svn commit: r314036 - head/usr.sbin/bsdinstall/scripts

[Bryan Drewery]

On 2/22/2017 3:10 PM, Allan Jude wrote:
> On 2017-02-22 15:26, Bryan Drewery wrote:
>> On 2/21/2017 11:07 PM, Joel Dahl wrote:
>>> On Tue, Feb 21, 2017 at 02:40:02PM +0000, Alexey Dokuchaev wrote:
>>>> On Tue, Feb 21, 2017 at 08:34:29AM -0600, Eric Badger wrote:
>>>>> Thanks for working on making it easier to harden FreeBSD. While
>>>>> defaulting some of these options to "on" seem pretty harmless (e.g.
>>>>> random_pid), others are likely to cause confusion for new and
>>>>> experienced users alike (e.g. proc_debug. I've never used that option
>>>>> before, so I gave it a try. It simply causes gdb to hang when attempting
>>>>> to start a process, with no obvious indication of why).
>>>>
>>>> I concur.  In fact, harmless knobs should probably be turned on by default
>>>> in FreeBSD itself (i.e., without any "hardening" help from the installer),
>>>> while more intrusive ones should be opt-in, not opt-out.
>>>
>>> I agree. Can we back this out and discuss it on current@?
>>>
>>
>> I concur.
>> In the original review for adding this I predicted today would come,
>> https://reviews.freebsd.org/D6826.  I still think that it is very
>> under-designed and under-thought out.
>>
>> I personally agree with hardening my system, but I have a number of
>> issues with this approach:
>>
>> 1. It makes *1 installation* method do hardening, while every other
>> installation method, and *upgrade* methods not do hardening.  So someone
>> upgrading from 11.0 to 12.0 won't get hardening, but someone installing
>> from bsdinstall for 12.0 fresh will get it.  There should not be a
>> distinction between our installation/upgrade methods like this.
> 
> I agree with this point, and it was brought up by nwhitehorn in the very
> initial reviews.
> 
> There may be some value in giving these knobs wider testing before
> turning them on, but -current may be a better place to do that.
> 
> Core is soon to announce a more formalized way to discuss and reach
> consensus on these types of changes. robak@ can I ask that you back this
> out for now, and we use that process to determine what the right set of
> knobs to turn on by default is, and which should be up to the user.
> 
>>
>> 2. It ignores that FreeBSD is *generic Operating System* that serves
>> many workflows.  Developers want all of this off, System Administrators
>> want all of it on, and Desktop users may want a compromise of half of it
>> to allow various drivers to work (not pointing at any specific sysctl
>> right now).
>>
>> I think what is really needed is a system profile that lets you pick the
>> workflow you are going to use the system for, and then set some
>> reasonable defaults from there.  We will never all agree on the same
>> defaults because we all are using the systems differently, but we can
>> find some compromise if we make Use Cases, such as a System Profile
>> would entail.
> 
> I think that is a far better approach, but I am not sure what form it
> would take. Maybe we can discuss as a working group at BSDCan or
> EuroBSDCon to hammer out a better system that the wide array of sysctls
> we have.
> 
> Not just for these hardening ones, but even just for sizing things like
> the maximum number of file descriptors, default socket buffer sizes, etc.
> 
> 'Defaults for a web server'
> 'Defaults for a development laptop'
> 'Defaults for a poudriere build box'
> etc.
> 

Yup.  If the base system goes this route then the ports tree might
follow and give different defaults for each profile.  It's hard
technically but agreeing on such an approach and design is the first
step before figuring out the technical hurdles to solve (speaking of
multiple package sets problem).

>>
>> I too would like to see this backed out.
>>
> 
> 


-- 
Regards,
Bryan Drewery

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: OpenPGP digital signature
URL: <http://lists.freebsd.org/pipermail/svn-src-all/attachments/20170222/269ab6ab/attachment.sig>