diff options
author | Jordan K. Hubbard <jkh@FreeBSD.org> | 2000-09-22 19:12:41 +0000 |
---|---|---|
committer | Jordan K. Hubbard <jkh@FreeBSD.org> | 2000-09-22 19:12:41 +0000 |
commit | b9d13dac472e7f33219e3180feb658f2a31513d0 (patch) | |
tree | 6e57b91c9f4ea234ef6432218946e4085ccfb0bf /usr.sbin/sysinstall/config.c | |
parent | 7d326fa79383307aa72aff5509a14e83359baf5f (diff) | |
download | src-b9d13dac472e7f33219e3180feb658f2a31513d0.tar.gz src-b9d13dac472e7f33219e3180feb658f2a31513d0.zip |
One whack at the idea of having "security profiles" which select the
appropriate(?) defaults for "low", "medium" and "high" security
environments. Medium is basically what we currently have with a little
seat-belt tightening where it made sense. Low is the same as medium but
without the tightening. High is positively fascist with nothing turned
on by default and an automatic call to 911 if it can find a modem.
Notes
Notes:
svn path=/head/; revision=66263
Diffstat (limited to 'usr.sbin/sysinstall/config.c')
-rw-r--r-- | usr.sbin/sysinstall/config.c | 93 |
1 files changed, 89 insertions, 4 deletions
diff --git a/usr.sbin/sysinstall/config.c b/usr.sbin/sysinstall/config.c index 8ce295ba0e14..cf37e946e899 100644 --- a/usr.sbin/sysinstall/config.c +++ b/usr.sbin/sysinstall/config.c @@ -388,10 +388,6 @@ configRC_conf(void) fprintf(rcSite, "# This file now contains just the overrides from /etc/defaults/rc.conf\n"); fprintf(rcSite, "# please make all changes to this file.\n\n"); fprintf(rcSite, "# Enable network daemons for user convenience.\n"); - fprintf(rcSite, "inetd_enable=\"YES\"\n"); - fprintf(rcSite, "portmap_enable=\"YES\"\n"); - fprintf(rcSite, "sendmail_enable=\"YES\"\n"); - fprintf(rcSite, "sshd_enable=\"YES\"\n"); } /* Now do variable substitutions */ @@ -470,6 +466,95 @@ configLinux(dialogMenuItem *self) return i; } +int +configSecurityProfile(dialogMenuItem *self) +{ + WINDOW *w = savescr(); + + dialog_clear_norefresh(); + dmenuOpenSimple(&MenuSecurityProfile, FALSE); + restorescr(w); + return DITEM_SUCCESS; +} + +/* Use the most fascist security settings */ +int +configSecurityFascist(dialogMenuItem *self) +{ + WINDOW *w = savescr(); + + variable_set2("inetd_enable", "NO", 1); + variable_set2("portmap_enable", "NO", 1); + variable_set2("sendmail_enable", "NO", 1); + variable_set2("sshd_enable", "NO", 1); + variable_set2("nfs_server_enable", "NO", 1); + variable_set2("kern_securelevel_enable", "YES", 1); + variable_set2("kern_securelevel", "2", 1); + /* More fascist stuff should go here */ + + msgConfirm("High security settings have been selected.\n\n" + "This means that most \"popular\" network services and\n" + "mechanisms like inetd(8) have been DISABLED by default.\n\n" + "PLEASE NOTE that this still does not save you from having\n" + "to properly secure your system in other ways or exercise\n" + "due diligence in your administration, this simply picks\n" + "a more secure set of out-of-box defaults to start with.\n\n" + "To change any of these settings later, edit /etc/rc.conf"); + + restorescr(w); + return DITEM_SUCCESS; +} + +int +configSecurityModerate(dialogMenuItem *self) +{ + WINDOW *w = savescr(); + + variable_set2("inetd_enable", "YES", 1); + if (!variable_cmp("nfs_client_enable", "YES") || + !variable_cmp("nfs_server_enable", "YES")) + variable_set2("portmap_enable", "YES", 1); + if (!variable_cmp("nfs_server_enable", "YES")) + variable_set2("nfs_reserved_port_only", "YES", 1); + variable_set2("sendmail_enable", "YES", 1); + variable_set2("sshd_enable", "YES", 1); + + msgConfirm("Moderate security settings have been selected.\n\n" + "This means that most \"popular\" network services and\n" + "mechanisms like inetd(8) have been enabled by default\n" + "for a comfortable user experience but with possible\n" + "trade-offs in system security. If this bothers you and\n" + "you know exactly what you are doing, select the high\n" + "high security profile instead.\n\n" + "To change any of these settings later, edit /etc/rc.conf"); + + restorescr(w); + return DITEM_SUCCESS; +} + +int +configSecurityLiberal(dialogMenuItem *self) +{ + WINDOW *w = savescr(); + + variable_set2("inetd_enable", "YES", 1); + variable_set2("portmap_enable", "YES", 1); + variable_set2("sendmail_enable", "YES", 1); + variable_set2("sshd_enable", "YES", 1); + + msgConfirm("Liberal security settings have been selected.\n\n" + "This means that most \"popular\" network services and\n" + "mechanisms like inetd(8) have been enabled by default\n" + "for the most comfortable user experience but with possible\n" + "trade-offs in system security. If this bothers you, select\n" + "the medium security profile or, if you know exactly what you\n" + "are doing, the high security profile instead.\n\n" + "To change any of these settings later, edit /etc/rc.conf"); + + restorescr(w); + return DITEM_SUCCESS; +} + static void write_root_xprofile(char *str) { |