summaryrefslogtreecommitdiffstats
path: root/usr.sbin
diff options
context:
space:
mode:
authorrwatson <rwatson@FreeBSD.org>2003-11-28 18:47:45 +0000
committerrwatson <rwatson@FreeBSD.org>2003-11-28 18:47:45 +0000
commite983c8d12df02353a044c03cba700a236381ae1f (patch)
tree7438a7ba82574b8c95f31336320c09863c426e53 /usr.sbin
parent769360c4407229ea650d8944b6bdd883adcdf365 (diff)
downloadFreeBSD-src-e983c8d12df02353a044c03cba700a236381ae1f.zip
FreeBSD-src-e983c8d12df02353a044c03cba700a236381ae1f.tar.gz
Remove security profiles from sysinstall. Currently, security profile
selection is used to drive two configuration parameters: (1) Default enable/disable for sshd (2) Default enable/disable for securelevels Replace this with an explicit choice to enable/disable sshd. A follow-up commit will add a configuration option to the Security post-install configuration menu to set the securelevel in rc.conf explicitly. This should reduce the level of foot-shooting associated with accidental enabling of securelevels, make the nature and implications of the securelevel configuration options more explicit, as well as make the choice to enable/disable sshd more explicit. Approved by: re (scottl)
Diffstat (limited to 'usr.sbin')
-rw-r--r--usr.sbin/sade/config.c57
-rw-r--r--usr.sbin/sade/install.c15
-rw-r--r--usr.sbin/sade/menus.c18
-rw-r--r--usr.sbin/sade/sade.h4
-rw-r--r--usr.sbin/sysinstall/config.c57
-rw-r--r--usr.sbin/sysinstall/help/security.hlp10
-rw-r--r--usr.sbin/sysinstall/install.c15
-rw-r--r--usr.sbin/sysinstall/menus.c18
-rw-r--r--usr.sbin/sysinstall/sysinstall.h4
9 files changed, 10 insertions, 188 deletions
diff --git a/usr.sbin/sade/config.c b/usr.sbin/sade/config.c
index b67e5aa6..570cb61 100644
--- a/usr.sbin/sade/config.c
+++ b/usr.sbin/sade/config.c
@@ -547,63 +547,6 @@ configSecurity(dialogMenuItem *self)
return DITEM_SUCCESS;
}
-int
-configSecurityProfile(dialogMenuItem *self)
-{
- WINDOW *w = savescr();
-
- dialog_clear_norefresh();
- dmenuOpenSimple(&MenuSecurityProfile, FALSE);
- restorescr(w);
- return DITEM_SUCCESS;
-}
-
-/* Use the most extreme security settings */
-int
-configSecurityExtreme(dialogMenuItem *self)
-{
- WINDOW *w = savescr();
-
- variable_set2("sshd_enable", "NO", 1);
- variable_set2("kern_securelevel_enable", "YES", 1);
- variable_set2("kern_securelevel", "2", 1);
-
- if (self)
- msgConfirm("Extreme security settings have been selected.\n\n"
- "Sshd has been disabled, and kernel security levels have"
- "been enabled.\n\n"
- "PLEASE NOTE that this still does not save you from having\n"
- "to properly secure your system in other ways or exercise\n"
- "due diligence in your administration, this simply picks\n"
- "a more secure set of out-of-box defaults to start with.\n\n"
- "To change any of these settings later, edit /etc/rc.conf");
-
- restorescr(w);
- return DITEM_SUCCESS;
-}
-
-int
-configSecurityModerate(dialogMenuItem *self)
-{
- WINDOW *w = savescr();
-
- variable_set2("sshd_enable", "YES", 1);
- variable_set2("kern_securelevel_enable", "NO", 1);
-
- if (self)
- msgConfirm("Moderate security settings have been selected.\n\n"
- "Sshd has been enabled and kernel securelevels are disabled;\n"
- "all other settings have been left intact.\n\n"
- "PLEASE NOTE that this still does not save you from having\n"
- "to properly secure your system in other ways or exercise\n"
- "due diligence in your administration, this simply picks\n"
- "a standard set of out-of-box defaults to start with.\n\n"
- "To change any of these settings later, edit /etc/rc.conf");
-
- restorescr(w);
- return DITEM_SUCCESS;
-}
-
static void
write_root_xprofile(char *str)
{
diff --git a/usr.sbin/sade/install.c b/usr.sbin/sade/install.c
index 4d063d2..3d5a7bd 100644
--- a/usr.sbin/sade/install.c
+++ b/usr.sbin/sade/install.c
@@ -529,8 +529,6 @@ installExpress(dialogMenuItem *self)
if (DITEM_STATUS((i = installCommit(self))) == DITEM_SUCCESS) {
i |= DITEM_LEAVE_MENU;
- /* Set default security level */
- configSecurityModerate(NULL);
/* Give user the option of one last configuration spree */
installConfigure();
@@ -622,6 +620,10 @@ nodisks:
configInetd(self);
dialog_clear_norefresh();
+ if (!msgNoYes("Would you like to enable SSH login?"))
+ variable_set2("sshd_enable", "YES", 1);
+
+ dialog_clear_norefresh();
if (!msgNoYes("Do you want to have anonymous FTP access to this machine?"))
configAnonFTP(self);
@@ -633,12 +635,6 @@ nodisks:
if (!msgNoYes("Do you want to configure this machine as an NFS client?"))
variable_set2("nfs_client_enable", "YES", 1);
- if (!msgNoYes("Do you want to select a default security profile for\n"
- "this host (select No for \"moderate\" security)?"))
- configSecurityProfile(self);
- else
- configSecurityModerate(self);
-
#ifdef WITH_SYSCONS
dialog_clear_norefresh();
if (!msgNoYes("Would you like to customize your system console settings?"))
@@ -720,9 +716,6 @@ installCustomCommit(dialogMenuItem *self)
i = installCommit(self);
if (DITEM_STATUS(i) == DITEM_SUCCESS) {
- /* Set default security level */
- configSecurityModerate(NULL);
-
/* Give user the option of one last configuration spree */
installConfigure();
return i;
diff --git a/usr.sbin/sade/menus.c b/usr.sbin/sade/menus.c
index 1bb348d..ef4608c 100644
--- a/usr.sbin/sade/menus.c
+++ b/usr.sbin/sade/menus.c
@@ -1469,7 +1469,7 @@ DMenu MenuNetworking = {
dmenuVarCheck, configRouter, NULL, "router_enable=YES" },
{ " Rwhod", "This machine wants to run the rwho daemon",
dmenuVarCheck, dmenuToggleVariable, NULL, "rwhod_enable=YES" },
- { " Sshd", "This machine wants to run the ssh daemon",
+ { " SSHd", "This machine wants to run the SSH daemon",
dmenuVarCheck, dmenuToggleVariable, NULL, "sshd_enable=YES" },
{ " TCP Extensions", "Allow RFC1323 and RFC1644 TCP extensions?",
dmenuVarCheck, dmenuToggleVariable, NULL, "tcp_extensions=YES" },
@@ -2229,8 +2229,6 @@ DMenu MenuSecurity = {
NULL,
{ { "X Exit", "Exit this menu (returning to previous)",
checkTrue, dmenuExit, NULL, NULL, '<', '<', '<' },
- { " Security Profile", "Select a security profile for the system",
- NULL, configSecurityProfile },
#if 0
{ " LOMAC", "Use Low Watermark Mandatory Access Control at boot",
dmenuVarCheck, dmenuToggleVariable, NULL, "lomac_enable=YES" },
@@ -2240,20 +2238,6 @@ DMenu MenuSecurity = {
{ NULL } },
};
-DMenu MenuSecurityProfile = {
- DMENU_NORMAL_TYPE | DMENU_SELECTION_RETURNS,
- "Default system security profile",
- "Each item in this list will set what it considers to\n"
- "be \"appropriate\" values in that category for various\n"
- "security-related knobs in /etc/rc.conf.",
- "Select a canned security profile - F1 for help",
- "security", /* help file */
- { { "X Exit", "Exit this menu (returning to previous)", NULL, dmenuExit },
- { "Moderate", "Moderate security settings.", NULL, configSecurityModerate },
- { "Extreme", "Very restrictive security settings.", NULL, configSecurityExtreme },
- { NULL } },
-};
-
DMenu MenuFixit = {
DMENU_NORMAL_TYPE,
"Please choose a fixit option",
diff --git a/usr.sbin/sade/sade.h b/usr.sbin/sade/sade.h
index 14fbc74..9ba8336 100644
--- a/usr.sbin/sade/sade.h
+++ b/usr.sbin/sade/sade.h
@@ -452,7 +452,6 @@ extern DMenu MenuMediaTape; /* Tape media menu */
extern DMenu MenuNetworkDevice; /* Network device menu */
extern DMenu MenuNTP; /* NTP time server menu */
extern DMenu MenuSecurity; /* System security options menu */
-extern DMenu MenuSecurityProfile; /* Security profile menu */
extern DMenu MenuStartup; /* Startup services menu */
#ifdef WITH_SYSCONS
extern DMenu MenuSyscons; /* System console configuration menu */
@@ -532,9 +531,6 @@ extern int configMTAPostfix(dialogMenuItem *self);
extern int configMTAExim(dialogMenuItem *self);
extern int configRpcBind(dialogMenuItem *self);
extern int configWriteRC_conf(dialogMenuItem *self);
-extern int configSecurityProfile(dialogMenuItem *self);
-extern int configSecurityExtreme(dialogMenuItem *self);
-extern int configSecurityModerate(dialogMenuItem *self);
extern int configEtcTtys(dialogMenuItem *self);
#ifdef __i386__
extern int checkLoaderACPI(void);
diff --git a/usr.sbin/sysinstall/config.c b/usr.sbin/sysinstall/config.c
index b67e5aa6..570cb61 100644
--- a/usr.sbin/sysinstall/config.c
+++ b/usr.sbin/sysinstall/config.c
@@ -547,63 +547,6 @@ configSecurity(dialogMenuItem *self)
return DITEM_SUCCESS;
}
-int
-configSecurityProfile(dialogMenuItem *self)
-{
- WINDOW *w = savescr();
-
- dialog_clear_norefresh();
- dmenuOpenSimple(&MenuSecurityProfile, FALSE);
- restorescr(w);
- return DITEM_SUCCESS;
-}
-
-/* Use the most extreme security settings */
-int
-configSecurityExtreme(dialogMenuItem *self)
-{
- WINDOW *w = savescr();
-
- variable_set2("sshd_enable", "NO", 1);
- variable_set2("kern_securelevel_enable", "YES", 1);
- variable_set2("kern_securelevel", "2", 1);
-
- if (self)
- msgConfirm("Extreme security settings have been selected.\n\n"
- "Sshd has been disabled, and kernel security levels have"
- "been enabled.\n\n"
- "PLEASE NOTE that this still does not save you from having\n"
- "to properly secure your system in other ways or exercise\n"
- "due diligence in your administration, this simply picks\n"
- "a more secure set of out-of-box defaults to start with.\n\n"
- "To change any of these settings later, edit /etc/rc.conf");
-
- restorescr(w);
- return DITEM_SUCCESS;
-}
-
-int
-configSecurityModerate(dialogMenuItem *self)
-{
- WINDOW *w = savescr();
-
- variable_set2("sshd_enable", "YES", 1);
- variable_set2("kern_securelevel_enable", "NO", 1);
-
- if (self)
- msgConfirm("Moderate security settings have been selected.\n\n"
- "Sshd has been enabled and kernel securelevels are disabled;\n"
- "all other settings have been left intact.\n\n"
- "PLEASE NOTE that this still does not save you from having\n"
- "to properly secure your system in other ways or exercise\n"
- "due diligence in your administration, this simply picks\n"
- "a standard set of out-of-box defaults to start with.\n\n"
- "To change any of these settings later, edit /etc/rc.conf");
-
- restorescr(w);
- return DITEM_SUCCESS;
-}
-
static void
write_root_xprofile(char *str)
{
diff --git a/usr.sbin/sysinstall/help/security.hlp b/usr.sbin/sysinstall/help/security.hlp
deleted file mode 100644
index 33e52e2..0000000
--- a/usr.sbin/sysinstall/help/security.hlp
+++ /dev/null
@@ -1,10 +0,0 @@
-Please see the FreeBSD FAQ for more detailed information on security
-profiles. The following table is intended to give you a rough idea just
-which services are enabled (or disabled) by each of the canned security
-profiles:
-
- Extreme Medium
- ------- ------
-sendmail NO YES
-sshd NO YES
-securelevel YES (2) NO
diff --git a/usr.sbin/sysinstall/install.c b/usr.sbin/sysinstall/install.c
index 4d063d2..3d5a7bd 100644
--- a/usr.sbin/sysinstall/install.c
+++ b/usr.sbin/sysinstall/install.c
@@ -529,8 +529,6 @@ installExpress(dialogMenuItem *self)
if (DITEM_STATUS((i = installCommit(self))) == DITEM_SUCCESS) {
i |= DITEM_LEAVE_MENU;
- /* Set default security level */
- configSecurityModerate(NULL);
/* Give user the option of one last configuration spree */
installConfigure();
@@ -622,6 +620,10 @@ nodisks:
configInetd(self);
dialog_clear_norefresh();
+ if (!msgNoYes("Would you like to enable SSH login?"))
+ variable_set2("sshd_enable", "YES", 1);
+
+ dialog_clear_norefresh();
if (!msgNoYes("Do you want to have anonymous FTP access to this machine?"))
configAnonFTP(self);
@@ -633,12 +635,6 @@ nodisks:
if (!msgNoYes("Do you want to configure this machine as an NFS client?"))
variable_set2("nfs_client_enable", "YES", 1);
- if (!msgNoYes("Do you want to select a default security profile for\n"
- "this host (select No for \"moderate\" security)?"))
- configSecurityProfile(self);
- else
- configSecurityModerate(self);
-
#ifdef WITH_SYSCONS
dialog_clear_norefresh();
if (!msgNoYes("Would you like to customize your system console settings?"))
@@ -720,9 +716,6 @@ installCustomCommit(dialogMenuItem *self)
i = installCommit(self);
if (DITEM_STATUS(i) == DITEM_SUCCESS) {
- /* Set default security level */
- configSecurityModerate(NULL);
-
/* Give user the option of one last configuration spree */
installConfigure();
return i;
diff --git a/usr.sbin/sysinstall/menus.c b/usr.sbin/sysinstall/menus.c
index 1bb348d..ef4608c 100644
--- a/usr.sbin/sysinstall/menus.c
+++ b/usr.sbin/sysinstall/menus.c
@@ -1469,7 +1469,7 @@ DMenu MenuNetworking = {
dmenuVarCheck, configRouter, NULL, "router_enable=YES" },
{ " Rwhod", "This machine wants to run the rwho daemon",
dmenuVarCheck, dmenuToggleVariable, NULL, "rwhod_enable=YES" },
- { " Sshd", "This machine wants to run the ssh daemon",
+ { " SSHd", "This machine wants to run the SSH daemon",
dmenuVarCheck, dmenuToggleVariable, NULL, "sshd_enable=YES" },
{ " TCP Extensions", "Allow RFC1323 and RFC1644 TCP extensions?",
dmenuVarCheck, dmenuToggleVariable, NULL, "tcp_extensions=YES" },
@@ -2229,8 +2229,6 @@ DMenu MenuSecurity = {
NULL,
{ { "X Exit", "Exit this menu (returning to previous)",
checkTrue, dmenuExit, NULL, NULL, '<', '<', '<' },
- { " Security Profile", "Select a security profile for the system",
- NULL, configSecurityProfile },
#if 0
{ " LOMAC", "Use Low Watermark Mandatory Access Control at boot",
dmenuVarCheck, dmenuToggleVariable, NULL, "lomac_enable=YES" },
@@ -2240,20 +2238,6 @@ DMenu MenuSecurity = {
{ NULL } },
};
-DMenu MenuSecurityProfile = {
- DMENU_NORMAL_TYPE | DMENU_SELECTION_RETURNS,
- "Default system security profile",
- "Each item in this list will set what it considers to\n"
- "be \"appropriate\" values in that category for various\n"
- "security-related knobs in /etc/rc.conf.",
- "Select a canned security profile - F1 for help",
- "security", /* help file */
- { { "X Exit", "Exit this menu (returning to previous)", NULL, dmenuExit },
- { "Moderate", "Moderate security settings.", NULL, configSecurityModerate },
- { "Extreme", "Very restrictive security settings.", NULL, configSecurityExtreme },
- { NULL } },
-};
-
DMenu MenuFixit = {
DMENU_NORMAL_TYPE,
"Please choose a fixit option",
diff --git a/usr.sbin/sysinstall/sysinstall.h b/usr.sbin/sysinstall/sysinstall.h
index 14fbc74..9ba8336 100644
--- a/usr.sbin/sysinstall/sysinstall.h
+++ b/usr.sbin/sysinstall/sysinstall.h
@@ -452,7 +452,6 @@ extern DMenu MenuMediaTape; /* Tape media menu */
extern DMenu MenuNetworkDevice; /* Network device menu */
extern DMenu MenuNTP; /* NTP time server menu */
extern DMenu MenuSecurity; /* System security options menu */
-extern DMenu MenuSecurityProfile; /* Security profile menu */
extern DMenu MenuStartup; /* Startup services menu */
#ifdef WITH_SYSCONS
extern DMenu MenuSyscons; /* System console configuration menu */
@@ -532,9 +531,6 @@ extern int configMTAPostfix(dialogMenuItem *self);
extern int configMTAExim(dialogMenuItem *self);
extern int configRpcBind(dialogMenuItem *self);
extern int configWriteRC_conf(dialogMenuItem *self);
-extern int configSecurityProfile(dialogMenuItem *self);
-extern int configSecurityExtreme(dialogMenuItem *self);
-extern int configSecurityModerate(dialogMenuItem *self);
extern int configEtcTtys(dialogMenuItem *self);
#ifdef __i386__
extern int checkLoaderACPI(void);
OpenPOWER on IntegriCloud