Add another security configuration profile, call it "high" and

rename the previous one to indicate that it's not just high, it's
extreme (everything off, secure level raised).

Submitted mostly by:	Tony Finch <dot@dotat.at>

1 files changed, 25 insertions, 0 deletions

diff --git a/usr.sbin/sade/config.c b/usr.sbin/sade/config.c
index 7fd7a64..5c2e24a 100644
--- a/usr.sbin/sade/config.c
+++ b/usr.sbin/sade/config.c
@@ -493,6 +493,31 @@ configSecurityFascist(dialogMenuItem *self)
     /* More fascist stuff should go here */
 
     if (self)
+	msgConfirm("Extreme security settings have been selected.\n\n"
+	    "This means that all \"popular\" network services and\n"
+	    "mechanisms like inetd(8) have been DISABLED by default.\n\n"
+	    "PLEASE NOTE that this still does not save you from having\n"
+	    "to properly secure your system in other ways or exercise\n"
+	    "due diligence in your administration, this simply picks\n"
+	    "a more secure set of out-of-box defaults to start with.\n\n"
+	    "To change any of these settings later, edit /etc/rc.conf");
+
+    restorescr(w);
+    return DITEM_SUCCESS;
+}
+
+int
+configSecurityHigh(dialogMenuItem *self)
+{
+    WINDOW *w = savescr();
+
+    variable_set2("inetd_enable", "NO", 1);
+    variable_set2("sendmail_enable", "YES", 1);
+    variable_set2("sshd_enable", "YES", 1);
+    variable_set2("portmap_enable", "NO", 1);
+    variable_set2("nfs_server_enable", "NO", 1);
+
+    if (self)
 	msgConfirm("High security settings have been selected.\n\n"
 	    "This means that most \"popular\" network services and\n"
 	    "mechanisms like inetd(8) have been DISABLED by default.\n\n"