On 02/21/2017 03:37 AM, Bartek Rutkowski wrote:
Author: robak (ports committer)
Date: Tue Feb 21 09:37:33 2017
New Revision: 314036
URL: https://svnweb.freebsd.org/changeset/base/314036
Log:
Enable bsdinstall hardening options by default.
As discussed previously, in order to introduce new OS hardening
defaults, we've added them to bsdinstall in 'off by default' mode.
It has been there for a while, so the next step is to change them
to 'on by default' mode, so that in future we could simply enable
them in base OS.
Reviewed by: brd
Approved by: adrian
Differential Revision: https://reviews.freebsd.org/D9641
Modified:
head/usr.sbin/bsdinstall/scripts/hardening
Modified: head/usr.sbin/bsdinstall/scripts/hardening
==============================================================================
--- head/usr.sbin/bsdinstall/scripts/hardening Tue Feb 21 09:33:21 2017
(r314035)
+++ head/usr.sbin/bsdinstall/scripts/hardening Tue Feb 21 09:37:33 2017
(r314036)
@@ -36,15 +36,15 @@ FEATURES=$( dialog --backtitle "FreeBSD
--title "System Hardening" --nocancel --separate-output \
--checklist "Choose system security hardening options:" \
0 0 0 \
- "0 hide_uids" "Hide processes running as other users" ${hide_uids:-off}
\
- "1 hide_gids" "Hide processes running as other groups"
${hide_gids:-off} \
- "2 read_msgbuf" "Disable reading kernel message buffer for unprivileged
users" ${read_msgbuf:-off} \
- "3 proc_debug" "Disable process debugging facilities for unprivileged
users" ${proc_debug:-off} \
- "4 random_pid" "Randomize the PID of newly created processes"
${random_pid:-off} \
- "5 stack_guard" "Insert stack guard page ahead of the growable
segments" ${stack_guard:-off} \
- "6 clear_tmp" "Clean the /tmp filesystem on system startup"
${clear_tmp:-off} \
- "7 disable_syslogd" "Disable opening Syslogd network socket (disables remote
logging)" ${disable_syslogd:-off} \
- "8 disable_sendmail" "Disable Sendmail service"
${disable_sendmail:-off} \
+ "0 hide_uids" "Hide processes running as other users" ${hide_uids:-on} \
+ "1 hide_gids" "Hide processes running as other groups" ${hide_gids:-on}
\
+ "2 read_msgbuf" "Disable reading kernel message buffer for unprivileged
users" ${read_msgbuf:-on} \
+ "3 proc_debug" "Disable process debugging facilities for unprivileged
users" ${proc_debug:-on} \
+ "4 random_pid" "Randomize the PID of newly created processes"
${random_pid:-on} \
+ "5 stack_guard" "Insert stack guard page ahead of the growable
segments" ${stack_guard:-on} \
+ "6 clear_tmp" "Clean the /tmp filesystem on system startup"
${clear_tmp:-on} \
+ "7 disable_syslogd" "Disable opening Syslogd network socket (disables remote
logging)" ${disable_syslogd:-on} \
+ "8 disable_sendmail" "Disable Sendmail service" ${disable_sendmail:-on}
\
2>&1 1>&3 )
exec 3>&-
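Review bot: In the checklist block, flipping all nine fallbacks to on in a single step preselects the entries that change user-visible behavior along with the low-impact ones: `${proc_debug:-on}` disables process debugging facilities for unprivileged users, and `${disable_syslogd:-on}` is described by its own label as disabling remote logging. Since the dialog is invoked with `--nocancel`, accepting the screen as presented now applies every item. Consider leaving those two (and possibly `disable_sendmail`) at `:-off`, or splitting the change so each default can be reviewed on its own, and add a documentation update alongside it, since the hunk carries none. Note that the `${name:-on}` form only supplies the fallback when the variable is unset or empty, so a value set beforehand still wins.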
Hi Bartek,
Thanks for working on making it easier to harden FreeBSD. While
defaulting some of these options to "on" seems pretty harmless (e.g.
random_pid), others are likely to cause confusion for new and
experienced users alike (e.g. proc_debug. I've never used that option
before, so I gave it a try. It simply causes gdb to hang when attempting
to start a process, with no obvious indication of why). I think more
discussion is merited before they are turned on by default; personally I
think they have potential to sour a first impression of FreeBSD by
making things people are used to doing on other OSes hard.
Eric
_______________________________________________
svn-src-head@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-head