Date: Thu, 30 Aug 2001 15:30:01 -0700 (PDT)
From: Michael Lucas <mwlucas@blackhelicopters.org>
To: freebsd-doc@freebsd.org
Subject: Re: docs/30203: description of security profiles in FAQ is just plain wrong
Message-ID: <200108302230.f7UMU1Z66616@freefall.freebsd.org>
The following reply was made to PR docs/30203; it has been noted by GNATS.

From: Michael Lucas <mwlucas@blackhelicopters.org>
To: Dima Dorfman <dima@unixfreak.org>
Cc: FreeBSD-gnats-submit@freebsd.org
Subject: Re: docs/30203: description of security profiles in FAQ is just plain wrong
Date: Thu, 30 Aug 2001 18:22:46 -0400

--lrZ03NoBR/3+SXJZ
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

On Thu, Aug 30, 2001 at 03:00:25AM -0700, Dima Dorfman wrote:
> Why did all these lines get replaced?

Because my fingers are trained to automatically type esc-Q. :)

Is this more like it?

--
Michael Lucas mwlucas@blackhelicopters.org
http://www.blackhelicopters.org/~mwlucas/
Big Scary Daemons: http://www.oreillynet.com/pub/q/Big_Scary_Daemons

--lrZ03NoBR/3+SXJZ
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="secprof.2"

--- book.sgml-dist Thu Aug 30 11:10:07 2001
+++ book.sgml-secprof Thu Aug 30 11:10:03 2001
@@ -2178,52 +2178,38 @@ <para>A <quote>security profile</quote> is a set of configuration options that attempts to achieve the desired ratio of security to convenience by enabling and disabling certain programs and - other settings. The more severe the security profile, the less - programs will be enabled by default; this is one of the basic - principles of security: do not run anything except what you - must.</para> + other settings. The more severe the security profile, the fewer + programs will be enabled by + default. This is one of the basic principles of security: + do not run anything except what you must.</para> <para>Please note that the security profile is just a default setting. All programs can be enabled and disabled after you have installed FreeBSD by editing or adding the appropriate line(s) - to <filename>/etc/rc.conf</filename>. For more information on - the latter, please see the &man.rc.conf.5; manual page.</para> + to <filename>/etc/rc.conf</filename>. For more information, + please see the &man.rc.conf.5; manual page.</para> - <para>Following is a table that describes what each security - profile does. The columns are the choices you have for a - security profile, and the rows are the program or feature that - is enabled or disabled.</para> + <para>The following table describes what each of the + security profiles does. The columns are the choices you + have for a security profile, and the rows are the program + or feature that the profile enables or disables.</para> <table> <title>Possible security profiles</title> - <tgroup cols=5> + <tgroup cols=3> <thead> <row> <entry></entry> <entry>Extreme</entry> - <entry>High</entry> - <entry>Moderate</entry> - <entry>Low</entry> </row> </thead> <tbody> - <row> - <entry>&man.inetd.8;</entry> - - <entry>NO</entry> - - <entry>NO</entry> - - <entry>YES</entry> - - <entry>YES</entry> - </row> <row> <entry>&man.sendmail.8;</entry> 
@@ -2232,9 +2218,6 @@ <entry>YES</entry> - <entry>YES</entry> - - <entry>YES</entry> </row> <row> @@ -2244,9 +2227,6 @@ <entry>YES</entry> - <entry>YES</entry> - - <entry>YES</entry> </row> <row> @@ -2254,8 +2234,6 @@ <entry>NO</entry> - <entry>NO</entry> - <entry>MAYBE <footnote> <para>The portmapper is enabled if the machine has been configured as an NFS client or server earlier in the @@ -2263,7 +2241,6 @@ </footnote> </entry> - <entry>YES</entry> </row> <row> @@ -2271,11 +2248,8 @@ <entry>NO</entry> - <entry>NO</entry> - <entry>YES</entry> - <entry>YES</entry> </row> <row> @@ -2291,19 +2265,16 @@ </footnote> </entry> - <entry>YES (1)</entry> - <entry>NO</entry> - <entry>NO</entry> </row> </tbody> </tgroup> </table> <warning> - <para>The security profile is not a silver bullet! Setting - it high does not mean you do not have to keep up with security + <para>The security profile is not a silver bullet! Even if you use the + extreme setting, you need to keep up with security issues by reading an appropriate <ulink url="../handbook/eresources.html#ERESOURCES-MAIL">mailing list</ulink>, using good passwords and passphrases, and @@ -2311,6 +2282,7 @@ sets up the desired security to convenience ratio out of the box.</para> </warning> + <note> <para>The security profile mechanism is meant to be used --lrZ03NoBR/3+SXJZ-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-doc" in the body of the message
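Review bot: The first hunk (@@ -2178,52 +2178,38 @@) deletes the entire &man.inetd.8; row, whereas the &man.sendmail.8; row and the rows after it are only trimmed to the remaining profiles, and nothing in the reply or in the rewritten paragraphs explains the difference. If the profile still decides whether inetd is started, keep the row with its values for the columns that remain; if it no longer does, say so in the follow-up, because inetd is one of the first entries a reader of a security table will look for. While there, check that the <thead> row and every <tbody> row end up with the number of entries that <tgroup cols=3> declares.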
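Review bot: In the @@ -2291,19 +2265,16 @@ hunk the rewritten warning refers to "the extreme setting" in lower case, while the table header names the profile "Extreme". Use the same capitalised name in both places, or mark it up with <quote> as the first paragraph does for <quote>security profile</quote>, so the warning clearly points at the table column and not at a general notion of strictness.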