svn commit: r53958 - in head: en_US.ISO8859-1/books/handbook en_US.ISO8859-1/books/handbook/bsdinstall share/images/books/handbook/bsdinstall

Sergio Carlavilla Delgado carlavilla at FreeBSD.org
Sun Mar 8 10:39:32 UTC 2020 

Author: carlavilla
Date: Sun Mar  8 10:39:30 2020
New Revision: 53958
URL: https://svnweb.freebsd.org/changeset/doc/53958

Log:
  Add the hardening section to the handbook
  
  Submitted by:	carlavilla@
  Approved by:	bcr@
  Differential Revision:	https://reviews.freebsd.org/D23996

Added:
  head/share/images/books/handbook/bsdinstall/bsdinstall-hardening.png   (contents, props changed)
Modified:
  head/en_US.ISO8859-1/books/handbook/Makefile
  head/en_US.ISO8859-1/books/handbook/bsdinstall/chapter.xml
  head/share/images/books/handbook/bsdinstall/bsdinstall-finalconfiguration.png

Modified: head/en_US.ISO8859-1/books/handbook/Makefile
==============================================================================
--- head/en_US.ISO8859-1/books/handbook/Makefile	Sat Mar  7 20:37:19 2020	(r53957)
+++ head/en_US.ISO8859-1/books/handbook/Makefile	Sun Mar  8 10:39:30 2020	(r53958)
@@ -64,6 +64,7 @@ IMAGES_EN+= bsdinstall/bsdinstall-distfile-verifying.p
 IMAGES_EN+= bsdinstall/bsdinstall-final-confirmation.png
 IMAGES_EN+= bsdinstall/bsdinstall-finalconfiguration.png
 IMAGES_EN+= bsdinstall/bsdinstall-final-modification-shell.png
+IMAGES_EN+= bsdinstall/bsdinstall-hardening.png
 IMAGES_EN+= bsdinstall/bsdinstall-keymap-10.png
 IMAGES_EN+= bsdinstall/bsdinstall-keymap-loading.png
 IMAGES_EN+= bsdinstall/bsdinstall-keymap-select-default.png

Modified: head/en_US.ISO8859-1/books/handbook/bsdinstall/chapter.xml
==============================================================================
--- head/en_US.ISO8859-1/books/handbook/bsdinstall/chapter.xml	Sat Mar  7 20:37:19 2020	(r53957)
+++ head/en_US.ISO8859-1/books/handbook/bsdinstall/chapter.xml	Sun Mar  8 10:39:30 2020	(r53958)
@@ -939,7 +939,7 @@ Ethernet address 0:3:ba:b:92:d4, Host ID: 830b92d4.</s
 	</mediaobject>
       </figure>
 
-      <para>After the keymaps have been loaded <application>bsdinstall</application> displays the
+      <para>After the keymaps have been loaded bsdinstall displays the
 	menu shown in <xref linkend="bsdinstall-keymap-10"/>.  Use the
 	up and down arrows to select the keymap that most closely
 	represents the mapping of the keyboard attached to the system.
@@ -2308,7 +2308,7 @@ Ethernet address 0:3:ba:b:92:d4, Host ID: 830b92d4.</s
 	  <para><literal>ntpdate</literal> - Enable the automatic
 	    clock synchronization at boot time.  The functionality of
 	    this program is now available in the ntpd daemon.  After a
-	    suitable period of mourning, the &man.ntpd.8; utility will
+	    suitable period of mourning, the &man.ntpdate.8; utility will
 	    be retired.</para>
 	</listitem>
 
@@ -2332,7 +2332,113 @@ Ethernet address 0:3:ba:b:92:d4, Host ID: 830b92d4.</s
 	</listitem>
 	</itemizedlist>
     </sect2>
+    
+    <sect2 xml:id="bsdinstall-hardening">
+      <title>Enabling Hardening Security Options</title>
 
+      <para>The next menu is used to configure which security
+	options will be enabled.  All of these options are optional.
+	But their use is encouraged.</para>
+
+      <figure xml:id="bsdinstall-hardening-options">
+	<title>Selecting Hardening Security Options</title>
+
+	<mediaobject>
+	  <imageobject>
+	    <imagedata fileref="bsdinstall/bsdinstall-hardening"/>
+	  </imageobject>
+	</mediaobject>
+      </figure>
+
+      <para>Here is a summary of the options which can be enabled in
+	this menu:</para>
+
+      <itemizedlist>
+	<listitem>
+	  <para><literal>hide_uids</literal> - Hide processes running
+	    as other users to prevent the unprivileged users to see
+	    other running processes in execution by other users (UID)
+	    preventing information leakage.</para>
+	</listitem>
+
+	<listitem>
+	  <para><literal>hide_gids</literal> - Hide processes running
+	    as other groups to prevent the unprivileged users to see
+	    other running processes in execution by other groups (GID)
+	    preventing information leakage.</para>
+	</listitem>
+
+	<listitem>
+	  <para><literal>hide_jail</literal> - Hide processes running
+	    in jails to prevent the unprivileged users to see
+	    processes running inside the jails.</para>
+	</listitem>
+
+	<listitem>
+	  <para><literal>read_msgbuf</literal> - Disabling reading
+	    kernel message buffer for unprivileged users prevent from
+	    using &man.dmesg.8; to view messages from the kernel's log
+	    buffer.</para>
+	</listitem>
+
+	<listitem>
+	  <para><literal>proc_debug</literal> - Disabling process
+	    debugging facilities for unprivileged users disables
+	    a variety of unprivileged inter-process debugging
+	    services, including some procfs functionality, ptrace(),
+	    and ktrace().  Please note that this will also prevent
+	    debugging tools, for instance &man.lldb.1;, &man.truss.1;,
+	    &man.procstat.1;, as well as some built-in debugging
+	    facilities in certain scripting language like PHP, etc.,
+	    from working for unprivileged users.</para>
+	</listitem>
+
+	<listitem>
+	  <para><literal>random_pid</literal> - Randomize the PID of
+	    newly created processes.</para>
+	</listitem>
+
+	<listitem>
+	  <para><literal>clear_tmp</literal> - Clean
+	    <filename>/tmp</filename> when the system starts
+	    up.</para>
+	</listitem>
+
+	<listitem>
+	  <para><literal>disable_syslogd</literal> - Disable opening
+	    <application>syslogd</application> network socket.  By
+	    default &os; runs <application>syslogd</application> in a
+	    secure way with <command>-s</command>.  That prevents the
+	    daemon from listening for incoming UDP requests
+	    at port 514.  With this option enabled
+	    <application>syslogd</application> will run with the flag
+	    <command>-ss</command> which prevents
+	    <application>syslogd</application> from opening any port.
+	    To get more information consult &man.syslogd.8;.</para>
+	</listitem>
+
+	<listitem>
+	  <para><literal>disable_sendmail</literal> - Disable the
+	    sendmail mail transport agent.</para>
+	</listitem>
+
+	<listitem>
+	  <para><literal>secure_console</literal> - When this option
+	    is enabled, the prompt requests the root password when 
+	    entering single.</para>
+	</listitem>
+
+	<listitem>
+	  <para><literal>disable_ddtrace</literal> - &dtrace; can run
+	    in a mode that will actually affect the running kernel.
+	    Destructive actions may not be used unless they have
+	    been explicitly enabled.  To enable this option when using
+	    &dtrace; use <command>-w</command>.  To get more
+	    information consult &man.dtrace.1;.</para>
+	</listitem>
+      </itemizedlist>
+    </sect2>
+
     <sect2 xml:id="bsdinstall-addusers">
       <title>Add Users</title>
 
@@ -2536,6 +2642,11 @@ Ethernet address 0:3:ba:b:92:d4, Host ID: 830b92d4.</s
 	<listitem>
 	  <para><literal>Services</literal> - Described in <xref
 	      linkend="bsdinstall-sysconf"/>.</para>
+	</listitem>
+
+	<listitem>
+	  <para><literal>System Hardening</literal> - Described in
+	      <xref linkend="bsdinstall-hardening"/>.</para>
 	</listitem>
 
 	<listitem>

Modified: head/share/images/books/handbook/bsdinstall/bsdinstall-finalconfiguration.png
==============================================================================
Binary file (source and/or target). No diff available.

Added: head/share/images/books/handbook/bsdinstall/bsdinstall-hardening.png
==============================================================================
Binary file. No diff available.

More information about the svn-doc-all mailing list