diff options
author | rwatson <rwatson@FreeBSD.org> | 2003-11-28 18:47:45 +0000 |
---|---|---|
committer | rwatson <rwatson@FreeBSD.org> | 2003-11-28 18:47:45 +0000 |
commit | e983c8d12df02353a044c03cba700a236381ae1f (patch) | |
tree | 7438a7ba82574b8c95f31336320c09863c426e53 /usr.sbin | |
parent | 769360c4407229ea650d8944b6bdd883adcdf365 (diff) | |
download | FreeBSD-src-e983c8d12df02353a044c03cba700a236381ae1f.zip FreeBSD-src-e983c8d12df02353a044c03cba700a236381ae1f.tar.gz |
Remove security profiles from sysinstall. Currently, security profile
selection is used to drive two configuration parameters:
(1) Default enable/disable for sshd
(2) Default enable/disable for securelevels
Replace this with an explicit choice to enable/disable sshd. A
follow-up commit will add a configuration option to the Security
post-install configuration menu to set the securelevel in rc.conf
explicitly. This should reduce the level of foot-shooting associated
with accidental enabling of securelevels, make the nature and
implications of the securelevel configuration options more explicit,
as well as make the choice to enable/disable sshd more explicit.
Approved by: re (scottl)
Diffstat (limited to 'usr.sbin')
-rw-r--r-- | usr.sbin/sade/config.c | 57 | ||||
-rw-r--r-- | usr.sbin/sade/install.c | 15 | ||||
-rw-r--r-- | usr.sbin/sade/menus.c | 18 | ||||
-rw-r--r-- | usr.sbin/sade/sade.h | 4 | ||||
-rw-r--r-- | usr.sbin/sysinstall/config.c | 57 | ||||
-rw-r--r-- | usr.sbin/sysinstall/help/security.hlp | 10 | ||||
-rw-r--r-- | usr.sbin/sysinstall/install.c | 15 | ||||
-rw-r--r-- | usr.sbin/sysinstall/menus.c | 18 | ||||
-rw-r--r-- | usr.sbin/sysinstall/sysinstall.h | 4 |
9 files changed, 10 insertions, 188 deletions
diff --git a/usr.sbin/sade/config.c b/usr.sbin/sade/config.c index b67e5aa6..570cb61 100644 --- a/usr.sbin/sade/config.c +++ b/usr.sbin/sade/config.c @@ -547,63 +547,6 @@ configSecurity(dialogMenuItem *self) return DITEM_SUCCESS; } -int -configSecurityProfile(dialogMenuItem *self) -{ - WINDOW *w = savescr(); - - dialog_clear_norefresh(); - dmenuOpenSimple(&MenuSecurityProfile, FALSE); - restorescr(w); - return DITEM_SUCCESS; -} - -/* Use the most extreme security settings */ -int -configSecurityExtreme(dialogMenuItem *self) -{ - WINDOW *w = savescr(); - - variable_set2("sshd_enable", "NO", 1); - variable_set2("kern_securelevel_enable", "YES", 1); - variable_set2("kern_securelevel", "2", 1); - - if (self) - msgConfirm("Extreme security settings have been selected.\n\n" - "Sshd has been disabled, and kernel security levels have" - "been enabled.\n\n" - "PLEASE NOTE that this still does not save you from having\n" - "to properly secure your system in other ways or exercise\n" - "due diligence in your administration, this simply picks\n" - "a more secure set of out-of-box defaults to start with.\n\n" - "To change any of these settings later, edit /etc/rc.conf"); - - restorescr(w); - return DITEM_SUCCESS; -} - -int -configSecurityModerate(dialogMenuItem *self) -{ - WINDOW *w = savescr(); - - variable_set2("sshd_enable", "YES", 1); - variable_set2("kern_securelevel_enable", "NO", 1); - - if (self) - msgConfirm("Moderate security settings have been selected.\n\n" - "Sshd has been enabled and kernel securelevels are disabled;\n" - "all other settings have been left intact.\n\n" - "PLEASE NOTE that this still does not save you from having\n" - "to properly secure your system in other ways or exercise\n" - "due diligence in your administration, this simply picks\n" - "a standard set of out-of-box defaults to start with.\n\n" - "To change any of these settings later, edit /etc/rc.conf"); - - restorescr(w); - return DITEM_SUCCESS; -} - static void write_root_xprofile(char *str) { diff --git a/usr.sbin/sade/install.c b/usr.sbin/sade/install.c index 4d063d2..3d5a7bd 100644 --- a/usr.sbin/sade/install.c +++ b/usr.sbin/sade/install.c @@ -529,8 +529,6 @@ installExpress(dialogMenuItem *self) if (DITEM_STATUS((i = installCommit(self))) == DITEM_SUCCESS) { i |= DITEM_LEAVE_MENU; - /* Set default security level */ - configSecurityModerate(NULL); /* Give user the option of one last configuration spree */ installConfigure(); @@ -622,6 +620,10 @@ nodisks: configInetd(self); dialog_clear_norefresh(); + if (!msgNoYes("Would you like to enable SSH login?")) + variable_set2("sshd_enable", "YES", 1); + + dialog_clear_norefresh(); if (!msgNoYes("Do you want to have anonymous FTP access to this machine?")) configAnonFTP(self); @@ -633,12 +635,6 @@ nodisks: if (!msgNoYes("Do you want to configure this machine as an NFS client?")) variable_set2("nfs_client_enable", "YES", 1); - if (!msgNoYes("Do you want to select a default security profile for\n" - "this host (select No for \"moderate\" security)?")) - configSecurityProfile(self); - else - configSecurityModerate(self); - #ifdef WITH_SYSCONS dialog_clear_norefresh(); if (!msgNoYes("Would you like to customize your system console settings?")) @@ -720,9 +716,6 @@ installCustomCommit(dialogMenuItem *self) i = installCommit(self); if (DITEM_STATUS(i) == DITEM_SUCCESS) { - /* Set default security level */ - configSecurityModerate(NULL); - /* Give user the option of one last configuration spree */ installConfigure(); return i; diff --git a/usr.sbin/sade/menus.c b/usr.sbin/sade/menus.c index 1bb348d..ef4608c 100644 --- a/usr.sbin/sade/menus.c +++ b/usr.sbin/sade/menus.c @@ -1469,7 +1469,7 @@ DMenu MenuNetworking = { dmenuVarCheck, configRouter, NULL, "router_enable=YES" }, { " Rwhod", "This machine wants to run the rwho daemon", dmenuVarCheck, dmenuToggleVariable, NULL, "rwhod_enable=YES" }, - { " Sshd", "This machine wants to run the ssh daemon", + { " SSHd", "This machine wants to run the SSH daemon", dmenuVarCheck, dmenuToggleVariable, NULL, "sshd_enable=YES" }, { " TCP Extensions", "Allow RFC1323 and RFC1644 TCP extensions?", dmenuVarCheck, dmenuToggleVariable, NULL, "tcp_extensions=YES" }, @@ -2229,8 +2229,6 @@ DMenu MenuSecurity = { NULL, { { "X Exit", "Exit this menu (returning to previous)", checkTrue, dmenuExit, NULL, NULL, '<', '<', '<' }, - { " Security Profile", "Select a security profile for the system", - NULL, configSecurityProfile }, #if 0 { " LOMAC", "Use Low Watermark Mandatory Access Control at boot", dmenuVarCheck, dmenuToggleVariable, NULL, "lomac_enable=YES" }, @@ -2240,20 +2238,6 @@ DMenu MenuSecurity = { { NULL } }, }; -DMenu MenuSecurityProfile = { - DMENU_NORMAL_TYPE | DMENU_SELECTION_RETURNS, - "Default system security profile", - "Each item in this list will set what it considers to\n" - "be \"appropriate\" values in that category for various\n" - "security-related knobs in /etc/rc.conf.", - "Select a canned security profile - F1 for help", - "security", /* help file */ - { { "X Exit", "Exit this menu (returning to previous)", NULL, dmenuExit }, - { "Moderate", "Moderate security settings.", NULL, configSecurityModerate }, - { "Extreme", "Very restrictive security settings.", NULL, configSecurityExtreme }, - { NULL } }, -}; - DMenu MenuFixit = { DMENU_NORMAL_TYPE, "Please choose a fixit option", diff --git a/usr.sbin/sade/sade.h b/usr.sbin/sade/sade.h index 14fbc74..9ba8336 100644 --- a/usr.sbin/sade/sade.h +++ b/usr.sbin/sade/sade.h @@ -452,7 +452,6 @@ extern DMenu MenuMediaTape; /* Tape media menu */ extern DMenu MenuNetworkDevice; /* Network device menu */ extern DMenu MenuNTP; /* NTP time server menu */ extern DMenu MenuSecurity; /* System security options menu */ -extern DMenu MenuSecurityProfile; /* Security profile menu */ extern DMenu MenuStartup; /* Startup services menu */ #ifdef WITH_SYSCONS extern DMenu MenuSyscons; /* System console configuration menu */ @@ -532,9 +531,6 @@ extern int configMTAPostfix(dialogMenuItem *self); extern int configMTAExim(dialogMenuItem *self); extern int configRpcBind(dialogMenuItem *self); extern int configWriteRC_conf(dialogMenuItem *self); -extern int configSecurityProfile(dialogMenuItem *self); -extern int configSecurityExtreme(dialogMenuItem *self); -extern int configSecurityModerate(dialogMenuItem *self); extern int configEtcTtys(dialogMenuItem *self); #ifdef __i386__ extern int checkLoaderACPI(void); diff --git a/usr.sbin/sysinstall/config.c b/usr.sbin/sysinstall/config.c index b67e5aa6..570cb61 100644 --- a/usr.sbin/sysinstall/config.c +++ b/usr.sbin/sysinstall/config.c @@ -547,63 +547,6 @@ configSecurity(dialogMenuItem *self) return DITEM_SUCCESS; } -int -configSecurityProfile(dialogMenuItem *self) -{ - WINDOW *w = savescr(); - - dialog_clear_norefresh(); - dmenuOpenSimple(&MenuSecurityProfile, FALSE); - restorescr(w); - return DITEM_SUCCESS; -} - -/* Use the most extreme security settings */ -int -configSecurityExtreme(dialogMenuItem *self) -{ - WINDOW *w = savescr(); - - variable_set2("sshd_enable", "NO", 1); - variable_set2("kern_securelevel_enable", "YES", 1); - variable_set2("kern_securelevel", "2", 1); - - if (self) - msgConfirm("Extreme security settings have been selected.\n\n" - "Sshd has been disabled, and kernel security levels have" - "been enabled.\n\n" - "PLEASE NOTE that this still does not save you from having\n" - "to properly secure your system in other ways or exercise\n" - "due diligence in your administration, this simply picks\n" - "a more secure set of out-of-box defaults to start with.\n\n" - "To change any of these settings later, edit /etc/rc.conf"); - - restorescr(w); - return DITEM_SUCCESS; -} - -int -configSecurityModerate(dialogMenuItem *self) -{ - WINDOW *w = savescr(); - - variable_set2("sshd_enable", "YES", 1); - variable_set2("kern_securelevel_enable", "NO", 1); - - if (self) - msgConfirm("Moderate security settings have been selected.\n\n" - "Sshd has been enabled and kernel securelevels are disabled;\n" - "all other settings have been left intact.\n\n" - "PLEASE NOTE that this still does not save you from having\n" - "to properly secure your system in other ways or exercise\n" - "due diligence in your administration, this simply picks\n" - "a standard set of out-of-box defaults to start with.\n\n" - "To change any of these settings later, edit /etc/rc.conf"); - - restorescr(w); - return DITEM_SUCCESS; -} - static void write_root_xprofile(char *str) { diff --git a/usr.sbin/sysinstall/help/security.hlp b/usr.sbin/sysinstall/help/security.hlp deleted file mode 100644 index 33e52e2..0000000 --- a/usr.sbin/sysinstall/help/security.hlp +++ /dev/null @@ -1,10 +0,0 @@ -Please see the FreeBSD FAQ for more detailed information on security -profiles. The following table is intended to give you a rough idea just -which services are enabled (or disabled) by each of the canned security -profiles: - - Extreme Medium - ------- ------ -sendmail NO YES -sshd NO YES -securelevel YES (2) NO diff --git a/usr.sbin/sysinstall/install.c b/usr.sbin/sysinstall/install.c index 4d063d2..3d5a7bd 100644 --- a/usr.sbin/sysinstall/install.c +++ b/usr.sbin/sysinstall/install.c @@ -529,8 +529,6 @@ installExpress(dialogMenuItem *self) if (DITEM_STATUS((i = installCommit(self))) == DITEM_SUCCESS) { i |= DITEM_LEAVE_MENU; - /* Set default security level */ - configSecurityModerate(NULL); /* Give user the option of one last configuration spree */ installConfigure(); @@ -622,6 +620,10 @@ nodisks: configInetd(self); dialog_clear_norefresh(); + if (!msgNoYes("Would you like to enable SSH login?")) + variable_set2("sshd_enable", "YES", 1); + + dialog_clear_norefresh(); if (!msgNoYes("Do you want to have anonymous FTP access to this machine?")) configAnonFTP(self); @@ -633,12 +635,6 @@ nodisks: if (!msgNoYes("Do you want to configure this machine as an NFS client?")) variable_set2("nfs_client_enable", "YES", 1); - if (!msgNoYes("Do you want to select a default security profile for\n" - "this host (select No for \"moderate\" security)?")) - configSecurityProfile(self); - else - configSecurityModerate(self); - #ifdef WITH_SYSCONS dialog_clear_norefresh(); if (!msgNoYes("Would you like to customize your system console settings?")) @@ -720,9 +716,6 @@ installCustomCommit(dialogMenuItem *self) i = installCommit(self); if (DITEM_STATUS(i) == DITEM_SUCCESS) { - /* Set default security level */ - configSecurityModerate(NULL); - /* Give user the option of one last configuration spree */ installConfigure(); return i; diff --git a/usr.sbin/sysinstall/menus.c b/usr.sbin/sysinstall/menus.c index 1bb348d..ef4608c 100644 --- a/usr.sbin/sysinstall/menus.c +++ b/usr.sbin/sysinstall/menus.c @@ -1469,7 +1469,7 @@ DMenu MenuNetworking = { dmenuVarCheck, configRouter, NULL, "router_enable=YES" }, { " Rwhod", "This machine wants to run the rwho daemon", dmenuVarCheck, dmenuToggleVariable, NULL, "rwhod_enable=YES" }, - { " Sshd", "This machine wants to run the ssh daemon", + { " SSHd", "This machine wants to run the SSH daemon", dmenuVarCheck, dmenuToggleVariable, NULL, "sshd_enable=YES" }, { " TCP Extensions", "Allow RFC1323 and RFC1644 TCP extensions?", dmenuVarCheck, dmenuToggleVariable, NULL, "tcp_extensions=YES" }, @@ -2229,8 +2229,6 @@ DMenu MenuSecurity = { NULL, { { "X Exit", "Exit this menu (returning to previous)", checkTrue, dmenuExit, NULL, NULL, '<', '<', '<' }, - { " Security Profile", "Select a security profile for the system", - NULL, configSecurityProfile }, #if 0 { " LOMAC", "Use Low Watermark Mandatory Access Control at boot", dmenuVarCheck, dmenuToggleVariable, NULL, "lomac_enable=YES" }, @@ -2240,20 +2238,6 @@ DMenu MenuSecurity = { { NULL } }, }; -DMenu MenuSecurityProfile = { - DMENU_NORMAL_TYPE | DMENU_SELECTION_RETURNS, - "Default system security profile", - "Each item in this list will set what it considers to\n" - "be \"appropriate\" values in that category for various\n" - "security-related knobs in /etc/rc.conf.", - "Select a canned security profile - F1 for help", - "security", /* help file */ - { { "X Exit", "Exit this menu (returning to previous)", NULL, dmenuExit }, - { "Moderate", "Moderate security settings.", NULL, configSecurityModerate }, - { "Extreme", "Very restrictive security settings.", NULL, configSecurityExtreme }, - { NULL } }, -}; - DMenu MenuFixit = { DMENU_NORMAL_TYPE, "Please choose a fixit option", diff --git a/usr.sbin/sysinstall/sysinstall.h b/usr.sbin/sysinstall/sysinstall.h index 14fbc74..9ba8336 100644 --- a/usr.sbin/sysinstall/sysinstall.h +++ b/usr.sbin/sysinstall/sysinstall.h @@ -452,7 +452,6 @@ extern DMenu MenuMediaTape; /* Tape media menu */ extern DMenu MenuNetworkDevice; /* Network device menu */ extern DMenu MenuNTP; /* NTP time server menu */ extern DMenu MenuSecurity; /* System security options menu */ -extern DMenu MenuSecurityProfile; /* Security profile menu */ extern DMenu MenuStartup; /* Startup services menu */ #ifdef WITH_SYSCONS extern DMenu MenuSyscons; /* System console configuration menu */ @@ -532,9 +531,6 @@ extern int configMTAPostfix(dialogMenuItem *self); extern int configMTAExim(dialogMenuItem *self); extern int configRpcBind(dialogMenuItem *self); extern int configWriteRC_conf(dialogMenuItem *self); -extern int configSecurityProfile(dialogMenuItem *self); -extern int configSecurityExtreme(dialogMenuItem *self); -extern int configSecurityModerate(dialogMenuItem *self); extern int configEtcTtys(dialogMenuItem *self); #ifdef __i386__ extern int checkLoaderACPI(void); |