svn commit: r50003 - head/ja_JP.eucJP/books/handbook/security

Ryusuke SUZUKI ryusuke at FreeBSD.org
Wed Feb 22 15:56:25 UTC 2017


Author: ryusuke
Date: Wed Feb 22 15:56:24 2017
New Revision: 50003
URL: https://svnweb.freebsd.org/changeset/doc/50003

Log:
  - Merge the following from the English version:
  
  	r21127 -> r22195	head/ja_JP.eucJP/books/handbook/security/chapter.xml

Modified:
  head/ja_JP.eucJP/books/handbook/security/chapter.xml

Modified: head/ja_JP.eucJP/books/handbook/security/chapter.xml
==============================================================================
--- head/ja_JP.eucJP/books/handbook/security/chapter.xml	Tue Feb 21 14:34:19 2017	(r50002)
+++ head/ja_JP.eucJP/books/handbook/security/chapter.xml	Wed Feb 22 15:56:24 2017	(r50003)
@@ -3,7 +3,7 @@
      The FreeBSD Documentation Project
      The FreeBSD Japanese Documentation Project
 
-     Original revision: r21127
+     Original revision: r22195
      $FreeBSD$
 -->
 <chapter xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0" xml:id="security">
@@ -76,12 +76,6 @@
 	<para>&os; ¤Ç»È¤ï¤ì¤Æ¤¤¤ë <acronym>SSH</acronym> ¤Ç¤¢¤ë
 	  <application>OpenSSH</application> ¤ÎÀßÄꤪ¤è¤Ó»ÈÍÑÊýË¡</para>
       </listitem>
-<!--
-      <listitem>
-	<para>How to configure and load access control extension
-	  modules using the TrustedBSD <acronym>MAC</acronym> Framework.</para>
-      </listitem>
--->
 
       <listitem>
 	<para>¥Õ¥¡¥¤¥ë¥·¥¹¥Æ¥à¤Î <acronym>ACL</acronym> (¥¢¥¯¥»¥¹À©¸æ¥ê¥¹¥È)
@@ -279,7 +273,7 @@
       </listitem>
 
       <listitem>
-	<para><systemitem class="username">root</systemitem> ¤Î°ÂÁ´À­¤ò¹â¤á¤ë —
+	<para><systemitem class="username">root</systemitem> ¤Î°ÂÁ´À­¤ò¹â¤á¤ë –
 	  <systemitem class="username">root</systemitem> ¸¢¸Â¤ÇÆ°ºî¤¹¤ë¥µ¡¼¥Ð¤È
 	  suid/sgid ¥Ð¥¤¥Ê¥ê¡£</para>
       </listitem>
@@ -320,10 +314,13 @@
 
     <note>
       <title>¥³¥Þ¥ó¥ÉÂÐ¥×¥í¥È¥³¥ë</title>
-      <para>¤³¤Îʸ½ñ¤òÄ̤·¤Æ¡¢¥³¥Þ¥ó¥É¤Þ¤¿¤Ï¥¢¥×¥ê¥±¡¼¥·¥ç¥ó¤ò»Ø¤¹¤Î¤Ë¤Ï
-	<application>ÂÀ»ú</application> ¤ò»È¤¤¤Þ¤¹¡£
-	¤¿¤È¤¨¤Ð¥×¥í¥È¥³¥ë¤Ç¤¢¤ë¤ÈƱ»þ¤Ë¥³¥Þ¥ó¥É¤Ç¤â¤¢¤ë
-	ssh ¤Ê¤É¤ËÂФ·¤Æ»È¤¤¤Þ¤¹¡£</para>
+      <para>¤³¤Îʸ½ñ¤òÄ̤·¤Æ¡¢¥¢¥×¥ê¥±¡¼¥·¥ç¥ó¤ò»Ø¤¹¤Î¤Ë¤Ï
+	<application>ÂÀ»ú</application> ¤ò»È¤¤¡¢
+	¥³¥Þ¥ó¥É¤ò»Ø¤¹¾ì¹ç¤Ë¤Ï¡¢<command>ÅùÉý</command> ¥Õ¥©¥ó¥È¤ò»È¤¤¤Þ¤¹¡£
+	¥×¥í¥È¥³¥ë¤ÏÄ̾ï¤Î¥Õ¥©¥ó¥È¤Çɽ¤·¤Þ¤¹¡£
+	¤³¤Î¤è¤¦¤Ê½ñÂΤˤè¤ë¶èÊ̤ϡ¢
+	¥×¥í¥È¥³¥ë¤Ç¤¢¤ë¤ÈƱ»þ¤Ë¥³¥Þ¥ó¥É¤Ç¤â¤¢¤ë
+	ssh ¤Ê¤É¤ËÂФ·¤ÆÍ­¸ú¤Ç¤¹¡£</para>
     </note>
 
   <indexterm>
@@ -1615,7 +1612,7 @@ permit port ttyd0</programlisting>
   </sect1>
 
   <sect1 xml:id="kerberosIV">
-    <info><title>KerberosIV</title>
+    <info><title><application>KerberosIV</application></title>
       <authorgroup>
 	<author><personname><firstname>Mark</firstname><surname>Murray</surname></personname><contrib>´ó¹Æ: </contrib></author>
       </authorgroup>
@@ -1644,7 +1641,7 @@ permit port ttyd0</programlisting>
       ¤Ç¤·¤ç¤¦¡£</para>
 
     <sect2>
-      <title>KerberosIV ¤Î¥¤¥ó¥¹¥È¡¼¥ë</title>
+      <title><application>KerberosIV</application> ¤Î¥¤¥ó¥¹¥È¡¼¥ë</title>
 
       <indexterm><primary>MIT</primary></indexterm>
       <indexterm>
@@ -2694,10 +2691,10 @@ jdoe at example.org</screen>
 	  </listitem>
 
 	  <listitem>
-	    <para>¥·¥¹¥Æ¥à¤Î»þ¹ï¤ÏƱ´ü¤·¤Æ¤¤¤Þ¤¹¤«? ËÜÅö¤Ç¤¹¤«?
-	      »þ¹ï¤¬Æ±´ü¤·¤Æ¤¤¤Ê¤¤¤È
-	      (Ä̾ï¤Ï 5 ʬ°ÊÆâ¤ÇƱ´ü¤µ¤ì¤Æ¤¤¤Ê¤¤¤È)
-	      ǧ¾Ú¤Ë¼ºÇÔ¤·¤Æ¤·¤Þ¤¤¤Þ¤¹¡£</para>
+	    <para>¥ì¥ë¥à¤Ë¤¢¤ë¤¹¤Ù¤Æ¤Î¥³¥ó¥Ô¥å¡¼¥¿¤Î´Ö¤Ç»þ¹ï¤¬Æ±´ü¤·¤Æ¤¤¤Þ¤¹¤«¡©
+	      »þ¹ï¤¬Æ±´ü¤·¤Æ¤¤¤Ê¤¤¤Èǧ¾Ú¤Ë¼ºÇÔ¤·¤Æ¤·¤Þ¤¤¤Þ¤¹¡£
+	      <acronym>NTP</acronym> ¤òÍѤ¤¤¿¡¢»þ¹ï¤ÎƱ´üÊýË¡¤Ë¤Ä¤¤¤Æ¤Ï¡¢
+	      <xref linkend="network-ntp"/> ¤ò¤´Í÷¤¯¤À¤µ¤¤¡£</para>
 	  </listitem>
 
 	  <listitem>
@@ -2797,14 +2794,6 @@ jdoe at example.org</screen>
 	  </listitem>
 
 	  <listitem>
-	    <para>¥ì¥ë¥à¤Ë¤¢¤ë¤¹¤Ù¤Æ¤Î¥³¥ó¥Ô¥å¡¼¥¿¤Î´Ö¤Ç»þ¹ï¤¬Æ±´ü¤·¤Æ¤¤¤ëɬÍפ¬¤¢¤ê¤Þ¤¹¡£
-	      ¤³¤ÎÌÜŪ¤Ë´°àú¤ËŬ¤·¤Æ¤¤¤ë¤Î¤¬¡¢
-	      <acronym>NTP</acronym> ¤Ç¤¹¡£
-	      <acronym>NTP</acronym> ¤Î¾ÜºÙ¤Ë¤Ä¤¤¤Æ¤Ï¡¢
-	      <xref linkend="network-ntp"/> ¤ò¤´Í÷¤¯¤À¤µ¤¤¡£</para>
-	  </listitem>
-
-	  <listitem>
 	    <para>(¤¿¤È¤¨¤Ð°ì½µ´Ö¤È¤¤¤Ã¤¿)
 	      Ť¤Í­¸ú´ü¸Â¤Î¥Á¥±¥Ã¥È¤ò»È¤¤¤¿¤¤¾ì¹ç¤Ç¡¢
 	      <application>OpenSSH</application> ¤ò»È¤Ã¤Æ¡¢
@@ -3001,7 +2990,7 @@ jdoe at example.org</screen>
 	<listitem>
 	  <para><link
 	  xlink:href="http://web.mit.edu/Kerberos/www/dialogue.html">Designing
-	    an Authentication System: a Dialogue in Four Scenes</link></para>
+	    an Authentication System: a Dialog in Four Scenes</link></para>
 	</listitem>
 
 	<listitem>
@@ -3263,7 +3252,7 @@ jdoe at example.org</screen>
 
       <para>¸½ºß¡¢IPFW
 	¤Ë´Ø·¸¤¹¤ë¥«¡¼¥Í¥ë¥³¥ó¥Õ¥£¥°¥ì¡¼¥·¥ç¥ó¥ª¥×¥·¥ç¥ó¤Ï
-	4 ¤Ä¤¢¤ê¤Þ¤¹¡£</para>
+	5 ¤Ä¤¢¤ê¤Þ¤¹¡£</para>
 
       <variablelist>
 	<varlistentry><term><literal>options IPFIREWALL</literal></term>
@@ -3328,6 +3317,19 @@ jdoe at example.org</screen>
 
 	  </listitem>
 	</varlistentry>
+
+	<varlistentry>
+	  <term><literal>options PFIL_HOOKS</literal></term>
+
+	  <listitem>
+	    <para>&os; 5.3-RELEASE °Ê¹ß¤Î¥Ð¡¼¥¸¥ç¥ó¤Ç¤Ï¡¢
+	      ¥Ñ¥±¥Ã¥È¥Õ¥£¥ë¥¿¤Î¤¿¤á¤Ë¥³¡¼¥ë¥¢¥¦¥È¤Î¥Õ¥Ã¥¯¤òÄɲ乤뤿¤á¡¢
+	      ¤³¤Î¥ª¥×¥·¥ç¥ó¤¬É¬ÍפȤʤê¤Þ¤¹¡£
+	      ¤³¤ì¤é¤Î¥Ð¡¼¥¸¥ç¥ó¤Î &os; ¤Ç¤Ï¡¢
+	      ¤³¤Î¥ª¥×¥·¥ç¥ó¤¬»ØÄꤵ¤ì¤Æ¤¤¤Ê¤¤¤È¡¢
+	      IPFW ¤ÏÆ°ºî¤·¤Ê¤¤¤Ç¤·¤ç¤¦¡£</para>
+	  </listitem>
+	</varlistentry>
       </variablelist>
 
       <note><para>°ÊÁ°¤Î¥Ð¡¼¥¸¥ç¥ó¤Î FreeBSD ¤Ï
@@ -4038,46 +4040,226 @@ jdoe at example.org</screen>
   </sect1>
 
   <sect1 xml:id="openssl">
-    <title>OpenSSL</title>
+    <info><title>OpenSSL</title>
+      <authorgroup>
+	<author>
+	  <personname>
+	    <firstname>Tom</firstname>
+	    <surname>Rhodes</surname>
+	  </personname>
+	  <contrib>¼¹É®: </contrib>
+	</author>
+      </authorgroup>
+    </info>
+
     <indexterm>
       <primary>¥»¥­¥å¥ê¥Æ¥£</primary>
       <secondary>OpenSSL</secondary>
     </indexterm>
-    <indexterm><primary>OpenSSL</primary></indexterm>
 
-    <para>FreeBSD 4.0 ¤Ç¤Ï¡¢OpenSSL ¥Ä¡¼¥ë¥­¥Ã¥È¤¬´ðËܹ½À®¤Î°ìÉô¤Ë
-      ´Þ¤Þ¤ì¤Æ¤¤¤Þ¤¹¡£<link xlink:href="http://www.openssl.org/">OpenSSL</link> ¤Ï¡¢
-      Secure Sockets Layer v2/v3 (SSLv2/SSLv3) ¤ä Transport Layer
-      Security v1 (TLSv1) ¥Í¥Ã¥È¥ï¡¼¥¯¥»¥­¥å¥ê¥Æ¥£¥×¥í¥È¥³¥ë¤ÈƱÍͤÎ
-      ¿ÌÜŪ¤Ê°Å¹æ²½¥é¥¤¥Ö¥é¥ê¤òÄ󶡤·¤Þ¤¹¡£</para>
-
-    <para>¤·¤«¤·¤Ê¤¬¤é¡¢OpenSSL ¤Ë´Þ¤Þ¤ì¤ë¥¢¥ë¥´¥ê¥º¥à¤Î¤Ò¤È¤Ä
-      (ÆÃ¤Ë IDEA) ¤Ï¡¢¹ç½°¹ñÆâ¡¢¤½¤Î¾¤ÎÃÏ°è¤Ë¤ª¤¤¤Æ¡¢
-      Æõö¤Ë¤è¤êÊݸ¤ì¤Æ¤¤¤Þ¤¹¡£¤½¤Î¤¿¤á¡¢
-      ̵À©Ìó¤ÊÍøÍѤϵö¤µ¤ì¤Þ¤»¤ó¡£IDEA ¤Ï
-      FreeBSD ¤Î OpenSSL ÇÛÉۤ˴ޤޤì¤Æ¤¤¤Þ¤¹¤¬¡¢¥Ç¥Õ¥©¥ë¥È¤Ç¤Ï¥³¥ó¥Ñ
-      ¥¤¥ë¤µ¤ì¤Þ¤»¤ó¡£¤â¤· IDEA ¤ò»È¤¤¤¿¤¤¤Ê¤é¡¢¤½¤·¤Æ¤¢¤Ê¤¿¤¬¤½¤Î¥é¥¤
-      ¥»¥ó¥¹¾ò¹à¤Ë¹çÃפ¹¤ë¤Ê¤é¡¢<filename>/etc/make.conf</filename>
-      ¤ÎÃæ¤Î MAKE_IDEA ¥¹¥¤¥Ã¥Á¤òÍ­¸ú¤Ë¤·¤Æ¡¢
-      <command>make world</command> ¤Ç¥½¡¼¥¹¤ò¥ê¥Ó¥ë¥É¤·¤Æ¤¯¤À¤µ¤¤¡£</para>
+    <para>¿¤¯¤Î¥æ¡¼¥¶¤¬¸«Íî¤È¤·¤¬¤Á¤Êµ¡Ç½¤Î°ì¤Ä¤¬¡¢
+      &os; ¤Ë´Þ¤Þ¤ì¤Æ¤¤¤ë <application>OpenSSL</application>
+      ¥Ä¡¼¥ë¥­¥Ã¥È¤Ç¤¹¡£
+      <application>OpenSSL</application> ¤Ï¡¢
+      Ä̾ï¤ÎÄÌ¿®Áؤξå°Ì¤Ë¤¢¤ë¥È¥é¥ó¥¹¥Ý¡¼¥ÈÁؤò°Å¹æ²½¤·¡¢
+      ¿¤¯¤Î¥Í¥Ã¥È¥ï¡¼¥¯¥¢¥×¥ê¥±¡¼¥·¥ç¥ó¤ª¤è¤Ó¥µ¡¼¥Ó¥¹¤ÈÁȤ߹ç¤ï¤»¤Æ»ÈÍѤǤ­¤Þ¤¹¡£</para>
+
+    <para><application>OpenSSL</application> ¤Ï¡¢
+      ¥á¡¼¥ë¥¯¥é¥¤¥¢¥ó¥È¤Î°Å¹æ²½¤µ¤ì¤¿Ç§¾Ú¡¢
+      ¥¯¥ì¥¸¥Ã¥È¥«¡¼¥É¤Ç¤Î»Ùʧ¤¤¤È¤¤¤Ã¤¿¥¦¥§¥Ö¥Ù¡¼¥¹¤Î¼è°ú¤Ê¤É¤Ç»È¤ï¤ì¤Þ¤¹¡£
+      <filename role="package">www/apache13-ssl</filename> ¤ª¤è¤Ó
+      <filename role="package">mail/sylpheed-claws</filename>
+      ¤È¤¤¤Ã¤¿Â¿¤¯¤Î port ¤Ç¤Ï¡¢
+      <application>OpenSSL</application>
+      ¤È¤È¤â¤Ë¹½ÃÛ¤¹¤ë¥³¥ó¥Ñ¥¤¥ë¤ËÂбþ¤·¤Æ¤¤¤Þ¤¹¡£</para>
 
-    <para>¸½ºß¤Ï RSA ¥¢¥ë¥´¥ê¥º¥à¤Ï¥¢¥á¥ê¥«¤È¤½¤Î¾¤Î¹ñ¤Ç¼«Í³¤ËÍøÍѤÇ
-      ¤­¤Þ¤¹¡£°ÊÁ°¤ÏÆõö¤Ë¤è¤êÊݸ¤ì¤Æ¤¤¤Þ¤·¤¿¡£</para>
+    <note>
+      <para>¿¤¯¤Î¾ì¹ç¡¢Ports Collection ¤Ï¡¢
+	make ¤Î WITH_OPENSSL_BASE ÊÑ¿ô¤¬ÌÀ¼¨Åª¤Ë
+	<quote>yes</quote> ¤ËÀßÄꤵ¤ì¤Æ¤¤¤Ê¤¤¤È¡¢
+	<filename role="package">security/openssl</filename>
+	¤Î¹½ÃÛ¤ò»î¤ß¤Þ¤¹¡£</para>
+    </note>
 
-    <indexterm>
-      <primary>OpenSSL</primary>
-      <secondary>¥¤¥ó¥¹¥È¡¼¥ë</secondary>
-    </indexterm>
+    <para>&os; ¤Ë´Þ¤Þ¤ì¤Æ¤¤¤ë <application>OpenSSL</application>
+    ¡¡¤Î¥Ð¡¼¥¸¥ç¥ó¤Ï¡¢Secure Sockets Layer v2/v3 (SSLv2/SSLv3) ¤ä
+      Transport Layer Security v1 (TLSv1)
+      ¥Í¥Ã¥È¥ï¡¼¥¯¥»¥­¥å¥ê¥Æ¥£¥×¥í¥È¥³¥ë¤ËÂбþ¤·¤Æ¤ª¤ê¡¢
+      ¥¢¥×¥ê¥±¡¼¥·¥ç¥ó¤ÇÍøÍѤ¹¤ë¤¿¤á¤Î¿ÌÜŪ¤Ê°Å¹æ²½¥é¥¤¥Ö¥é¥ê¤È¤·¤Æ»È¤¦¤³¤È¤¬¤Ç¤­¤Þ¤¹¡£</para>
+
+    <note>
+      <para><application>OpenSSL</application> ¤Ï¡¢
+	<acronym>IDEA</acronym> ¥¢¥ë¥´¥ê¥º¥à¤ËÂбþ¤·¤Æ¤¤¤Þ¤¹¤¬¡¢
+	¹ç½°¹ñ¤ÎÆõö¤Ë¤è¤ê¡¢¥Ç¥Õ¥©¥ë¥È¤Ç¤Ï̵¸ú¤Ë¤Ê¤Ã¤Æ¤¤¤Þ¤¹¡£
+	¤â¤·»ÈÍѤ·¤¿¤¤¤Î¤Ç¤¢¤ì¤Ð¡¢¥é¥¤¥»¥ó¥¹¾ò¹à¤òɬ¤º³Îǧ¤·¡¢
+	¥é¥¤¥»¥ó¥¹¾ò¹à¤Ë¹çÃפ¹¤ë¤Î¤Ç¤¢¤ì¤Ð¡¢
+	MAKE_IDEA ÊÑ¿ô¤òÀßÄꤷ¤Æ¤¯¤À¤µ¤¤¡£</para>
+    </note>
+
+    <para>¤ª¤½¤é¤¯ºÇ¤â°ìÈÌŪ¤Ê <application>OpenSSL</application>
+      ¤ÎÍøÍÑÊýË¡¤Î¤Ò¤È¤Ä¤Ï¡¢
+      ¥½¥Õ¥È¥¦¥§¥¢¥¢¥×¥ê¥±¡¼¥·¥ç¥ó¤¬»È¤¨¤ë¤è¤¦¤Ë¾ÚÌÀ½ñ¤òÄ󶡤¹¤ë¤³¤È¤Ç¤¹¡£
+      ¤³¤ì¤é¤Î¾ÚÌÀ½ñ¤Ë¤è¤ê¡¢
+      ²ñ¼Ò¤Þ¤¿¤Ï¸Ä¿Í¤Î¸ø³«¸°¤¬¡¢
+      ²þ¤¶¤ó¤ä¤Ê¤ê¤¹¤Þ¤·¤¬¹Ô¤ï¤ì¤Æ¤¤¤Ê¤¤¤³¤È¤ò³Îǧ¤Ç¤­¤Þ¤¹¡£
+      ¤â¤·ÌäÂê¤È¤Ê¤Ã¤Æ¤¤¤ë¾ÚÌÀ½ñ¤¬¡¢Ç§¾Ú¶É
+      ¤Þ¤¿¤Ï <acronym>CA</acronym> ¤Ë¤è¤ê¸¡¾Ú¤µ¤ì¤Ê¤±¤ì¤Ð¡¢
+      Ä̾ï·Ù¹ð¤¬É½¼¨¤µ¤ì¤Þ¤¹¡£
+      ǧ¾Ú¶É¤Ï¡¢VeriSign ¤Î¤è¤¦¤Ê²ñ¼Ò¤Ç¡¢
+      ¸Ä¿Í¤Þ¤¿¤Ï²ñ¼Ò¤Î¸ø³«¸°¤Î¸¡¾Ú¤ò¹Ô¤¨¤ë¤è¤¦¤Ë¡¢
+      ¾ÚÌÀ½ñ¤Ë½ð̾¤ò¹Ô¤¤¤Þ¤¹¡£
+      ¾ÚÌÀ½ñ¤òºîÀ®¤¹¤ë¤Ë¤ÏÈñÍѤ¬¤«¤«¤ê¡¢
+      ¾ÚÌÀ½ñ¤Î»ÈÍѤÏɬ¤º¤·¤âɬÍ×¾ò·ï¤Ç¤Ï¤¢¤ê¤Þ¤»¤ó¡£
+      ¤·¤«¤·¤Ê¤¬¤é¡¢¾ÚÌÀ½ñ¤ò»È¤¦¤³¤È¤Ç¡¢
+      µ¿¤ê¿¼¤¤¥æ¡¼¥¶¤ò°Â¿´¤µ¤»¤ë¤³¤È¤¬¤Ç¤­¤Þ¤¹¡£</para>
 
     <sect2>
-      <title>¥½¡¼¥¹¥³¡¼¥É¤Î¥¤¥ó¥¹¥È¡¼¥ë</title>
+      <title>¾ÚÌÀ½ñ¤ÎºîÀ®</title>
+
+      <indexterm>
+	<primary>OpenSSL</primary>
+	<secondary>¾ÚÌÀ½ñ¤ÎºîÀ®</secondary>
+      </indexterm>
+
+      <para>°Ê²¼¤Î¥³¥Þ¥ó¥É¤Ë¤è¤ê¡¢¾ÚÌÀ½ñ¤òºîÀ®¤Ç¤­¤Þ¤¹¡£</para>
+
+      <screen>&prompt.root; <userinput>openssl req -new -nodes -out req.pem -keyout cert.pem</userinput>
+Generating a 1024 bit RSA private key
+................++++++
+.......................................++++++
+writing new private key to 'cert.pem'
+-----
+You are about to be asked to enter information that will be incorporated
+into your certificate request.
+What you are about to enter is what is called a Distinguished Name or a DN.
+There are quite a few fields but you can leave some blank
+For some fields there will be a default value,
+If you enter '.', the field will be left blank.
+-----
+Country Name (2 letter code) [AU]:<userinput><replaceable>US</replaceable></userinput>
+State or Province Name (full name) [Some-State]:<userinput><replaceable>PA</replaceable></userinput>
+Locality Name (eg, city) []:<userinput><replaceable>Pittsburgh</replaceable></userinput>
+Organization Name (eg, company) [Internet Widgits Pty Ltd]:<userinput><replaceable>My Company</replaceable></userinput>
+Organizational Unit Name (eg, section) []:<userinput><replaceable>Systems Administrator</replaceable></userinput>
+Common Name (eg, YOUR name) []:<userinput><replaceable>localhost.example.org</replaceable></userinput>
+Email Address []:<userinput><replaceable>trhodes at FreeBSD.org</replaceable></userinput>
+
+Please enter the following 'extra' attributes
+to be sent with your certificate request
+A challenge password []:<userinput><replaceable>SOME PASSWORD</replaceable></userinput>
+An optional company name []:<userinput><replaceable>Another Name</replaceable></userinput></screen>
+
+      <para><quote>Common Name</quote> ¥×¥í¥ó¥×¥Èľ¸å¤Ëɽ¼¨¤µ¤ì¤Æ¤¤¤ë¤Î¤Ï¡¢
+	¥É¥á¥¤¥ó̾¤Ç¤¹¡£
+	¤³¤Î¥×¥í¥ó¥×¥È¤Ç¤Ï¡¢¸¡¾Ú¤¹¤ë¥µ¡¼¥Ð̾¤ÎÆþÎϤ¬É¬ÍפȤʤê¤Þ¤¹¡£
+	¥É¥á¥¤¥ó̾°Ê³°¤òÆþÎϤ¹¤ë¤È¡¢Ìò¤ËΩ¤¿¤Ê¤¤¾ÚÌÀ½ñ¤¬ºîÀ®¤µ¤ì¤Þ¤¹¡£
+	¾¤Ë¤Ï¡¢Í­¸ú´ü¸Â¤ò»ØÄꤷ¤¿¤ê¡¢
+	Ê̤ΰŹ沽¥¢¥ë¥´¥ê¥º¥à¤òÁªÂò¤¹¤ë¤³¤È¤¬¤Ç¤­¤Þ¤¹¡£
+	&man.openssl.1; ¥Þ¥Ë¥å¥¢¥ë¥Ú¡¼¥¸¤Ë¤Ï¡¢
+	¥ª¥×¥·¥ç¥ó¤Î´°Á´¤Ê¥ê¥¹¥È¤ò¡£</para>
+
+      <para>Á°½Ò¤Î¥³¥Þ¥ó¥É¤ò¼Â¹Ô¤·¤¿¥Ç¥£¥ì¥¯¥È¥ê¤Ë¡¢
+	<filename>req.pem</filename> ¥Õ¥¡¥¤¥ë¤¬ºîÀ®¤µ¤ì¤Þ¤¹¡£
+	¤³¤Î¥Õ¥¡¥¤¥ë¤Ï¡¢
+	½ð̾¤Î¤¿¤á¤Ë <acronym>CA</acronym> ¤ËÁ÷¤ë¤³¤È¤Î¤Ç¤­¤ë¾ÚÌÀ½ñ½ð̾Í×µá
+	(certificate request) ¤Ç¤¹¡£</para>
+
+      <para><acronym>CA</acronym> ¤Î½ð̾¤¬É¬Íפʤ¤¾ì¹ç¤Ë¤Ï¡¢
+	¼«¸Ê½ð̾¾ÚÌÀ½ñ¤òºîÀ®¤Ç¤­¤Þ¤¹¡£
+	ºÇ½é¤Ë <acronym>CA</acronym> ¤Î¸°¤òÀ¸À®¤·¤Æ¤¯¤À¤µ¤¤¡£</para>
+
+      <screen>&prompt.root; <userinput>openssl gendsa -des3 -out \
+<filename>myca.key</filename> 1024</userinput></screen>
+
+      <para>¤³¤Î¸°¤ò»È¤Ã¤Æ¾ÚÌÀ½ñ¤òºîÀ®¤·¤Æ¤¯¤À¤µ¤¤¡£</para>
+
+      <screen>&prompt.root; <userinput>openssl req -new -x509 -days 365 -key \
+<filename>myca.key</filename> -out <filename>new.crt</filename></userinput></screen>
+
+      <para>¿·¤·¤¯ 2 ¤Ä¤Î¥Õ¥¡¥¤¥ë¤¬¤³¤Î¥Ç¥£¥ì¥¯¥È¥ê¤ËºîÀ®¤µ¤ì¤Þ¤¹¡£
+	¥×¥é¥¤¥Ù¡¼¥È¸° <filename>myca.key</filename> ¤ª¤è¤Ó
+	¾ÚÌÀ½ñ <filename>new.crt</filename> ¤Ç¤¹¡£
+	¤³¤ì¤é¤Î¥Õ¥¡¥¤¥ë¤ò¡¢(¹¥¤Þ¤·¤¯¤Ï
+	<filename role="directory">/etc</filename> °Ê²¼¤Ç)
+	root ¤Î¤ß¤¬Æɤळ¤È¤Î¤Ç¤­¤ë¥Ç¥£¥ì¥¯¥È¥ê¤ËÃÖ¤¯É¬Íפ¬¤¢¤ê¤Þ¤¹¡£
+	<command>chmod</command>
+	¥æ¡¼¥Æ¥£¥ê¥Æ¥£¤ò»È¤Ã¤Æµö²Ä°À­¤ò 0600 ¤ËÀßÄꤷ¤Æ¤¯¤À¤µ¤¤¡£</para>
+    </sect2>
+
+    <sect2>
+      <title>¾ÚÌÀ½ñ¤Î»ÈÍÑÎã</title>
+
+      <para>¤³¤ì¤é¤Î¥Õ¥¡¥¤¥ë¤Ç²¿¤¬¤Ç¤­¤ë¤Ç¤·¤ç¤¦¤«?
+	¸ú²ÌŪ¤ÊÍøÍÑÊýË¡¤Ï¡¢
+	<application>Sendmail</application>
+	<acronym>MTA</acronym> ¤Ø¤ÎÀܳ¤ò°Å¹æ²½¤¹¤ë¤³¤È¤Ç¤·¤ç¤¦¡£
+	¤³¤ì¤Ë¤è¤ê¡¢
+	¥í¡¼¥«¥ë¤Î <acronym>MTA</acronym> ·Ðͳ¤Ç¥á¡¼¥ë¤òÁ÷¿®¤¹¤ë¥æ¡¼¥¶¤¬¡¢
+	¥Æ¥­¥¹¥Èǧ¾Ú¤ò»ÈÍѤ·¤Ê¤¯¤Æ¤â¤¹¤à¤è¤¦¤Ë¤Ê¤ê¤Þ¤¹¡£</para>
 
-      <para>OpenSSL ¤Ï <literal>src-crypto</literal> ¤È
-	<literal>src-secure</literal>
-	<application>CVSup</application> ¥³¥ì¥¯¥·¥ç¥ó¤Î°ìÉô¤Ç¤¹¡£
-	FreeBSD ¤Î¥½¡¼¥¹¥³¡¼¥É¤Î¼èÆÀ¤È¹¹¿·¤Î¾ÜºÙ¤Ï¡¢
-	<link linkend="mirrors">FreeBSD
-	  ¤ÎÆþ¼ê</link>¤Î¹à¤ò»²¾È¤·¤Æ²¼¤µ¤¤¡£</para>
+      <note>
+	<para>¤¤¤¯¤Ä¤«¤Î <acronym>MUA</acronym> ¤Ï¡¢
+	  ¾ÚÌÀ½ñ¤¬¥í¡¼¥«¥ë¤Ë¥¤¥ó¥¹¥È¡¼¥ë¤µ¤ì¤Æ¤¤¤Ê¤¤¾ì¹ç¤Ë¡¢
+	  ¥æ¡¼¥¶¤ËÂФ·¤Æ¡¢¥¨¥é¡¼¤ò½ÐÎϤ¹¤ë¤Î¤Ç¡¢
+	  ´°Á´¤ËºÇÁ±¤ÎÍøÍÑÊýË¡¤È¤¤¤¦¤ï¤±¤Ç¤Ï¤¢¤ê¤Þ¤»¤ó¡£
+	  ¾ÚÌÀ½ñ¤Î¥¤¥ó¥¹¥È¡¼¥ë¤Ë´Ø¤¹¤ë¾ÜºÙ¤Ê¾ðÊó¤Ë¤Ä¤¤¤Æ¤Ï¡¢
+	  ¥½¥Õ¥È¥¦¥§¥¢¤ËÉÕ¿ï¤Îʸ½ñ¤ò»²¾È¤·¤Æ¤¯¤À¤µ¤¤¡£</para>
+      </note>
+
+      <para>°Ê²¼¤Î¹Ô¤ò¥í¡¼¥«¥ë¤Î
+	<filename>.mc</filename> ¥Õ¥¡¥¤¥ë¤ËÆþ¤ì¤Æ¤¯¤À¤µ¤¤¡£</para>
+
+      <programlisting>dnl SSL Options
+define(`confCACERT_PATH',`/etc/certs')dnl
+define(`confCACERT',`/etc/certs/new.crt')dnl
+define(`confSERVER_CERT',`/etc/certs/new.crt')dnl
+define(`confSERVER_KEY',`/etc/certs/myca.key')dnl
+define(`confTLS_SRV_OPTIONS', `V')dnl</programlisting>
+
+      <para>¤³¤³¤Ç <filename role="directory">/etc/certs/</filename>
+	¤Ï¡¢¾ÚÌÀ½ñ¤ª¤è¤Ó¸°¥Õ¥¡¥¤¥ë¤¬Êݸ¤µ¤ì¤Æ¤¤¤ë¥í¡¼¥«¥ë¤Î¥Ç¥£¥ì¥¯¥È¥ê¤Ç¤¹¡£
+	ºÇ¸å¤Ë¡¢¥í¡¼¥«¥ë¤Î <filename>.cf</filename>
+	¥Õ¥¡¥¤¥ë¤òºÆ¹½ÃÛ¤¹¤ëɬÍפ¬¤¢¤ê¤Þ¤¹¡£
+	<filename role="directory">/etc/mail</filename> ¥Ç¥£¥ì¥¯¥È¥ê¤Ç¡¢
+	<command>make</command>	<parameter>install</parameter>
+	¤ÈÆþÎϤ¹¤ë¤ÈºÆ¹½ÃۤǤ­¤Þ¤¹¡£
+	¤½¤Î¸å¡¢<command>make</command>
+	<parameter>restart</parameter> ¤ÈÆþÎϤ·¤Æ¡¢
+	<application>Sendmail</application>
+	¥Ç¡¼¥â¥ó¤òºÆµ¯Æ°¤·¤Æ¤¯¤À¤µ¤¤¡£</para>
+
+      <para>¤¹¤Ù¤Æ¤¬¤¦¤Þ¤¯¤¤¤Ã¤Æ¤¤¤ì¤Ð¡¢
+	<filename>/var/log/maillog</filename>
+	¥Õ¥¡¥¤¥ë¤Ë¤Ï¥¨¥é¡¼¥á¥Ã¥»¡¼¥¸¤Ï½ÐÎϤµ¤ì¤º¡¢
+	<application>Sendmail</application>
+	¤¬¥×¥í¥»¥¹¤Î°ìÍ÷¤Ëɽ¼¨¤µ¤ì¤Þ¤¹¡£</para>
+
+      <para>°Ê²¼¤Ï´Êñ¤Ê»î¸³¤ÎÎã¤Ç¡¢&man.telnet.1; ¥æ¡¼¥Æ¥£¥ê¥Æ¥£¤ò»È¤Ã¤Æ¡¢
+	¥á¡¼¥ë¥µ¡¼¥Ð¤ËÀܳ¤·¤Æ¤¤¤Þ¤¹¡£</para>
+
+      <screen>&prompt.root; <userinput>telnet <replaceable>example.com</replaceable> 25</userinput>
+Trying 192.0.34.166...
+Connected to  <systemitem class="ipaddress">example.com</systemitem>
+Escape character is '^]'.
+220 <systemitem class="ipaddress">example.com</systemitem> ESMTP Sendmail 8.12.10/8.12.10; Tue, 31 Aug 2004 03:41:22 -0400 (EDT)
+<userinput>ehlo <replaceable>example.com</replaceable></userinput>
+250-pittgoth.com Hello example.com [192.0.34.166], pleased to meet you
+250-ENHANCEDSTATUSCODES
+250-PIPELINING
+250-8BITMIME
+250-SIZE
+250-DSN
+250-ETRN
+250-AUTH LOGIN PLAIN
+250-STARTTLS
+250-DELIVERBY
+250 HELP
+<userinput>quit</userinput>
+221 2.0.0 <systemitem class="ipaddress">example.com</systemitem> closing connection
+Connection closed by foreign host.</screen>
+
+      <para>¤¹¤Ù¤Æ¤¬Å¬ÀÚ¤ËÆ°¤¤¤Æ¤¤¤ì¤Ð¡¢½ÐÎÏ¤Ë <quote>STARTTLS</quote>
+	¹Ô¤¬É½¼¨¤µ¤ì¤Þ¤¹¡£</para>
     </sect2>
   </sect1>
 
@@ -4437,6 +4619,11 @@ Network #2            [ Internal Hosts ]
 	¤½¤Î¸å¡¢¥×¥é¥¤¥Ù¡¼¥È IP ¥¢¥É¥ì¥¹¤ò
 	&man.ifconfig.8; ¤ò»È¤Ã¤ÆÀßÄꤷ¤Þ¤¹¡£</para>
 
+      <note>
+	<para>&os; 5.X ¤Ç¤Ï¡¢
+	  &man.gifconfig.8; ¥æ¡¼¥Æ¥£¥ê¥Æ¥£¤¬Ä󶡤·¤Æ¤¤¤¿µ¡Ç½¤Ï¡¢
+	  &man.ifconfig.8; ¤Ë¥Þ¡¼¥¸¤µ¤ì¤Þ¤·¤¿¡£</para></note>
+
       <para>¥Í¥Ã¥È¥ï¡¼¥¯ #1 ¤Ë¤¢¤ë¥²¡¼¥È¥¦¥§¥¤¥³¥ó¥Ô¥å¡¼¥¿¤Ç°Ê²¼¤Î
         2 ¤Ä¤Î¥³¥Þ¥ó¥É¤ò¼Â¹Ô¤·¤Æ¥È¥ó¥Í¥ë¤òºîÀ®¤·¤Þ¤¹¡£</para>
  
@@ -4916,7 +5103,7 @@ spdadd A.B.C.D/32 W.X.Y.Z/32 ipencap -P 
          ¤Î) ¾¤Î¥²¡¼¥È¥¦¥§¥¤¥Û¥¹¥È¤Ë¤âƱ¤¸¥ë¡¼¥ë¤¬É¬ÍפǤ¹¡£</para>
  
        <programlisting>spdadd W.X.Y.Z/32 A.B.C.D/32 ipencap -P out ipsec esp/tunnel/W.X.Y.Z-A.B.C.D/require;
-       spdadd A.B.C.D/32 W.X.Y.Z/32 ipencap -P in ipsec esp/tunnel/A.B.C.D-W.X.Y.Z/require;</programlisting>
+spdadd A.B.C.D/32 W.X.Y.Z/32 ipencap -P in ipsec esp/tunnel/A.B.C.D-W.X.Y.Z/require;</programlisting>
  
        <para>ºÇ¸å¤Ë¡¢¥Õ¥¡¥¤¥¢¥¦¥©¡¼¥ë¤Ë ESP ¤ª¤è¤Ó IPENCAP
          ¥Ñ¥±¥Ã¥È¤¬¹Ô¤­Í褹¤ë¤³¤È¤òµö²Ä¤¹¤ë¥ë¡¼¥ë¤òÄɲ乤ëɬÍפ¬¤¢¤ê¤Þ¤¹¡£
@@ -5435,270 +5622,6 @@ user at unfirewalled-system.example.org's p
       <para>&man.sshd.8; &man.sftp-server.8;</para>
     </sect2>
   </sect1>
-<!--
-  <sect1 id="mac">
-    <sect1info>
-      <authorgroup>
-	<author>
-	  <firstname>Robert</firstname>
-	  <surname>Watson</surname>
-	  <contrib>Sponsored by DARPA and Network Associates Laboratories.
-	    Contributed by </contrib>
-	</author>
-      </authorgroup>
-    </sect1info>
-    <indexterm>
-      <primary>MAC</primary>
-    </indexterm>
-    <title>Mandatory Access Control (MAC)</title>
-
-    <para>FreeBSD 5.0 includes a new kernel security framework, the
-      TrustedBSD MAC Framework.  The MAC Framework permits compile-time,
-      boot-time, and run-time extension of the kernel access control
-      policy, and can be used to load support for Mandatory Access
-      Control (<acronym>MAC</acronym>), and custom security modules
-      such as hardening modules.  The MAC Framework is currently
-      considered to be an experimental feature, and should not yet
-      be used in production environments without careful consideration.
-      It is anticipated that the MAC Framework will be appropriate for
-      more widespread production use by FreeBSD 5.2.</para>
-
-    <para>When configured into a kernel, the MAC Framework permits
-      security modules to augment the existing kernel access control
-      model, restricting access to system services and objects.  For
-      example, the &man.mac.bsdextended.4; module augments file system
-      access control, permitting administrators to provide a
-      firewall-like ruleset constraining access to file system objects
-      based on user ids and group membership.  Some modules require
-      little or no configuration, such as &man.mac.seeotheruids.4,
-      whereas others perform ubiquitous object labeling, such as
-      &man.mac.biba.4; and &man.mac.mls.4;, and require extensive
-      configuration.</para>
-
-    <para>To enable the MAC Framework in your system kernel, you must
-      add the following entry to your kernel configuration:</para>
-
-    <programlisting>options MAC</programlisting>
-
-    <para>Security policy modules shipped with the base system may
-     be loaded using &man.kldload.8; or in the boot &man.loader.8;
-     They may also be compiled directly into the kernel using the
-     following options, if the use of modules is not desired.</para>
-
-    <para>Different MAC policies may be configured in different ways;
-      frequently, MAC policy modules export configuration parameters
-      using the &man.sysctl.8; <acronym>MIB</acronym> using the
-      <varname>security.mac</varname> namespace.  Policies relying on
-      file system or other labels may require a configuration step
-      that involes assigning initial labels to system objects or
-      creating a policy configuration file.  For information on how to
-      configure and use each policy module, see its man page.</para>
-
-    <para>A variety of tools are available to configure the MAC Framework
-      and labels maintained by various policies.  Extensions have been
-      made to the login and credential management mechanisms
-      (&man.setusercontext.3;) to support initial user labeling using
-      &man.login.conf.5;.  In addition, modifications have been made
-      to &man.su.1;, &man.ps.1;, &man.ls.1;, and &man.ifconfig.8; to
-      inspect and set labels on processes, files, and interfaces.  In
-      addition, several new tools have been added to manage labels
-      on objects, including &man.getfmac.8;, &man.setfmac.8;, and
-      &man.setfsmac.8; to manage labels on files, and &man.getpmac.8; and
-      &man.setpmac.8;.</para>
-
-    <para>What follows is a list of policy modules shipped with FreeBSD
-      5.0.</para>
-    <sect2 id="mac-policy-biba">
-      <title>Biba Integrity Policy (mac_biba)</title>
-      <indexterm>
-	<primary>Biba Integrity Policy</primary>
-      </indexterm>
-      <para>Vendor: TrustedBSD Project</para>
-      <para>Module name: mac_biba.ko</para>
-      <para>Kernel option: <literal>MAC_BIBA</literal></para>
-      <indexterm>
-	<primary>TCB</primary>
-      </indexterm>
-      <para>The Biba Integrity Policy (&man.mac.biba.4;) provides
-	for hierarchical and non-hierarchical labeling of all system
-	objects with integrity data, and the strict enforcement of
-	an information flow policy to prevent corruption of high
-	integrity subjects and data by low-integrity subjects.
-	Integrity is enforced by preventing high integrity
-	subjects (generally processes) from reading low integrity
-	objects (often files), and preventing low integrity
-	subjects from writing to high integrity objects.
-	This security policy is frequently used in commercial
-	trusted systems to provide strong protection for the
-	Trusted Code Base (<acronym>TCB</acronym>).  Because it
-	provides ubiquitous labeling, the Biba integrity policy
-	must be compiled into the kernel or loaded at boot.</para>
-    </sect2>
-    <sect2 id="mac-policy-bsdextended">
-      <title>File System Firewall Policy (mac_bsdextended)</title>
-      <indexterm>
-	<primary>File System Firewall Policy</primary>
-      </indexterm>
-      <para>Vendor: TrustedBSD Project</para>
-      <para>Module name: mac_bsdextended.ko</para>
-      <para>Kernel option: <literal>MAC_BSDEXTENDED</literal></para>
-      <para> The File System Firewall Policy (&man.mac.bsdextended.4;)
-	provides an extension to the BSD file system permission model,
-	permitting the administrator to define a set of firewall-like
-	rules for limiting access to file system objects owned by
-	other users and groups.  Managed using &man.ugidfw.8;, rules
-	may limit access to files and directories based on the uid
-	and gids of the process attempting the access, and the owner
-	and group of the target of the access attempt.  All rules
-	are restrictive, so they may be placed in any order.  This policy
-	requires no prior configuration or labeling, and may be
-	appropriate in multi-user environments where mandatory limits
-	on inter-user data exchange are required.  Caution should be
-	exercised in limiting access to files owned by the super-user or
-	other system user ids, as many useful programs and directories
-	are owned by these users.  As with a network firewall,
-	improper application of file system firewall rules may render
-	the system unusable.  New tools to manage the rule set may be
-	easily written using the &man.libugidfw.3; library.</para>
-    </sect2>
-    <sect2 id="mac-policy-ifoff">
-      <title>Interface Silencing Policy (mac_ifoff)</title>
-      <indexterm>
-	<primary>Interface Silencing Policy</primary>
-      </indexterm>
-      <para>Vendor: TrustedBSD Project</para>
-      <para>Module name: mac_ifoff.ko</para>
-      <para>Kernel option: <literal>MAC_IFOFF</literal></para>
-      <para>The interface silencing policy (&man.mac.ifoff.4;)
-	prohibits the use of network interfaces during the boot
-	until explicitly enabled, preventing spurious stack output
-	stack response to incoming packets.  This is appropriate
-	for use in environments where the monitoring of packets
-	is required, but no traffic may be generated.</para>
-    </sect2>
-    <sect2 id="mac-policy-lomac">
-      <title>Low-Watermark Mandatory Access Control (LOMAC)
-	(mac_lomac)</title>
-      <indexterm>
-	<primary>MAC</primary>
-	<secondary>Low-Watermark</secondary>
-      </indexterm>
-      <indexterm>
-	<primary>LOMAC</primary>
-      </indexterm>
-      <para>Vendor: Network Associates Laboratories</para>
-      <para>Module name: mac_lomac.ko</para>
-      <para>Kernel option: <literal>MAC_LOMAC</literal></para>
-      <para>Similar to the Biba Integrity Policy, the LOMAC
-	policy (&man.mac.lomac.4;) relies on the ubiquitous
-	labeling of all system objects with integrity labels.
-	Unlike Biba, LOMAC permits high integrity subjects to
-	read from low integrity objects, but then downgrades the
-	label on the subject to prevent future writes to high
-	integrity objects.  This policy may provide for greater
-	compatibility, as well as require less initial
-	configuration than Biba.  However, as with Biba, it
-	ubiquitously labels objects and must therefore be
-	compiled into the kernel or loaded at boot.</para>
-    </sect2>
-
-    <sect2 id="mac-policy-mls">
-      <title>Multi-Level Security Policy (MLS) (mac_mls)</title>
-      <indexterm>
-	<primary>Multi-Level Security Policy</primary>
-      </indexterm>
-      <indexterm>
-	<primary>MAC</primary>
-	<secondary>Multi-Level</secondary>
-      </indexterm>
-
-      <para>Vendor: TrustedBSD Project</para>
-      <para>Module name: mac_mls.ko</para>
-      <para>Kernel option: <literal>MAC_MLS</literal></para>
-      <para>Multi-Level Security (<acronym>MLS</acronym>)
-        (&man.mac.mls.4;) provides for hierarchical and non-hierarchical
-        labeling of all system objects with sensitivity data, and the
-        strict enforcement of an information flow policy to prevent
-        the leakage of confidential data to untrusted parties.  The
-        logical conjugate of the Biba Integrity Policy,
-        <acronym>MLS</acronym> is frequently shipped in commercial
-        trusted operating systems to protect data secrecy in
-        multi-user environments.  Hierarchal labels provide support
-        for the notion of clearances and classifications in
-        traditional parlance; non-hierarchical labels provide support
-        for <quote>need-to-know.</quote>  As with Biba, ubiquitous
-        labeling of objects occurs, and it must therefore be compiled
-        into the kernel or loaded at boot.  As with Biba, extensive
-        initial configuration may be required.</para>
-    </sect2>
-    <sect2 id="mac-policy-none">
-      <title>MAC Stub Policy (mac_none)</title>
-      <indexterm>
-	<primary>MAC Stub Policy</primary>
-      </indexterm>
-      <para>Vendor: TrustedBSD Project</para>
-      <para>Module name: mac_none.ko</para>
-      <para>Kernel option: <literal>MAC_NONE</literal></para>
-      <para>The None policy (&man.mac.none.4;) provides a stub
-	sample policy for developers, implementing all entry
-	points, but not changing the system access control
-	policy.  Running this on a production system would
-	not be highly beneficial.</para>
-    </sect2>
-    <sect2 id="mac-policy-partition">
-      <title>Process Partition Policy (mac_partition)</title>
-      <indexterm>
-	<primary>Process Partition Policy</primary>
-      </indexterm>
-      <para>Vendor: TrustedBSD Project</para>
-      <para>Module name: mac_partition.ko</para>
-      <para>Kernel option: <literal>MAC_PARTITION</literal></para>
-      <para>The Partition policy (&man.mac.partition.4;) provides for a
-	simple process visibility limitation, assigning labels to
-	processes identifying what numeric system partition they
-	are present in.  If none, all other processes are visible
-	using standard monitoring tools; if a partition identifier
-	is present, then only other processes in the same
-	partition are visible.  This policy may be compiled into
-	the kernel, loaded at boot, or loaded at run-time.</para>
-    </sect2>
-    <sect2 id="mac-policy-seeotheruids">
-      <title>See Other Uids Policy (mac_seeotheruids)</title>
-      <indexterm>
-	<primary>See Other Uids Policy</primary>
-      </indexterm>
-      <para>Vendor: TrustedBSD Project</para>
-      <para>Module name: mac_seeotheruids.ko</para>
-      <para>Kernel option: <literal>MAC_SEEOTHERUIDS</literal></para>
-      <para>The See Other Uids policy (&man.mac.seeotheruids.4;)
-        implements a similar process visibility model to
-        mac_partition, except that it relies on process credentials to
-        control visibility of processes, rather than partition labels.
-        This policy may be configured to exempt certain users and
-        groups, including permitting system operators to view all
-        processes without special privilege.  This policy may be
-        compiled into the kernel, loaded at boot, or loaded at
-        run-time.</para>
-    </sect2>
-    <sect2 id="mac-policy-test">
-      <title>MAC Framework Test Policy (mac_test)</title>
-      <indexterm>
-	<primary>MAC Framework Test Policy</primary>
-      </indexterm>
-      <para>Vendor: TrustedBSD Project</para>
-      <para>Module name: mac_test.ko</para>
-      <para>Kernel option: <literal>MAC_TEST</literal></para>
-      <para>The Test policy (&man.mac.test.4;) provides a regression
-        test environment for the MAC Framework, and will cause a
-        fail-stop in the event that internal MAC Framework assertions
-        about proper data labeling fail.  This module can be used to
-        detect failures to properly label system objects in the kernel
-        implementation.  This policy may be compiled into the kernel,
-        loaded at boot, or loaded at run-time.</para>
-    </sect2>
-
-  </sect1>
--->
 
   <sect1 xml:id="fs-acl">
     <info><title>¥Õ¥¡¥¤¥ë¥·¥¹¥Æ¥à¥¢¥¯¥»¥¹À©¸æ¥ê¥¹¥È</title>

