From mwlucas@blackhelicopters.org Wed Aug 29 14:06:43 2001
Return-Path:
Received: from blackhelicopters.org (geburah.blackhelicopters.org [209.69.178.18]) by hub.freebsd.org (Postfix) with ESMTP id 77C9E37B406 for ; Wed, 29 Aug 2001 14:06:43 -0700 (PDT) (envelope-from mwlucas@blackhelicopters.org)
Received: (from mwlucas@localhost) by blackhelicopters.org (8.9.3/8.9.3) id RAA04371; Wed, 29 Aug 2001 17:06:42 -0400 (EDT) (envelope-from mwlucas)
Message-Id: <200108292106.RAA04371@blackhelicopters.org>
Date: Wed, 29 Aug 2001 17:06:42 -0400 (EDT)
From: mwlucas@blackhelicopters.org
Reply-To: mwlucas@blackhelicopters.org
To: FreeBSD-gnats-submit@freebsd.org
Subject: description of security profiles in FAQ is just plain wrong
X-Send-Pr-Version: 3.2

>Number: 30203
>Category: docs
>Synopsis: description of security profiles in FAQ is just plain wrong
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-doc
>State: closed
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Wed Aug 29 14:10:07 PDT 2001
>Closed-Date: Fri Aug 31 09:24:54 PDT 2001
>Last-Modified: Fri Aug 31 09:30:00 PDT 2001
>Originator: Michael Lucas
>Release: FreeBSD 3.5-STABLE i386
>Organization: None
>Environment: current -doc tree
>Description:
Robert Watson recently took an axe to the security profiles available in sysinstall. There are now only two profiles available, moderate & extreme.

This is my first -doc patch prepared entirely from reading actual source code, instead of from reading mailing lists. As such, I'm fully prepared to be told that I'm wrong.

I've also cleaned up a couple of sentences and corrected some grammar. While I might be wrong on source code, I do know that using both a colon and a semicolon in one sentence is ugly.
>How-To-Repeat:
read the source of sysinstall
>Fix:
*** book.sgml-dist Wed Aug 29 13:19:01 2001 --- book.sgml Wed Aug 29 13:44:25 2001 *************** *** 2175,2229 **** ! 
A security profile is a set of configuration ! options that attempts to achieve the desired ratio of security ! to convenience by enabling and disabling certain programs and ! other settings. The more severe the security profile, the less ! programs will be enabled by default; this is one of the basic ! principles of security: do not run anything except what you ! must. ! ! Please note that the security profile is just a default ! setting. All programs can be enabled and disabled after you have ! installed FreeBSD by editing or adding the appropriate line(s) ! to /etc/rc.conf. For more information on ! the latter, please see the &man.rc.conf.5; manual page. ! ! Following is a table that describes what each security ! profile does. The columns are the choices you have for a ! security profile, and the rows are the program or feature that ! is enabled or disabled. Possible security profiles ! Extreme - High - Moderate - Low - - &man.inetd.8; - - NO - - NO - - YES - - YES - &man.sendmail.8; --- 2175,2216 ---- ! A security profile is a set of ! configuration options that attempts to achieve the desired ! ratio of security to convenience by enabling and disabling ! certain programs and other settings. The more severe the ! security profile, the fewer programs will be enabled by ! default. This is one of the basic principles of security: ! do not run anything except what you must. ! ! Please note that the security profile is just a ! default setting. All programs can be enabled or disabled ! after you have installed FreeBSD by editing or adding the ! appropriate line(s) to /etc/rc.conf. ! For more information, please see the &man.rc.conf.5; ! manual page. ! ! Following is a table that describes what each of the ! security profiles does. The columns are the choices you ! have for a security profile, and the rows are the program ! or feature that the profile enables or disables.
Possible security profiles ! Extreme Moderate &man.sendmail.8; *************** *** 2232,2240 **** YES - YES - - YES --- 2219,2224 ---- *************** *** 2244,2252 **** YES - YES - - YES --- 2228,2233 ---- *************** *** 2254,2261 **** NO - NO - MAYBE The portmapper is enabled if the machine has been configured as an NFS client or server earlier in the --- 2235,2240 ---- *************** *** 2263,2269 **** - YES --- 2242,2247 ---- *************** *** 2271,2281 **** NO - NO - YES - YES --- 2249,2256 ---- *************** *** 2291,2315 **** - YES (1) - NO - NO
! The security profile is not a silver bullet! Setting ! it high does not mean you do not have to keep up with security ! issues by reading an appropriate mailing ! list, using good passwords and passphrases, and ! generally adhering to good security practices. It simply ! sets up the desired security to convenience ratio out of ! the box. --- 2266,2288 ---- NO ! The security profile is not a silver bullet! ! Even the extreme setting does not mean you do not ! have to keep up with security issues by reading an ! appropriate mailing ! list, using good passwords and passphrases, ! and generally adhering to good security practices. ! It simply sets up the desired security to convenience ! ratio out of the box. >Release-Note: >Audit-Trail: 
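Review bot: in the last hunk (new lines 2266-2288), the rewritten warning still carries a double negative, "Even the extreme setting does not mean you do not have to keep up with security issues", and "the extreme setting" is an awkward subject for "does not mean". State it positively, for example "Even with the extreme setting, you still need to keep up with security issues by reading an appropriate mailing list, ...", so the reader cannot take the sentence as saying the extreme profile is sufficient on its own.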
From: Dima Dorfman
To: mwlucas@blackhelicopters.org
Cc: FreeBSD-gnats-submit@freebsd.org
Subject: Re: docs/30203: description of security profiles in FAQ is just plain wrong
Date: Thu, 30 Aug 2001 03:00:25 -0700

mwlucas@blackhelicopters.org wrote:
> >Fix: > > *** book.sgml-dist Wed Aug 29 13:19:01 2001 > --- book.sgml Wed Aug 29 13:44:25 2001 > *************** > *** 2175,2229 **** > > > > ! A security profile is a set of configuration > ! options that attempts to achieve the desired ratio of security > ! to convenience by enabling and disabling certain programs and > ! other settings. The more severe the security profile, the less > ! programs will be enabled by default; this is one of the basic > ! principles of security: do not run anything except what you > ! must.

Why did all these lines get replaced? I can't tell what you changed except for the last sentence. Please try to minimize the amount of lines changed to make reviewers' and translators' lives easier. It's okay if the resulting paragraph isn't filled (e.g., some lines are too short, some overly long)--whoever commits it can fill it for you.

The same applies to some of the other paragraphs.

Other than that and a few minor markup nits, this looks pretty good. However, please submit the updated version (fixing the problem my previous paragraph describes) as a unified diff; that'd make it easier to read.

Thanks.
From: Michael Lucas
To: Dima Dorfman
Cc: FreeBSD-gnats-submit@freebsd.org
Subject: Re: docs/30203: description of security profiles in FAQ is just plain wrong
Date: Thu, 30 Aug 2001 18:22:46 -0400

--lrZ03NoBR/3+SXJZ
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

On Thu, Aug 30, 2001 at 03:00:25AM -0700, Dima Dorfman wrote:
> Why did all these lines get replaced?

Because my fingers are trained to automatically type esc-Q. :)

Is this more like it?

--
Michael Lucas mwlucas@blackhelicopters.org
http://www.blackhelicopters.org/~mwlucas/
Big Scary Daemons: http://www.oreillynet.com/pub/q/Big_Scary_Daemons

--lrZ03NoBR/3+SXJZ
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="secprof.2"

--- book.sgml-dist Thu Aug 30 11:10:07 2001 +++ book.sgml-secprof Thu Aug 30 11:10:03 2001 
@@ -2178,52 +2178,38 @@ A security profile is a set of configuration options that attempts to achieve the desired ratio of security to convenience by enabling and disabling certain programs and - other settings. The more severe the security profile, the less - programs will be enabled by default; this is one of the basic - principles of security: do not run anything except what you - must. + other settings. The more severe the security profile, the fewer + programs will be enabled by + default. This is one of the basic principles of security: + do not run anything except what you must. Please note that the security profile is just a default setting. All programs can be enabled and disabled after you have installed FreeBSD by editing or adding the appropriate line(s) - to /etc/rc.conf. For more information on - the latter, please see the &man.rc.conf.5; manual page. + to /etc/rc.conf. For more information, + please see the &man.rc.conf.5; manual page. - Following is a table that describes what each security - profile does. The columns are the choices you have for a - security profile, and the rows are the program or feature that - is enabled or disabled. + The following table describes what each of the + security profiles does. The columns are the choices you + have for a security profile, and the rows are the program + or feature that the profile enables or disables. Possible security profiles - + Extreme - High - Moderate - Low - - &man.inetd.8; - - NO - - NO - - YES - - YES - &man.sendmail.8; @@ -2232,9 +2218,6 @@ YES - YES - - YES @@ -2244,9 +2227,6 @@ YES - YES - - YES @@ -2254,8 +2234,6 @@ NO - NO - MAYBE The portmapper is enabled if the machine has been configured as an NFS client or server earlier in the @@ -2263,7 +2241,6 @@ - YES @@ -2271,11 +2248,8 @@ NO - NO - YES - YES @@ -2291,19 +2265,16 @@ - YES (1) - NO - NO
- The security profile is not a silver bullet! Setting - it high does not mean you do not have to keep up with security + The security profile is not a silver bullet! Even if you use the + extreme setting, you need to keep up with security issues by reading an appropriate mailing list, using good passwords and passphrases, and @@ -2311,6 +2282,7 @@ sets up the desired security to convenience ratio out of the box. + The security profile mechanism is meant to be used

--lrZ03NoBR/3+SXJZ--

State-Changed-From-To: open->closed
State-Changed-By: dd
State-Changed-When: Fri Aug 31 09:24:54 PDT 2001
State-Changed-Why: Patch committed, thanks!

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=30203

From: Dima Dorfman
To: Michael Lucas
Cc: FreeBSD-gnats-submit@freebsd.org
Subject: Re: docs/30203: description of security profiles in FAQ is just plain wrong
Date: Fri, 31 Aug 2001 09:24:50 -0700

Michael Lucas wrote:
> On Thu, Aug 30, 2001 at 03:00:25AM -0700, Dima Dorfman wrote:
> > Why did all these lines get replaced?
>
> Because my fingers are trained to automatically type esc-Q. :)
>
> Is this more like it?

Yes. I've applied it after fixing a few minor nits:

> --- book.sgml-dist Thu Aug 30 11:10:07 2001 > +++ book.sgml-secprof Thu Aug 30 11:10:03 2001 
> @@ -2178,52 +2178,38 @@ ... > - Following is a table that describes what each security > - profile does. The columns are the choices you have for a > - security profile, and the rows are the program or feature that > - is enabled or disabled. > + The following table describes what each of the > + security profiles does. The columns are the choices you

"...what each of the security profiles does". The verb (does) doesn't agree in number with the subject (profiles). Or something like that--you get the idea. I'm not an English teacher, so I probably got the terms all wrong. I changed 'does' to 'do'.

> > > > Extreme > > - High > - > Moderate > > - Low >

Excess vertical whitespace. This ends up looking like: Moderate which is wrong. There are some more cases of this below, which I've also fixed before committing.

Thanks!

>Unformatted:
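Review bot: in the first hunk of the unified diff (@@ -2178,52 +2178,38 @@), the sentence "All programs can be enabled and disabled after you have installed FreeBSD" is left as unchanged context, so the "and" to "or" correction made in the first version of the patch ("can be enabled or disabled") has been dropped. Restore it as a one-word change on that line; for a FAQ entry about which services a profile starts, "or" is the accurate reading, since each service is toggled independently in /etc/rc.conf.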