Date:      Wed, 29 Aug 2001 17:06:42 -0400 (EDT)
From:      mwlucas@blackhelicopters.org
To:        FreeBSD-gnats-submit@freebsd.org
Subject:   docs/30203: description of security profiles in FAQ is just plain wrong
Message-ID:  <200108292106.RAA04371@blackhelicopters.org>


>Number:         30203
>Category:       docs
>Synopsis:       description of security profiles in FAQ is just plain wrong
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-doc
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Wed Aug 29 14:10:07 PDT 2001
>Closed-Date:
>Last-Modified:
>Originator:     Michael Lucas
>Release:        FreeBSD 3.5-STABLE i386
>Organization:
None
>Environment:

current -doc tree

>Description:

Robert Watson recently took an axe to the security profiles available
in sysinstall.  There are now only two profiles available, moderate &
extreme.

This is my first -doc patch prepared entirely from reading actual
source code, instead of from reading mailing lists.  As such, I'm
fully prepared to be told that I'm wrong.

I've also cleaned up a couple of sentences and corrected some grammar.
While I might be wrong on source code, I do know that using both a
colon and a semicolon in one sentence is ugly.

>How-To-Repeat:

read the source of sysinstall

>Fix:

*** book.sgml-dist	Wed Aug 29 13:19:01 2001
--- book.sgml	Wed Aug 29 13:44:25 2001
***************
*** 2175,2229 ****
          </question>
  
          <answer>
!           <para>A <quote>security profile</quote> is a set of configuration
!             options that attempts to achieve the desired ratio of security
!             to convenience by enabling and disabling certain programs and
!             other settings.  The more severe the security profile, the less
!             programs will be enabled by default; this is one of the basic
!             principles of security: do not run anything except what you
!             must.</para>
! 
!           <para>Please note that the security profile is just a default
!             setting.  All programs can be enabled and disabled after you have
!             installed FreeBSD by editing or adding the appropriate line(s)
!             to <filename>/etc/rc.conf</filename>.  For more information on
!             the latter, please see the &man.rc.conf.5; manual page.</para>
! 
!           <para>Following is a table that describes what each security
!             profile does.  The columns are the choices you have for a
!             security profile, and the rows are the program or feature that
!             is enabled or disabled.</para>
  
            <table>
              <title>Possible security profiles</title>
  
!              <tgroup cols=5>
                 <thead>
                   <row>
                     <entry></entry>
  
                     <entry>Extreme</entry>
  
-                    <entry>High</entry>
- 
                     <entry>Moderate</entry>
  
-                    <entry>Low</entry>
                   </row>
                 </thead>
  
                 <tbody>
-                  <row>
-                    <entry>&man.inetd.8;</entry>
- 
-                    <entry>NO</entry>
- 
-                    <entry>NO</entry>
- 
-                    <entry>YES</entry>
- 
-                    <entry>YES</entry>
-                  </row>
  
                   <row>
                     <entry>&man.sendmail.8;</entry>
--- 2175,2216 ----
          </question>
  
          <answer>
!           <para>A <quote>security profile</quote> is a set of
!             configuration options that attempts to achieve the desired
!             ratio of security to convenience by enabling and disabling
!             certain programs and other settings.  The more severe the
!             security profile, the fewer programs will be enabled by
!             default.  This is one of the basic principles of security:
!             do not run anything except what you must.</para>
! 
!           <para>Please note that the security profile is just a
!             default setting.  All programs can be enabled or disabled
!             after you have installed FreeBSD by editing or adding the
!             appropriate line(s) to <filename>/etc/rc.conf</filename>.
!             For more information, please see the &man.rc.conf.5;
!             manual page.</para>
! 
!           <para>Following is a table that describes what each of the
!             security profiles does.  The columns are the choices you
!             have for a security profile, and the rows are the program
!             or feature that the profile enables or disables.</para>
  
            <table>
              <title>Possible security profiles</title>
  
!              <tgroup cols=3>
                 <thead>
                   <row>
                     <entry></entry>
  
                     <entry>Extreme</entry>
  
                     <entry>Moderate</entry>
  
                   </row>
                 </thead>
  
                 <tbody>
  
                   <row>
                     <entry>&man.sendmail.8;</entry>
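Review bot: the &man.inetd.8; row at the top of `<tbody>` is deleted outright rather than cut down to its Extreme and Moderate cells (NO and YES in the old table), and the PR description only mentions dropping profiles, not dropping a service from the table. If the two remaining sysinstall profiles no longer touch inetd, please say so in the description; otherwise keep the row with two entries so the FAQ still documents it. The removals also leave an empty line before `</row>` in the header row and directly after `<tbody>`, which could be tidied in the same pass.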
***************
*** 2232,2240 ****
  
                     <entry>YES</entry>
  
-                    <entry>YES</entry>
- 
-                    <entry>YES</entry>
                   </row>
  
                   <row>
--- 2219,2224 ----
***************
*** 2244,2252 ****
  
                     <entry>YES</entry>
  
-                    <entry>YES</entry>
- 
-                    <entry>YES</entry>
                   </row>
  
                   <row>
--- 2228,2233 ----
***************
*** 2254,2261 ****
  
                     <entry>NO</entry>
  
-                    <entry>NO</entry>
- 
  		<entry>MAYBE <footnote>
  		    <para>The portmapper is enabled if the machine has been
  		      configured as an NFS client or server earlier in the
--- 2235,2240 ----
***************
*** 2263,2269 ****
  		  </footnote>
  		</entry>
  
-                    <entry>YES</entry>
                   </row>
  
                   <row>
--- 2242,2247 ----
***************
*** 2271,2281 ****
  
                     <entry>NO</entry>
  
-                    <entry>NO</entry>
- 
                     <entry>YES</entry>
  
-                    <entry>YES</entry>
                   </row>
  
                   <row>
--- 2249,2256 ----
***************
*** 2291,2315 ****
  		      </footnote>
  		      </entry>
  
-                    <entry>YES (1)</entry>
- 
                     <entry>NO</entry>
  
-                    <entry>NO</entry>
                   </row>
                 </tbody>
               </tgroup>
             </table>
  
               <warning>
!                <para>The security profile is not a silver bullet!  Setting
!                  it high does not mean you do not have to keep up with security
!                  issues by reading an appropriate <ulink
                   url="../handbook/eresources.html#ERESOURCES-MAIL">mailing
!                  list</ulink>, using good passwords and passphrases, and
!                  generally adhering to good security practices.  It simply
!                  sets up the desired security to convenience ratio out of
!                  the box.</para>
               </warning>
  
               <note>
--- 2266,2288 ----
  		      </footnote>
  		      </entry>
  
                     <entry>NO</entry>
  
                   </row>
                 </tbody>
               </tgroup>
             </table>
  
               <warning>
!                <para>The security profile is not a silver bullet!
!                  Even the extreme setting does not mean you do not
!                  have to keep up with security issues by reading an
!                  appropriate <ulink
                   url="../handbook/eresources.html#ERESOURCES-MAIL">mailing
!                  list</ulink>, using good passwords and passphrases,
!                  and generally adhering to good security practices.
!                  It simply sets up the desired security to convenience
!                  ratio out of the box.</para>
               </warning>
  
               <note>
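Review bot: the reworded `<warning>` paragraph keeps the double negative "does not mean you do not have to keep up", which is the hardest sentence in this entry to parse. Since the patch is already cleaning up wording, consider stating it positively: even with the extreme profile you still have to follow the security mailing list, use good passwords and passphrases, and adhere to good security practices. "security to convenience ratio" would also read better hyphenated, and the last table row in this hunk is left with a blank line between `<entry>NO</entry>` and `</row>`.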
>Release-Note:
>Audit-Trail:
>Unformatted:
