Date:      Sun, 4 Mar 2001 22:06:24 -0800 (PST)
From:      dima@unixfreak.org
To:        FreeBSD-gnats-submit@freebsd.org
Subject:   bin/25537: [PATCH] Explain security profiles in sysinstall
Message-ID:  <200103050606.f2566Ov36612@spike.unixfreak.org>


>Number:         25537
>Category:       bin
>Synopsis:       [PATCH] Explain security profiles in sysinstall
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Sun Mar 04 22:10:01 PST 2001
>Closed-Date:
>Last-Modified:
>Originator:     Dima Dorfman
>Release:        FreeBSD 5.0-20010225-CURRENT i386
>Organization:
Private
>Environment:
System: FreeBSD spike.unixfreak.org 5.0-20010225-CURRENT FreeBSD 5.0-20010225-CURRENT #9: Sun Feb 25 22:49:27 PST 2001 dima@spike.unixfreak.org:/c/home/dima/w/f/src/sys/compile/SPIKE i386

>Description:

Since security profiles were introduced in sysinstall, two things
happened.  First, a lot of people started having problems installing
kernels, et cetera because the High and Extreme security profiles
raised securelevel.  Second, a lot of people wanted to know exactly
what those security profiles do.  The first problem has pretty much
been dealt with by appropriate additions to the FAQ.  The second
problem remains.

>How-To-Repeat:

Read -questions.

>Fix:

I propose we add a help screen to the menu in sysinstall where one can
select a security profile.  Sysinstall already has a mechanism to do
this; the help screen is displayed when a user pushes "F1" (at least
on U.S. keyboards).

The following patch implements the above suggestion.  The feature
table was written by Michael Lea <mlea@atomicbluebear.org> and
submitted via freebsd-security (see "Re: security settings
documentation" on freebsd-security around Feb. 14 2001); consequently,
if this is committed, he should be credited in the commit log.

The patch adds a new file, help/secprofile.hlp (under src/usr.sbin/sysinstall).

Index: menus.c
===================================================================
RCS file: /st/src/FreeBSD/src/usr.sbin/sysinstall/menus.c,v
retrieving revision 1.288
diff -u -r1.288 menus.c
--- menus.c	2001/02/09 19:01:48	1.288
+++ menus.c	2001/03/05 05:44:39
@@ -1609,7 +1609,7 @@
     "be \"appropriate\" values in that category for various\n"
     "security-related knobs in /etc/rc.conf.",
     "Select a canned security profile.",
-    NULL,
+    "secprofile",
     { { "X Exit",	"Exit this menu (returning to previous)", NULL, configSecurityModerate },
       { "Low",		"Fairly wide-open (little) security.", NULL, configSecurityLiberal },
       { "Medium",	"Moderate security settings [DEFAULT].", NULL, configSecurityModerate },
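
Review bot: The new help key "secprofile" on the added line only works if help/secprofile.hlp is actually shipped and found when the user presses F1, and the patch as posted contains only this menus.c hunk and the new file itself. If sysinstall's help files are enumerated anywhere in its build (a Makefile list, for instance), that entry is missing from the patch and should be added with it; please confirm either way.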

--- /dev/null	Sun Mar  4 21:34:46 2001
+++ help/secprofile.hlp	Sun Mar  4 21:35:20 2001
@@ -0,0 +1,47 @@
+This menu allows you to configure your system's "security profile."  A
+security profile is a set of configuration options that attempts to
+achieve the desired ratio of security to convenience by enabling and
+disabling certain programs and other settings.  The more severe the
+security profile, the less programs will be enabled by default; this
+is one of the basic principles of security: do not run anything except
+what you must.
+
+Please note that the security profile is just a default setting.  All
+programs can be enabled and disabled later by editing or adding the
+appropriate line(s) to /etc/rc.conf.  For more information on the
+latter, please see the rc.conf(5) manual page once you have installed
+FreeBSD.
+
+Following is a table that describes what each security profile does.
+The columns are the choices you have for a security profile, and the
+rows are the program or feature that is enabled or disabled.
+
+               Extreme        High           Moderate       Low
+inetd          NO             NO             YES            YES
+sendmail       NO             YES            YES            YES
+sshd           NO             YES            YES            YES
+portmap        NO             NO             [1]            YES
+NFS server     NO             NO             YES            YES
+securelevel    YES (2) [2]    YES (1) [2]    NO             NO
+
+NOTES:
+
+[1] The portmapper is enabled if the machine has been configured as an
+    NFS client or server earlier in the installation.
+
+[2] For Extreme, the securelevel is set to 2; for High, it is set to
+    1.  If you choose either of these, you must be aware of the
+    implications of securelevel.  Please read the init(8) manual page and
+    the FAQ, or you may have problems performing such tasks as
+    installing a new kernel, changing the system date, or upgrading to a
+    later version of FreeBSD.
+
+WARNING: The security profile is not a silver bullet!  Setting it high
+does not mean you do not have to keep up with security issues by
+reading an appropriate mailing list (one where the security advisories
+are sent), using good passwords and passphrases, and generally
+adhering to good security practices.  It simply sets up the desired
+security to convenience ratio out of the box.
+
+You can always change any of these settings by editing or adding the
+appropriate line(s) to /etc/rc.conf.
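
Review bot: The table heads its third column "Moderate", but the menu entry the user selects in menus.c is labelled "Medium"; use the same word in both places so a reader can match a column to the choice on screen. The menu also lists Low before Medium while the table runs from Extreme down to Low, so consider matching the column order to the menu. In the securelevel row, "YES (2) [2]" and "YES (1) [2]" put a level value and a footnote marker side by side as bare digits, which is easy to misread; stating the level in words (for example "level 2 [2]") would be clearer. Minor wording: "the less programs" should be "the fewer programs", and the closing paragraph about editing /etc/rc.conf repeats the second paragraph and could be dropped.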

>Release-Note:
>Audit-Trail:
>Unformatted:
