On Tue, Feb 21, 2017 at 2:40 PM, Alexey Dokuchaev <da...@freebsd.org> wrote:
> On Tue, Feb 21, 2017 at 08:34:29AM -0600, Eric Badger wrote: > > Thanks for working on making it easier to harden FreeBSD. While > > defaulting some of these options to "on" seem pretty harmless (e.g. > > random_pid), others are likely to cause confusion for new and > > experienced users alike (e.g. proc_debug. I've never used that option > > before, so I gave it a try. It simply causes gdb to hang when attempting > > to start a process, with no obvious indication of why). > > I concur. In fact, harmless knobs should probably be turned on by default > in FreeBSD itself (i.e., without any "hardening" help from the installer), > while more intrusive ones should be opt-in, not opt-out. > > ./danfe > I strongly believe we should, by default, ship as secured and hardened as possible in order to improve overall security of new users installations. Power users will and do change the OS as they please, they most likely don't use bsdinstall in first place, so they're not affected in any way. These options have been around forever, used by a lot of users (once they got to know those even exist) and seem to cause no issues. However, despite that, and numerous discussions and mail threads over the years, we've struggled to enable them and, as you can se, we even struggle to present and make them available via installer. That's bad and I aim to change it :) Kind regards, Bartek Rutkowski _______________________________________________ svn-src-head@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/svn-src-head To unsubscribe, send any mail to "svn-src-head-unsubscr...@freebsd.org"
