Tweak "system security profiles:
(1) Don't modify the configuration of the NFS server as a result of
selecting a profile. We already explicitly prompt for the NFS
server configuration during install, and the user may not get
much advance notice that we're turning it off again. Instead,
use profiles (for better or for worse) only for security tuning.
(2) Don't modify the sendmail setting as part of the security profile:
use the default from /etc/defaults/rc.conf rather than explicitly
specifying. Note that the default in /etc/defaults/rc.conf is
more conservative than the explicit rc.conf entry added by
sysinstall during install, as it does not permit SMTP delivery.
(3) Update "congratulations on your profile" text to reflect these
changes.
Note that security profiles now affect only the securelevel and sshd
settings. My leaning would be to make sshd an explicit configuration
option, move securelevels to the security menu, and drop security
profiles entirely. However, that requires more plumbing of sendmail
than I'm currently willing to invest.
We may want to add a "permit SMTP delivery" question to the install
process.
This commit is contained in:
Robert Watson
parent
50028aa7d2
commit
4880db4afd
@ -564,16 +564,14 @@ configSecurityExtreme(dialogMenuItem *self)
|
||||
{
|
||||
WINDOW *w = savescr();
|
||||
|
||||
variable_set2("nfs_server_enable", "NO", 1);
|
||||
variable_set2("sendmail_enable", "NO", 1);
|
||||
variable_set2("sshd_enable", "NO", 1);
|
||||
variable_set2("kern_securelevel_enable", "YES", 1);
|
||||
variable_set2("kern_securelevel", "2", 1);
|
||||
|
||||
if (self)
|
||||
msgConfirm("Extreme security settings have been selected.\n\n"
|
||||
"Sendmail, sshd, and NFS services have been disabled, and\n"
|
||||
"securelevels have been enabled.\n\n"
|
||||
"Sshd has been disabled, and kernel security levels have"
|
||||
"been enabled.\n\n"
|
||||
"PLEASE NOTE that this still does not save you from having\n"
|
||||
"to properly secure your system in other ways or exercise\n"
|
||||
"due diligence in your administration, this simply picks\n"
|
||||
@ -589,14 +587,13 @@ configSecurityModerate(dialogMenuItem *self)
|
||||
{
|
||||
WINDOW *w = savescr();
|
||||
|
||||
variable_set2("sendmail_enable", "YES", 1);
|
||||
variable_set2("sshd_enable", "YES", 1);
|
||||
variable_set2("kern_securelevel_enable", "NO", 1);
|
||||
|
||||
if (self)
|
||||
msgConfirm("Moderate security settings have been selected.\n\n"
|
||||
"Sendmail and sshd have been enabled, securelevels are\n"
|
||||
"disabled, and NFS server settings have been left intact.\n\n"
|
||||
"Sshd has been enabled and kernel securelevels are disabled;\n"
|
||||
"all other settings have been left intact.\n\n"
|
||||
"PLEASE NOTE that this still does not save you from having\n"
|
||||
"to properly secure your system in other ways or exercise\n"
|
||||
"due diligence in your administration, this simply picks\n"
|
||||
|
||||
@ -564,16 +564,14 @@ configSecurityExtreme(dialogMenuItem *self)
|
||||
{
|
||||
WINDOW *w = savescr();
|
||||
|
||||
variable_set2("nfs_server_enable", "NO", 1);
|
||||
variable_set2("sendmail_enable", "NO", 1);
|
||||
variable_set2("sshd_enable", "NO", 1);
|
||||
variable_set2("kern_securelevel_enable", "YES", 1);
|
||||
variable_set2("kern_securelevel", "2", 1);
|
||||
|
||||
if (self)
|
||||
msgConfirm("Extreme security settings have been selected.\n\n"
|
||||
"Sendmail, sshd, and NFS services have been disabled, and\n"
|
||||
"securelevels have been enabled.\n\n"
|
||||
"Sshd has been disabled, and kernel security levels have"
|
||||
"been enabled.\n\n"
|
||||
"PLEASE NOTE that this still does not save you from having\n"
|
||||
"to properly secure your system in other ways or exercise\n"
|
||||
"due diligence in your administration, this simply picks\n"
|
||||
@ -589,14 +587,13 @@ configSecurityModerate(dialogMenuItem *self)
|
||||
{
|
||||
WINDOW *w = savescr();
|
||||
|
||||
variable_set2("sendmail_enable", "YES", 1);
|
||||
variable_set2("sshd_enable", "YES", 1);
|
||||
variable_set2("kern_securelevel_enable", "NO", 1);
|
||||
|
||||
if (self)
|
||||
msgConfirm("Moderate security settings have been selected.\n\n"
|
||||
"Sendmail and sshd have been enabled, securelevels are\n"
|
||||
"disabled, and NFS server settings have been left intact.\n\n"
|
||||
"Sshd has been enabled and kernel securelevels are disabled;\n"
|
||||
"all other settings have been left intact.\n\n"
|
||||
"PLEASE NOTE that this still does not save you from having\n"
|
||||
"to properly secure your system in other ways or exercise\n"
|
||||
"due diligence in your administration, this simply picks\n"
|
||||
|
||||
Loading…
Reference in New Issue
Block a user