1. If you choose either of these, you must be aware of the + implications of securelevel. Please read the init(8) manual page and + the FAQ, or you may have problems performing such tasks as + installing a new kernel, changing the system date, or upgrading to a + later version of FreeBSD. + +WARNING: The security profile is not a silver bullet! Setting it high +does not mean you do not have to keep up with security issues by +reading an appropriate mailing list (one where the security advisories +are sent), using good passwords and passphrases, and generally +adhering to good security practices. It simply sets up the desired +security to convenience ratio out of the box. + +You can always change any of these settings by editing or adding the +appropriate line(s) to /etc/rc.conf. >Release-Note: >Audit-Trail: >Unformatted: To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message