d/freebsd-dev
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

o Reduce the number of offered security profiles, as we now have a more

Browse Source 
conservative default, and actually prompt specifically for inetd rather
  than handling it as a side effect of the security profile.  Update the
  help file to reflect this change.
o Rename "Fascist" to "Extreme" in the source code, to match the names
  presented to the user.
o Remove portmap and inetd from profile management.  Portmap is now
  disabled by default, but automatically turned on if a feature requires
  it (such as NFS, etc).

This is an MFC candidate for 4.4-RELEASE.

Reviewed by:	freebsd-arch@FreeBSD.org
Approved by:	re@FreeBSD.org
MFC after:	2 days
This commit is contained in:
Robert Watson 2001-08-10 23:57:43 +00:00
parent 3f085c228e
commit 614af3941d
Notes: svn2git 2020-12-20 02:59:44 +00:00 
svn path=/head/; revision=81507
7 changed files with 36 additions and 171 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

85
usr.sbin/sade/config.c
View File

@ -487,25 +487,22 @@ configSecurityProfile(dialogMenuItem *self)
return DITEM_SUCCESS;
}
/* Use the most fascist security settings */
/* Use the most extreme security settings */
int
configSecurityFascist(dialogMenuItem *self)
configSecurityExtreme(dialogMenuItem *self)
{
WINDOW *w = savescr();
variable_set2("inetd_enable", "NO", 1);
variable_set2("portmap_enable", "NO", 1);
variable_set2("nfs_server_enable", "NO", 1);
variable_set2("sendmail_enable", "NO", 1);
variable_set2("sshd_enable", "NO", 1);
variable_set2("nfs_server_enable", "NO", 1);
variable_set2("kern_securelevel_enable", "YES", 1);
variable_set2("kern_securelevel", "2", 1);
/* More fascist stuff should go here */
if (self)
msgConfirm("Extreme security settings have been selected.\n\n"
"This means that all \"popular\" network services and\n"
"mechanisms like inetd(8) have been DISABLED by default.\n\n"
"Sendmail, SSHd, and NFS services have been disabled, and\n"
"securelevels have been enabled.\n"
"PLEASE NOTE that this still does not save you from having\n"
"to properly secure your system in other ways or exercise\n"
"due diligence in your administration, this simply picks\n"
@ -516,81 +513,23 @@ configSecurityFascist(dialogMenuItem *self)
return DITEM_SUCCESS;
}
int
configSecurityHigh(dialogMenuItem *self)
{
WINDOW *w = savescr();
variable_set2("inetd_enable", "NO", 1);
variable_set2("sendmail_enable", "YES", 1);
variable_set2("sshd_enable", "YES", 1);
variable_set2("portmap_enable", "NO", 1);
variable_set2("nfs_server_enable", "NO", 1);
variable_set2("kern_securelevel_enable", "YES", 1);
variable_set2("kern_securelevel", "1", 1);
if (self)
msgConfirm("High security settings have been selected.\n\n"
"This means that most \"popular\" network services and\n"
"mechanisms like inetd(8) have been DISABLED by default.\n\n"
"PLEASE NOTE that this still does not save you from having\n"
"to properly secure your system in other ways or exercise\n"
"due diligence in your administration, this simply picks\n"
"a more secure set of out-of-box defaults to start with.\n\n"
"To change any of these settings later, edit /etc/rc.conf");
restorescr(w);
return DITEM_SUCCESS;
}
int
configSecurityModerate(dialogMenuItem *self)
{
WINDOW *w = savescr();
variable_set2("inetd_enable", "YES", 1);
if (!variable_cmp("nfs_client_enable", "YES") ||
!variable_cmp("nfs_server_enable", "YES"))
variable_set2("portmap_enable", "YES", 1);
if (!variable_cmp("nfs_server_enable", "YES"))
variable_set2("nfs_reserved_port_only", "YES", 1);
variable_set2("nfs_reserved_port_only", "YES", 1);
variable_set2("sendmail_enable", "YES", 1);
variable_set2("sshd_enable", "YES", 1);
variable_set2("kern_securelevel_enable", "NO", 1);
if (self)
msgConfirm("Moderate security settings have been selected.\n\n"
"This means that most \"popular\" network services and\n"
"mechanisms like inetd(8) have been enabled by default\n"
"for a comfortable user experience but with possible\n"
"trade-offs in system security. If this bothers you and\n"
"you know exactly what you are doing, select one of the\n"
"other security profiles instead.\n\n"
"To change any of these settings later, edit /etc/rc.conf");
restorescr(w);
return DITEM_SUCCESS;
}
int
configSecurityLiberal(dialogMenuItem *self)
{
WINDOW *w = savescr();
variable_set2("inetd_enable", "YES", 1);
variable_set2("portmap_enable", "YES", 1);
variable_set2("sendmail_enable", "YES", 1);
variable_set2("sshd_enable", "YES", 1);
variable_set2("kern_securelevel_enable", "NO", 1);
if (self)
msgConfirm("Liberal security settings have been selected.\n\n"
"This means that most \"popular\" network services and\n"
"mechanisms like inetd(8) have been enabled by default\n"
"for the most comfortable user experience but with possible\n"
"trade-offs in system security. If this bothers you and\n"
"you know exactly what you are doing, select one of the\n"
"other security profiles instead.\n\n"
"Sendmail and SSHd have been enabled, securelevels are\n"
"disabled, and NFS server settings have been left intact.\n"
"PLEASE NOTE that this still does not save you from having\n"
"to properly secure your system in other ways or exercise\n"
"due diligence in your administration, this simply picks\n"
"a standard set of out-of-box defaults to start with.\n\n"
"To change any of these settings later, edit /etc/rc.conf");
restorescr(w);

4
usr.sbin/sade/menus.c
View File

@ -1673,10 +1673,8 @@ DMenu MenuSecurityProfile = {
"Select a canned security profile - F1 for help",
"security", /* help file */
{ { "X Exit", "Exit this menu (returning to previous)", NULL, configSecurityModerate },
{ "Low", "Fairly wide-open (little) security.", NULL, configSecurityLiberal },
{ "Medium", "Moderate security settings [DEFAULT].", NULL, configSecurityModerate },
{ "High", "Fairly safe security settings.", NULL, configSecurityHigh },
{ "Extreme", "Very restrictive security settings.", NULL, configSecurityFascist },
{ "Extreme", "Very restrictive security settings.", NULL, configSecurityExtreme },
{ NULL } },
};

4
usr.sbin/sade/sade.h
View File

@ -451,10 +451,8 @@ extern int configInetd(dialogMenuItem *self);
extern int configNFSServer(dialogMenuItem *self);
extern int configWriteRC_conf(dialogMenuItem *self);
extern int configSecurityProfile(dialogMenuItem *self);
extern int configSecurityFascist(dialogMenuItem *self);
extern int configSecurityHigh(dialogMenuItem *self);
extern int configSecurityExtreme(dialogMenuItem *self);
extern int configSecurityModerate(dialogMenuItem *self);
extern int configSecurityLiberal(dialogMenuItem *self);
extern int configEtcTtys(dialogMenuItem *self);
/* crc.c */

85
usr.sbin/sysinstall/config.c
View File

@ -487,25 +487,22 @@ configSecurityProfile(dialogMenuItem *self)
return DITEM_SUCCESS;
}
/* Use the most fascist security settings */
/* Use the most extreme security settings */
int
configSecurityFascist(dialogMenuItem *self)
configSecurityExtreme(dialogMenuItem *self)
{
WINDOW *w = savescr();
variable_set2("inetd_enable", "NO", 1);
variable_set2("portmap_enable", "NO", 1);
variable_set2("nfs_server_enable", "NO", 1);
variable_set2("sendmail_enable", "NO", 1);
variable_set2("sshd_enable", "NO", 1);
variable_set2("nfs_server_enable", "NO", 1);
variable_set2("kern_securelevel_enable", "YES", 1);
variable_set2("kern_securelevel", "2", 1);
/* More fascist stuff should go here */
if (self)
msgConfirm("Extreme security settings have been selected.\n\n"
"This means that all \"popular\" network services and\n"
"mechanisms like inetd(8) have been DISABLED by default.\n\n"
"Sendmail, SSHd, and NFS services have been disabled, and\n"
"securelevels have been enabled.\n"
"PLEASE NOTE that this still does not save you from having\n"
"to properly secure your system in other ways or exercise\n"
"due diligence in your administration, this simply picks\n"
@ -516,81 +513,23 @@ configSecurityFascist(dialogMenuItem *self)
return DITEM_SUCCESS;
}
int
configSecurityHigh(dialogMenuItem *self)
{
WINDOW *w = savescr();
variable_set2("inetd_enable", "NO", 1);
variable_set2("sendmail_enable", "YES", 1);
variable_set2("sshd_enable", "YES", 1);
variable_set2("portmap_enable", "NO", 1);
variable_set2("nfs_server_enable", "NO", 1);
variable_set2("kern_securelevel_enable", "YES", 1);
variable_set2("kern_securelevel", "1", 1);
if (self)
msgConfirm("High security settings have been selected.\n\n"
"This means that most \"popular\" network services and\n"
"mechanisms like inetd(8) have been DISABLED by default.\n\n"
"PLEASE NOTE that this still does not save you from having\n"
"to properly secure your system in other ways or exercise\n"
"due diligence in your administration, this simply picks\n"
"a more secure set of out-of-box defaults to start with.\n\n"
"To change any of these settings later, edit /etc/rc.conf");
restorescr(w);
return DITEM_SUCCESS;
}
int
configSecurityModerate(dialogMenuItem *self)
{
WINDOW *w = savescr();
variable_set2("inetd_enable", "YES", 1);
if (!variable_cmp("nfs_client_enable", "YES") ||
!variable_cmp("nfs_server_enable", "YES"))
variable_set2("portmap_enable", "YES", 1);
if (!variable_cmp("nfs_server_enable", "YES"))
variable_set2("nfs_reserved_port_only", "YES", 1);
variable_set2("nfs_reserved_port_only", "YES", 1);
variable_set2("sendmail_enable", "YES", 1);
variable_set2("sshd_enable", "YES", 1);
variable_set2("kern_securelevel_enable", "NO", 1);
if (self)
msgConfirm("Moderate security settings have been selected.\n\n"
"This means that most \"popular\" network services and\n"
"mechanisms like inetd(8) have been enabled by default\n"
"for a comfortable user experience but with possible\n"
"trade-offs in system security. If this bothers you and\n"
"you know exactly what you are doing, select one of the\n"
"other security profiles instead.\n\n"
"To change any of these settings later, edit /etc/rc.conf");
restorescr(w);
return DITEM_SUCCESS;
}
int
configSecurityLiberal(dialogMenuItem *self)
{
WINDOW *w = savescr();
variable_set2("inetd_enable", "YES", 1);
variable_set2("portmap_enable", "YES", 1);
variable_set2("sendmail_enable", "YES", 1);
variable_set2("sshd_enable", "YES", 1);
variable_set2("kern_securelevel_enable", "NO", 1);
if (self)
msgConfirm("Liberal security settings have been selected.\n\n"
"This means that most \"popular\" network services and\n"
"mechanisms like inetd(8) have been enabled by default\n"
"for the most comfortable user experience but with possible\n"
"trade-offs in system security. If this bothers you and\n"
"you know exactly what you are doing, select one of the\n"
"other security profiles instead.\n\n"
"Sendmail and SSHd have been enabled, securelevels are\n"
"disabled, and NFS server settings have been left intact.\n"
"PLEASE NOTE that this still does not save you from having\n"
"to properly secure your system in other ways or exercise\n"
"due diligence in your administration, this simply picks\n"
"a standard set of out-of-box defaults to start with.\n\n"
"To change any of these settings later, edit /etc/rc.conf");
restorescr(w);

21
usr.sbin/sysinstall/help/security.hlp
View File

@ -3,19 +3,14 @@ profiles. The following table is intended to give you a rough idea just
which services are enabled (or disabled) by each of the canned security
profiles:
Extreme High Medium Low
------- ---- -------- ---
inetd NO NO YES YES
sendmail NO YES YES YES
sshd NO YES YES YES
portmap NO NO * YES
nfs_server NO NO ** ***
securelevel YES (2) YES (1) NO NO
Extreme Medium
------- ------
nfs_server NO *
sendmail NO YES
sshd NO YES
securelevel YES (2) NO
NOTES:
* Portmap is enabled if the machine has been configured as either an NFS
client or an NFS server earlier in the installation process.
** If the machine has been configured as an NFS server, NFS will only run
on a reserved port.
*** No changes are made to the NFS configuration.
* If the machine has been configured as an NFS server, NFS will only run
on a reserved port.

4
usr.sbin/sysinstall/menus.c
View File

@ -1673,10 +1673,8 @@ DMenu MenuSecurityProfile = {
"Select a canned security profile - F1 for help",
"security", /* help file */
{ { "X Exit", "Exit this menu (returning to previous)", NULL, configSecurityModerate },
{ "Low", "Fairly wide-open (little) security.", NULL, configSecurityLiberal },
{ "Medium", "Moderate security settings [DEFAULT].", NULL, configSecurityModerate },
{ "High", "Fairly safe security settings.", NULL, configSecurityHigh },
{ "Extreme", "Very restrictive security settings.", NULL, configSecurityFascist },
{ "Extreme", "Very restrictive security settings.", NULL, configSecurityExtreme },
{ NULL } },
};

4
usr.sbin/sysinstall/sysinstall.h
View File

@ -451,10 +451,8 @@ extern int configInetd(dialogMenuItem *self);
extern int configNFSServer(dialogMenuItem *self);
extern int configWriteRC_conf(dialogMenuItem *self);
extern int configSecurityProfile(dialogMenuItem *self);
extern int configSecurityFascist(dialogMenuItem *self);
extern int configSecurityHigh(dialogMenuItem *self);
extern int configSecurityExtreme(dialogMenuItem *self);
extern int configSecurityModerate(dialogMenuItem *self);
extern int configSecurityLiberal(dialogMenuItem *self);
extern int configEtcTtys(dialogMenuItem *self);
/* crc.c */