From 4880db4afd770d659b61bc56ead564cf112b7717 Mon Sep 17 00:00:00 2001
From: Robert Watson
Date: Sun, 28 Sep 2003 05:21:23 +0000
Subject: [PATCH] Tweak "system security profiles":

(1) Don't modify the configuration of the NFS server as a result of selecting a profile. We already explicitly prompt for the NFS server configuration during install, and the user may not get much advance notice that we're turning it off again. Instead, use profiles (for better or for worse) only for security tuning.

(2) Don't modify the sendmail setting as part of the security profile: use the default from /etc/defaults/rc.conf rather than explicitly specifying. Note that the default in /etc/defaults/rc.conf is more conservative than the explicit rc.conf entry added by sysinstall during install, as it does not permit SMTP delivery.

(3) Update "congratulations on your profile" text to reflect these changes.

Note that security profiles now affect only the securelevel and sshd settings. My leaning would be to make sshd an explicit configuration option, move securelevels to the security menu, and drop security profiles entirely. However, that requires more plumbing of sendmail than I'm currently willing to invest. We may want to add a "permit SMTP delivery" question to the install process.

---
 usr.sbin/sade/config.c       | 11 ++++-------
 usr.sbin/sysinstall/config.c | 11 ++++-------
 2 files changed, 8 insertions(+), 14 deletions(-)

diff --git a/usr.sbin/sade/config.c b/usr.sbin/sade/config.c index 5c6d12a270a4..b67e5aa6233a 100644 --- a/usr.sbin/sade/config.c +++ b/usr.sbin/sade/config.c
@@ -564,16 +564,14 @@ configSecurityExtreme(dialogMenuItem *self) { WINDOW *w = savescr(); - variable_set2("nfs_server_enable", "NO", 1); - variable_set2("sendmail_enable", "NO", 1); variable_set2("sshd_enable", "NO", 1); variable_set2("kern_securelevel_enable", "YES", 1); variable_set2("kern_securelevel", "2", 1); if (self) msgConfirm("Extreme security settings have been selected.\n\n" - "Sendmail, sshd, and NFS services have been disabled, and\n" - "securelevels have been enabled.\n\n" + "Sshd has been disabled, and kernel security levels have" + "been enabled.\n\n" "PLEASE NOTE that this still does not save you from having\n" "to properly secure your system in other ways or exercise\n" "due diligence in your administration, this simply picks\n" @@ -589,14 +587,13 @@ configSecurityModerate(dialogMenuItem *self) { WINDOW *w = savescr(); - variable_set2("sendmail_enable", "YES", 1); variable_set2("sshd_enable", "YES", 1); variable_set2("kern_securelevel_enable", "NO", 1); if (self) msgConfirm("Moderate security settings have been selected.\n\n" - "Sendmail and sshd have been enabled, securelevels are\n" - "disabled, and NFS server settings have been left intact.\n\n" + "Sshd has been enabled and kernel securelevels are disabled;\n" + "all other settings have been left intact.\n\n" "PLEASE NOTE that this still does not save you from having\n" "to properly secure your system in other ways or exercise\n" "due diligence in your administration, this simply picks\n" diff --git a/usr.sbin/sysinstall/config.c b/usr.sbin/sysinstall/config.c index 5c6d12a270a4..b67e5aa6233a 100644 --- a/usr.sbin/sysinstall/config.c +++ b/usr.sbin/sysinstall/config.c 
@@ -564,16 +564,14 @@ configSecurityExtreme(dialogMenuItem *self) { WINDOW *w = savescr(); - variable_set2("nfs_server_enable", "NO", 1); - variable_set2("sendmail_enable", "NO", 1); variable_set2("sshd_enable", "NO", 1); variable_set2("kern_securelevel_enable", "YES", 1); variable_set2("kern_securelevel", "2", 1); if (self) msgConfirm("Extreme security settings have been selected.\n\n" - "Sendmail, sshd, and NFS services have been disabled, and\n" - "securelevels have been enabled.\n\n" + "Sshd has been disabled, and kernel security levels have" + "been enabled.\n\n" "PLEASE NOTE that this still does not save you from having\n" "to properly secure your system in other ways or exercise\n" "due diligence in your administration, this simply picks\n" @@ -589,14 +587,13 @@ configSecurityModerate(dialogMenuItem *self) { WINDOW *w = savescr(); - variable_set2("sendmail_enable", "YES", 1); variable_set2("sshd_enable", "YES", 1); variable_set2("kern_securelevel_enable", "NO", 1); if (self) msgConfirm("Moderate security settings have been selected.\n\n" - "Sendmail and sshd have been enabled, securelevels are\n" - "disabled, and NFS server settings have been left intact.\n\n" + "Sshd has been enabled and kernel securelevels are disabled;\n" + "all other settings have been left intact.\n\n" "PLEASE NOTE that this still does not save you from having\n" "to properly secure your system in other ways or exercise\n" "due diligence in your administration, this simply picks\n"
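Review bot: In the configSecurityExtreme hunk, in both usr.sbin/sade/config.c and usr.sbin/sysinstall/config.c, the added literal "Sshd has been disabled, and kernel security levels have" ends with neither a space nor \n, so adjacent-string concatenation with the following "been enabled.\n\n" renders "havebeen enabled." in the dialog. End the first literal with \n, as the two removed lines did. Separately, now that the nfs_server_enable and sendmail_enable calls are gone from this function, whatever the user chose for those services earlier in the install remains in effect under "Extreme"; the Moderate text says other settings are left intact, and the Extreme text should say the same so the profile name does not imply those services were turned off.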
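Review bot: In the configSecurityModerate hunk, in both files, the new message says "kernel securelevels" while the Extreme message added by the same patch says "kernel security levels"; use one term in both dialogs. Also, with variable_set2("sendmail_enable", "YES", 1) removed, "all other settings have been left intact" is accurate but no longer tells the user anything about sendmail, which the old text named explicitly. Since the commit message notes that the /etc/defaults/rc.conf default does not permit SMTP delivery, consider stating in the dialog that the profile does not change the sendmail setting, so a user who relied on Moderate to enable inbound mail is not surprised.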