Add another security configuration profile, call it "high" and

rename the previous one to indicate that it's not just high, it's
extreme (everything off, secure level raised).

Submitted mostly by:	Tony Finch <dot@dotat.at>

3 files changed, 28 insertions, 1 deletions

diff --git a/usr.sbin/sade/config.c b/usr.sbin/sade/config.c
index 7fd7a64..5c2e24a 100644
--- a/usr.sbin/sade/config.c
+++ b/usr.sbin/sade/config.c
@@ -493,6 +493,31 @@ configSecurityFascist(dialogMenuItem *self)
     /* More fascist stuff should go here */
 
     if (self)
+	msgConfirm("Extreme security settings have been selected.\n\n"
+	    "This means that all \"popular\" network services and\n"
+	    "mechanisms like inetd(8) have been DISABLED by default.\n\n"
+	    "PLEASE NOTE that this still does not save you from having\n"
+	    "to properly secure your system in other ways or exercise\n"
+	    "due diligence in your administration, this simply picks\n"
+	    "a more secure set of out-of-box defaults to start with.\n\n"
+	    "To change any of these settings later, edit /etc/rc.conf");
+
+    restorescr(w);
+    return DITEM_SUCCESS;
+}
+
+int
+configSecurityHigh(dialogMenuItem *self)
+{
+    WINDOW *w = savescr();
+
+    variable_set2("inetd_enable", "NO", 1);
+    variable_set2("sendmail_enable", "YES", 1);
+    variable_set2("sshd_enable", "YES", 1);
+    variable_set2("portmap_enable", "NO", 1);
+    variable_set2("nfs_server_enable", "NO", 1);
+
+    if (self)
 	msgConfirm("High security settings have been selected.\n\n"
 	    "This means that most \"popular\" network services and\n"
 	    "mechanisms like inetd(8) have been DISABLED by default.\n\n"
diff --git a/usr.sbin/sade/menus.c b/usr.sbin/sade/menus.c
index aa8e8d1..c4d1e90 100644
--- a/usr.sbin/sade/menus.c
+++ b/usr.sbin/sade/menus.c
@@ -1607,7 +1607,8 @@ DMenu MenuSecurityProfile = {
     { { "X Exit",	"Exit this menu (returning to previous)", NULL, configSecurityModerate },
       { "Low",		"Fairly wide-open (little) security.", NULL, configSecurityLiberal },
       { "Medium",	"Moderate security settings [DEFAULT].", NULL, configSecurityModerate },
-      { "High",		"Very restrictive security settings.", NULL, configSecurityFascist },
+      { "High",		"Fairly safe security settings.", NULL, configSecurityHigh },
+      { "Extreme",	"Very restrictive security settings.", NULL, configSecurityFascist },
       { NULL } },
 };
 
diff --git a/usr.sbin/sade/sade.h b/usr.sbin/sade/sade.h
index ba9f7b9..048a5e7 100644
--- a/usr.sbin/sade/sade.h
+++ b/usr.sbin/sade/sade.h
@@ -446,6 +446,7 @@ extern int	configNFSServer(dialogMenuItem *self);
 extern int	configWriteRC_conf(dialogMenuItem *self);
 extern int	configSecurityProfile(dialogMenuItem *self);
 extern int	configSecurityFascist(dialogMenuItem *self);
+extern int	configSecurityHigh(dialogMenuItem *self);
 extern int	configSecurityModerate(dialogMenuItem *self);
 extern int	configSecurityLiberal(dialogMenuItem *self);