author | Michael Lucas <mwlucas@FreeBSD.org> | 2002-01-23 09:39:24 +0000 |
---|---|---|
committer | Michael Lucas <mwlucas@FreeBSD.org> | 2002-01-23 09:39:24 +0000 |
commit | bbe81cf2d846ef5ffba141f209b775479ef73c6d (patch) | |
tree | a77bce94f5391d84c001c6af68bef99db6844100 | |
parent | 0d2965eea70550d4318159a26a052053535e0492 (diff) | |
The only place you're supposed to use security profiles is when
installing. So, why does the install chapter refer to the FAQ for a
description of the security profiles rather than having it in-line?
Descriptions moved to post-install handbook.
Notes:
svn path=/head/; revision=11843
-rw-r--r-- | en_US.ISO8859-1/books/handbook/install/chapter.sgml | 111 |
1 files changed, 104 insertions, 7 deletions
diff --git a/en_US.ISO8859-1/books/handbook/install/chapter.sgml b/en_US.ISO8859-1/books/handbook/install/chapter.sgml index 461afd6732..e364e005a3 100644 --- a/en_US.ISO8859-1/books/handbook/install/chapter.sgml +++ b/en_US.ISO8859-1/books/handbook/install/chapter.sgml 
@@ -3193,14 +3193,99 @@ Press [Enter] now to invoke an editor on /etc/exports <sect2 id="securityprofile"> <title>Security Profile</title> - <para>A security profile is a set of configuration options that - attempts to achieve the desired ratio of security to convenience by - enabling and disabling certain programs and other settings.</para> + <para>A <quote>security profile</quote> is a set of + configuration options that attempts to achieve the desired + ratio of security to convenience by enabling and disabling + certain programs and other settings. The more severe the + security profile, the fewer programs will be enabled by + default. This is one of the basic principles of security: do + not run anything except what you must.</para> + + <para>Please note that the security profile is just a default + setting. All programs can be enabled and disabled after you + have installed FreeBSD by editing or adding the appropriate + line(s) to <filename>/etc/rc.conf</filename>. For more + information, please see the &man.rc.conf.5; manual + page.</para> + + <para>The following table describes what each of the security + profiles does. 
The columns are the choices you have for a + security profile, and the rows are the program or feature that + the profile enables or disables.</para> + + <table> + <title>Possible security profiles</title> + + <tgroup cols=3> + <thead> + <row> + <entry></entry> - <para>More information about security profiles can be found in the - <ulink - url="../faq/install.html#SECURITY-PROFILES"> - FreeBSD FAQ</ulink>.</para> + <entry>Extreme</entry> + + <entry>Moderate</entry> + </row> + </thead> + + <tbody> + + <row> + <entry>&man.sendmail.8;</entry> + + <entry>NO</entry> + + <entry>YES</entry> + </row> + + <row> + <entry>&man.sshd.8;</entry> + + <entry>NO</entry> + + <entry>YES</entry> + </row> + + <row> + <entry>&man.portmap.8;</entry> + + <entry>NO</entry> + + <entry>MAYBE + <footnote> + <para>The portmapper is enabled if the machine has + been configured as an NFS client or server earlier + in the installation.</para> + </footnote> + </entry> + </row> + + <row> + <entry>NFS server</entry> + + <entry>NO</entry> + + <entry>YES</entry> + </row> + + <row> + <entry>&man.securelevel.8;</entry> + + <entry>YES (2) + <footnote> + <para>If you choose a security profile that sets the + securelevel (Extreme or High), you must be aware + of the implications. Please read the &man.init.8; + manual page and pay particular attention to the + meanings of the security levels, or you may have + significant trouble later!</para> + </footnote> + </entry> + + <entry>NO</entry> + </row> + </tbody> + </tgroup> + </table> <screen> User Confirmation Requested Do you want to select a default security profile for this host (select 
@@ -3268,6 +3353,18 @@ To change any of these settings later, edit /etc/rc.conf <para>Press <keycap>Enter</keycap> to continue with the post-installation configuration.</para> + + <warning> + <para>The security profile is not a silver bullet! Even if + you use the extreme setting, you need to keep up with + security issues by reading an appropriate <ulink + url="../handbook/eresources.html#ERESOURCES-MAIL">mailing + list</ulink>, using good passwords and passphrases, and + generally adhering to good security practices. It simply + sets up the desired security to convenience ratio out of the + box.</para> + </warning> + </sect2> <sect2 id="console"> |
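Review bot: In the first hunk (@@ -3193,14 +3193,99 @@), the securelevel footnote says "Extreme or High", but the new table only has Extreme and Moderate columns, so a reader cannot tell which profile "High" refers to. Either name the profiles exactly as the table columns do, or add the missing column. In the same hunk, the row label uses &man.securelevel.8; while the footnote sends readers to &man.init.8; for the meaning of the levels; please confirm that the securelevel.8 entity resolves to a real manual page, or label the row as plain text the way the "NFS server" row does. A smaller style point: `<tgroup cols=3>` would be safer written with the attribute value quoted.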
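Review bot: In the second hunk (@@ -3268,6 +3353,18 @@), the new warning links to the mailing lists with `<ulink url="../handbook/eresources.html#ERESOURCES-MAIL">` even though this file is itself part of the handbook (handbook/install/chapter.sgml). A relative URL breaks whenever the output layout changes, for example in a single-file build, so an internal cross-reference to that section would be more robust. Also consider moving the warning ahead of the profile selection screen: as placed, it follows "Press Enter to continue with the post-installation configuration", so the reader sees it only after the choice has been made.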