Date: Wed, 29 Aug 2001 17:06:42 -0400 (EDT)
From: mwlucas@blackhelicopters.org
To: FreeBSD-gnats-submit@freebsd.org
Subject: docs/30203: description of security profiles in FAQ is just plain wrong
Message-ID: <200108292106.RAA04371@blackhelicopters.org>
>Number: 30203
>Category: docs
>Synopsis: description of security profiles in FAQ is just plain wrong
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-doc
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Wed Aug 29 14:10:07 PDT 2001
>Closed-Date:
>Last-Modified:
>Originator: Michael Lucas
>Release: FreeBSD 3.5-STABLE i386
>Organization: None
>Environment: current -doc tree
>Description: Robert Watson recently took an axe to the security profiles available in sysinstall. There are now only two profiles available, moderate & extreme. This is my first -doc patch prepared entirely from reading actual source code, instead of from reading mailing lists. As such, I'm fully prepared to be told that I'm wrong. I've also cleaned up a couple of sentences and corrected some grammar. While I might be wrong on source code, I do know that using both a colon and a semicolon in one sentence is ugly.
>How-To-Repeat: read the source of sysinstall
>Fix:
*** book.sgml-dist Wed Aug 29 13:19:01 2001 --- book.sgml Wed Aug 29 13:44:25 2001 *************** *** 2175,2229 **** </question> <answer> ! <para>A <quote>security profile</quote> is a set of configuration ! options that attempts to achieve the desired ratio of security ! to convenience by enabling and disabling certain programs and ! other settings. The more severe the security profile, the less ! programs will be enabled by default; this is one of the basic ! principles of security: do not run anything except what you ! must.</para> ! ! <para>Please note that the security profile is just a default ! setting. All programs can be enabled and disabled after you have ! installed FreeBSD by editing or adding the appropriate line(s) ! to <filename>/etc/rc.conf</filename>. For more information on ! the latter, please see the &man.rc.conf.5; manual page.</para> ! ! <para>Following is a table that describes what each security ! profile does.
The columns are the choices you have for a ! security profile, and the rows are the program or feature that ! is enabled or disabled.</para> <table> <title>Possible security profiles</title> ! <tgroup cols=5> <thead> <row> <entry></entry> <entry>Extreme</entry> - <entry>High</entry> - <entry>Moderate</entry> - <entry>Low</entry> </row> </thead> <tbody> - <row> - <entry>&man.inetd.8;</entry> - - <entry>NO</entry> - - <entry>NO</entry> - - <entry>YES</entry> - - <entry>YES</entry> - </row> <row> <entry>&man.sendmail.8;</entry> --- 2175,2216 ---- </question> <answer> ! <para>A <quote>security profile</quote> is a set of ! configuration options that attempts to achieve the desired ! ratio of security to convenience by enabling and disabling ! certain programs and other settings. The more severe the ! security profile, the fewer programs will be enabled by ! default. This is one of the basic principles of security: ! do not run anything except what you must.</para> ! ! <para>Please note that the security profile is just a ! default setting. All programs can be enabled or disabled ! after you have installed FreeBSD by editing or adding the ! appropriate line(s) to <filename>/etc/rc.conf</filename>. ! For more information, please see the &man.rc.conf.5; ! manual page.</para> ! ! <para>Following is a table that describes what each of the ! security profiles does. The columns are the choices you ! have for a security profile, and the rows are the program ! or feature that the profile enables or disables.</para> <table> <title>Possible security profiles</title> ! 
<tgroup cols=3> <thead> <row> <entry></entry> <entry>Extreme</entry> <entry>Moderate</entry> </row> </thead> <tbody> <row> <entry>&man.sendmail.8;</entry> *************** *** 2232,2240 **** <entry>YES</entry> - <entry>YES</entry> - - <entry>YES</entry> </row> <row> --- 2219,2224 ---- *************** *** 2244,2252 **** <entry>YES</entry> - <entry>YES</entry> - - <entry>YES</entry> </row> <row> --- 2228,2233 ---- *************** *** 2254,2261 **** <entry>NO</entry> - <entry>NO</entry> - <entry>MAYBE <footnote> <para>The portmapper is enabled if the machine has been configured as an NFS client or server earlier in the --- 2235,2240 ---- *************** *** 2263,2269 **** </footnote> </entry> - <entry>YES</entry> </row> <row> --- 2242,2247 ---- *************** *** 2271,2281 **** <entry>NO</entry> - <entry>NO</entry> - <entry>YES</entry> - <entry>YES</entry> </row> <row> --- 2249,2256 ---- *************** *** 2291,2315 **** </footnote> </entry> - <entry>YES (1)</entry> - <entry>NO</entry> - <entry>NO</entry> </row> </tbody> </tgroup> </table> <warning> ! <para>The security profile is not a silver bullet! Setting ! it high does not mean you do not have to keep up with security ! issues by reading an appropriate <ulink url="../handbook/eresources.html#ERESOURCES-MAIL">mailing ! list</ulink>, using good passwords and passphrases, and ! generally adhering to good security practices. It simply ! sets up the desired security to convenience ratio out of ! the box.</para> </warning> <note> --- 2266,2288 ---- </footnote> </entry> <entry>NO</entry> </row> </tbody> </tgroup> </table> <warning> ! <para>The security profile is not a silver bullet! ! Even the extreme setting does not mean you do not ! have to keep up with security issues by reading an ! appropriate <ulink url="../handbook/eresources.html#ERESOURCES-MAIL">mailing ! list</ulink>, using good passwords and passphrases, ! and generally adhering to good security practices. ! 
It simply sets up the desired security to convenience ! ratio out of the box.</para> </warning> <note> >Release-Note: >Audit-Trail: >Unformatted: To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-doc" in the body of the message
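Review bot: In the first hunk (old lines 2175-2229) the whole &man.inetd.8; row is deleted from the table, not just its High and Low columns, and neither the PR description nor the new text explains that; the description only covers the drop from four profiles to two. If sysinstall no longer sets inetd according to the profile, add a sentence saying where inetd is now enabled so readers do not assume it follows the profile; if it still does, keep the row with the Extreme and Moderate entries. The new `<tgroup cols=3>` does match the three remaining header entries.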
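Review bot: In the last hunk (old lines 2291-2315) the rewritten warning, "Even the extreme setting does not mean you do not have to keep up with security issues", stacks two negatives and reads harder than a direct statement. Suggest something like "Even with the extreme setting you still have to keep up with security issues by reading an appropriate mailing list, ...". In the same paragraph, "the desired security to convenience ratio" could reuse the wording from the opening paragraph of this answer, "ratio of security to convenience", so the two passages agree.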