author: Michael Lucas <mwlucas@FreeBSD.org> 2002-01-23 09:39:24 +0000
committer: Michael Lucas <mwlucas@FreeBSD.org> 2002-01-23 09:39:24 +0000
commit: bbe81cf2d846ef5ffba141f209b775479ef73c6d (patch)
tree: a77bce94f5391d84c001c6af68bef99db6844100
parent: 0d2965eea70550d4318159a26a052053535e0492 (diff)
The only place you're supposed to use security profiles is when
installing. So, why does the install chapter refer to the FAQ for a description of the security profiles rather than having it in-line? Descriptions moved to post-install handbook.
Notes: svn path=/head/; revision=11843
-rw-r--r-- en_US.ISO8859-1/books/handbook/install/chapter.sgml 111
1 files changed, 104 insertions, 7 deletions
diff --git a/en_US.ISO8859-1/books/handbook/install/chapter.sgml b/en_US.ISO8859-1/books/handbook/install/chapter.sgml
index 461afd6732..e364e005a3 100644
--- a/en_US.ISO8859-1/books/handbook/install/chapter.sgml
+++ b/en_US.ISO8859-1/books/handbook/install/chapter.sgml
@@ -3193,14 +3193,99 @@ Press [Enter] now to invoke an editor on /etc/exports
<sect2 id="securityprofile">
<title>Security Profile</title>
- <para>A security profile is a set of configuration options that
- attempts to achieve the desired ratio of security to convenience by
- enabling and disabling certain programs and other settings.</para>
+ <para>A <quote>security profile</quote> is a set of
+ configuration options that attempts to achieve the desired
+ ratio of security to convenience by enabling and disabling
+ certain programs and other settings. The more severe the
+ security profile, the fewer programs will be enabled by
+ default. This is one of the basic principles of security: do
+ not run anything except what you must.</para>
+
+ <para>Please note that the security profile is just a default
+ setting. All programs can be enabled and disabled after you
+ have installed FreeBSD by editing or adding the appropriate
+ line(s) to <filename>/etc/rc.conf</filename>. For more
+ information, please see the &man.rc.conf.5; manual
+ page.</para>
+
+ <para>The following table describes what each of the security
+ profiles does. The columns are the choices you have for a
+ security profile, and the rows are the program or feature that
+ the profile enables or disables.</para>
+
+ <table>
+ <title>Possible security profiles</title>
+
+ <tgroup cols=3>
+ <thead>
+ <row>
+ <entry></entry>
- <para>More information about security profiles can be found in the
- <ulink
- url="../faq/install.html#SECURITY-PROFILES">
- FreeBSD FAQ</ulink>.</para>
+ <entry>Extreme</entry>
+
+ <entry>Moderate</entry>
+ </row>
+ </thead>
+
+ <tbody>
+
+ <row>
+ <entry>&man.sendmail.8;</entry>
+
+ <entry>NO</entry>
+
+ <entry>YES</entry>
+ </row>
+
+ <row>
+ <entry>&man.sshd.8;</entry>
+
+ <entry>NO</entry>
+
+ <entry>YES</entry>
+ </row>
+
+ <row>
+ <entry>&man.portmap.8;</entry>
+
+ <entry>NO</entry>
+
+ <entry>MAYBE
+ <footnote>
+ <para>The portmapper is enabled if the machine has
+ been configured as an NFS client or server earlier
+ in the installation.</para>
+ </footnote>
+ </entry>
+ </row>
+
+ <row>
+ <entry>NFS server</entry>
+
+ <entry>NO</entry>
+
+ <entry>YES</entry>
+ </row>
+
+ <row>
+ <entry>&man.securelevel.8;</entry>
+
+ <entry>YES (2)
+ <footnote>
+ <para>If you choose a security profile that sets the
+ securelevel (Extreme or High), you must be aware
+ of the implications. Please read the &man.init.8;
+ manual page and pay particular attention to the
+ meanings of the security levels, or you may have
+ significant trouble later!</para>
+ </footnote>
+ </entry>
+
+ <entry>NO</entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </table>
<screen> User Confirmation Requested
Do you want to select a default security profile for this host (select
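Review bot: The securelevel footnote refers to "a security profile that sets the securelevel (Extreme or High)", but the table added in this hunk has only Extreme and Moderate columns, so the reader is pointed at a High profile that the table never describes. Either add the missing column or reword the footnote so it matches the profiles shown. In the same row, "YES (2)" should say that 2 is the securelevel value, and the row label uses &man.securelevel.8; while the footnote sends the reader to &man.init.8; for the meaning of the levels, so it is worth confirming that the first entity is defined. Minor: quote the attribute value in <tgroup cols=3>.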
@@ -3268,6 +3353,18 @@ To change any of these settings later, edit /etc/rc.conf
<para>Press <keycap>Enter</keycap> to continue with the
post-installation configuration.</para>
+
+ <warning>
+ <para>The security profile is not a silver bullet! Even if
+ you use the extreme setting, you need to keep up with
+ security issues by reading an appropriate <ulink
+ url="../handbook/eresources.html#ERESOURCES-MAIL">mailing
+ list</ulink>, using good passwords and passphrases, and
+ generally adhering to good security practices. It simply
+ sets up the desired security to convenience ratio out of the
+ box.</para>
+ </warning>
+
</sect2>
<sect2 id="console">
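Review bot: The ulink in the new warning uses url="../handbook/eresources.html#ERESOURCES-MAIL", a relative path back into the handbook from a file that is itself part of the handbook (books/handbook/install/chapter.sgml), so the link depends on the rendered directory layout. An internal cross-reference to the mailing-list section's id would be more robust. Wording: the last sentence starts with "It" right after a list of practices, so spell out "The security profile simply sets up ...", and hyphenate "security-to-convenience ratio". Since the warning matters most when the profile is chosen, consider placing it before the selection dialog rather than after "Press Enter to continue".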