From dima@unixfreak.org  Wed Mar  7 19:05:09 2001
Return-Path: <dima@unixfreak.org>
Received: from bazooka.unixfreak.org (bazooka.unixfreak.org [63.198.170.138])
	by hub.freebsd.org (Postfix) with ESMTP id 9C65C37B718
	for <FreeBSD-gnats-submit@freebsd.org>; Wed,  7 Mar 2001 19:05:08 -0800 (PST)
	(envelope-from dima@unixfreak.org)
Received: from spike.unixfreak.org (spike [192.168.2.4])
	by bazooka.unixfreak.org (Postfix) with ESMTP id 2077C3E09
	for <FreeBSD-gnats-submit@freebsd.org>; Wed,  7 Mar 2001 19:05:07 -0800 (PST)
Received: (from dima@localhost)
	by spike.unixfreak.org (8.11.2/8.11.1) id f28356S07116;
	Wed, 7 Mar 2001 19:05:06 -0800 (PST)
	(envelope-from dima)
Message-Id: <200103080305.f28356S07116@spike.unixfreak.org>
Date: Wed, 7 Mar 2001 19:05:06 -0800 (PST)
From: dima@unixfreak.org
Reply-To: dima@unixfreak.org
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: [PATCH] New FAQ entry: describe sysinstall security profiles
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         25599
>Category:       docs
>Synopsis:       [PATCH] New FAQ entry: describe sysinstall security profiles
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    keichii
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Wed Mar 07 19:10:02 PST 2001
>Closed-Date:    Sun Apr 8 11:51:54 PDT 2001
>Last-Modified:  Sun Apr 08 11:52:12 PDT 2001
>Originator:     Dima Dorfman
>Release:        FreeBSD 5.0-20010225-CURRENT i386
>Organization:
Private
>Environment:
System: FreeBSD spike.unixfreak.org 5.0-20010225-CURRENT FreeBSD 5.0-20010225-CURRENT #9: Sun Feb 25 22:49:27 PST 2001 dima@spike.unixfreak.org:/c/home/dima/w/f/src/sys/compile/SPIKE i386


>Description:

Since security profiles were introduced in sysinstall, two things
happened.  First, a lot of people started having problems installing
kernels, et cetera because the High and Extreme security profiles
raised securelevel.  Second, a lot of people wanted to know exactly
what those security profiles do.  The first problem has pretty much
been dealt with by appropriate additions to the FAQ.  The second
problem remains.

The patch below adds another FAQ entry describing the different
security profiles to the Installation chapter.

>How-To-Repeat:

Read -questions.

>Fix:

Apply the following to doc/en_US.ISO_8859-1/books/faq/book.sgml:

Index: book.sgml
===================================================================
RCS file: /st/src/FreeBSD/doc/en_US.ISO_8859-1/books/faq/book.sgml,v
retrieving revision 1.147
diff -u -r1.147 book.sgml
--- book.sgml	2001/02/28 22:47:51	1.147
+++ book.sgml	2001/03/08 03:00:41
@@ -2421,6 +2421,170 @@
 
         </answer>
       </qandaentry>
+
+      <qandaentry>
+        <question id="security-profiles">
+          <para>What are these <quote>security profiles</quote>?</para>
+        </question>
+
+        <answer>
+          <para>A <quote>security profile</quote> is a set of configuration
+            options that attempts to achieve the desired ratio of security
+            to convenience by enabling and disabling certain programs and
+            other settings.  The more severe the security profile, the less
+            programs will be enabled by default; this is one of the basic
+            principles of security: do not run anything except what you
+            must.</para>
+
+          <para>Please note that the security profile is just a default
+            setting.  All programs can be enabled and disabled after you've
+            installed FreeBSD by editing or adding the appropriate line(s)
+            to <filename>/etc/rc.conf</filename>.  For more information on
+            the latter, please see the &man.rc.conf.5; manual page.</para>
+
+          <para>Following is a table that describes what each security
+            profile does.  The columns are the choices you have for a
+            security profile, and the rows are the program or feature that
+            is enabled or disabled.</para>
+
+          <table>
+            <title>Possible security profiles</title>
+
+             <tgroup cols=5>
+               <thead>
+                 <row>
+                   <entry></entry>
+
+                   <entry>Extreme</entry>
+
+                   <entry>High</entry>
+
+                   <entry>Moderate</entry>
+
+                   <entry>Low</entry>
+                 </row>
+               </thead>
+
+               <tbody>
+                 <row>
+                   <entry>&man.inetd.8;</entry>
+
+                   <entry>NO</entry>
+
+                   <entry>NO</entry>
+
+                   <entry>YES</entry>
+
+                   <entry>YES</entry>
+                 </row>
+
+                 <row>
+                   <entry>&man.sendmail.8;</entry>
+
+                   <entry>NO</entry>
+
+                   <entry>YES</entry>
+
+                   <entry>YES</entry>
+
+                   <entry>YES</entry>
+                 </row>
+
+                 <row>
+                   <entry>&man.sshd.8;</entry>
+ 
+                   <entry>NO</entry>
+
+                   <entry>YES</entry>
+
+                   <entry>YES</entry>
+
+                   <entry>YES</entry>
+                 </row>
+
+                 <row>
+                   <entry>&man.portmap.8;</entry>
+
+                   <entry>NO</entry>
+
+                   <entry>NO</entry>
+
+                   <entry>[1]</entry>
+
+                   <entry>YES</entry>
+                 </row>
+
+                 <row>
+                   <entry>NFS server</entry>
+
+                   <entry>NO</entry>
+
+                   <entry>NO</entry>
+
+                   <entry>YES</entry>
+
+                   <entry>YES</entry>
+                 </row>
+
+                 <row>
+                   <entry>man.securelevel.XXX</entry>
+
+                   <entry>YES (2) [2]</entry>
+
+                   <entry>YES (1) [2]</entry>
+
+                   <entry>NO</entry>
+
+                   <entry>NO</entry>
+                 </row>
+               </tbody>
+             </tgroup>
+           </table>
+
+           <para>Notes:</para>
+
+           <para>
+             <orderedlist>
+               <listitem>
+                 <para>The portmapper is enabled if the machine has been
+                   configured as an NFS client or server earlier in the
+                   installation.</para>
+               </listitem>
+
+               <listitem>
+                 <para>If you choose a security profile that sets the
+                   securelevel (Extreme or High), you must be aware of the
+                   implications.  Please read the &man.init.8; manual page
+                   and pay particular attention to the meanings of the
+                   security levels, or you may have significant trouble
+                   later!</para>
+               </listitem>
+             </orderedlist>
+           </para>
+
+           <para>
+             <warning>
+               <para>The security profile is not a silver bullet!  Setting
+                 it high does not mean you do have to keep up with security
+                 issues by reading an appropriate <ulink
+                 url="../handbook/eresources.html#ERESOURCES-MAIL">mailing
+                 list</ulink>, using good passwords and passphrases, and
+                 generally adhering to good security practices.  It simply
+                 sets up the desired security to convenience ration out of
+                 the box.</para>
+             </warning>
+ 
+             <note>
+               <para>The security profile mechanism is meant to be used
+                 when you first install FreeBSD.  If you already have
+                 FreeBSD installed, it would probably be more beneficial to
+                 simply enable or disable the desired functionality.  If
+                 you really want to use a security profile, you can re-run
+                 &man.sysinstall.8; to set it.</para>
+             </note>
+           </para>
+        </answer>
+      </qandaentry>
     </qandaset>
   </chapter>
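Review bot: the warning in this hunk inverts its own point. "Setting it high does not mean you do have to keep up with security issues by reading an appropriate mailing list, ..." says the opposite of what is intended; it should read "does not mean you do not have to keep up with security issues" (or, more simply, "Setting it high does not excuse you from keeping up with security issues by reading ..."). In the same hunk the securelevel row of the table still carries the placeholder `man.securelevel.XXX` where an entity or text was meant to go; since note [2] already points readers at &man.init.8; for the meaning of the levels, a plain `<entry>securelevel</entry>` would do and would not leave a literal "XXX" in the rendered FAQ. Smaller points: "the less programs will be enabled by default" should be "the fewer programs", "security to convenience ration" should be "ratio", and two of the added lines (the blank line after the `&man.sshd.8;` entry and the one between the warning and the note) contain only trailing whitespace after the `+`.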

>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-doc->keichii 
Responsible-Changed-By: keichii 
Responsible-Changed-When: Thu Mar 8 08:07:17 PST 2001 
Responsible-Changed-Why:  
I will do this 

http://www.freebsd.org/cgi/query-pr.cgi?pr=25599 
State-Changed-From-To: open->closed 
State-Changed-By: dd 
State-Changed-When: Sun Apr 8 11:51:54 PDT 2001 
State-Changed-Why:  
I've committed this (hope you don't mind). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=25599 
>Unformatted:
