svn commit: r320674 - head/usr.sbin/bsdinstall/scripts

[Bartek Rutkowski]

Author: robak (ports committer)
Date: Wed Jul  5 13:37:27 2017
New Revision: 320674
URL: https://svnweb.freebsd.org/changeset/base/320674

Log:
  Add option to bsdinstall to disable insecure console, update stack guard option
  
  This patch adds new bsdinstall option to hardening section that allows users
  to change this behaviour to secure one and updates stack guard option so it
  would set the value of relevant sysctl to 512 (2MB)
  
  Submitted by:	Bartek Rutkowski
  Reviewed by:	adrian, bapt, emaste
  Approved by:	bapt, emaste
  MFC after:	1 day
  Sponsored by:	Pixeware LTD
  Differential Revision:	https://reviews.freebsd.org/D9700

Modified:
  head/usr.sbin/bsdinstall/scripts/config
  head/usr.sbin/bsdinstall/scripts/hardening

Modified: head/usr.sbin/bsdinstall/scripts/config
==============================================================================
--- head/usr.sbin/bsdinstall/scripts/config	Wed Jul  5 13:13:38 2017	(r320673)
+++ head/usr.sbin/bsdinstall/scripts/config	Wed Jul  5 13:37:27 2017	(r320674)
@@ -35,6 +35,11 @@ rm $BSDINSTALL_TMPETC/rc.conf.*
 cat $BSDINSTALL_CHROOT/etc/sysctl.conf $BSDINSTALL_TMPETC/sysctl.conf.* >> $BSDINSTALL_TMPETC/sysctl.conf
 rm $BSDINSTALL_TMPETC/sysctl.conf.*
 
+if [ -f $BSDINSTALL_TMPTEC/ttys.hardening ]; then
+	cat $BSDINSTALL_TMPTEC/ttys.hardening > $BSDINSTALL_TMPTEC/ttys
+	rm $BSDINSTALL_TMPTEC/ttys.hardening
+fi
+
 cp $BSDINSTALL_TMPETC/* $BSDINSTALL_CHROOT/etc
 
 cat $BSDINSTALL_TMPBOOT/loader.conf.* >> $BSDINSTALL_TMPBOOT/loader.conf

Modified: head/usr.sbin/bsdinstall/scripts/hardening
==============================================================================
--- head/usr.sbin/bsdinstall/scripts/hardening	Wed Jul  5 13:13:38 2017	(r320673)
+++ head/usr.sbin/bsdinstall/scripts/hardening	Wed Jul  5 13:37:27 2017	(r320674)
@@ -42,10 +42,11 @@ FEATURES=$( dialog --backtitle "FreeBSD Installer" \
 	"3 read_msgbuf" "Disable reading kernel message buffer for unprivileged users" ${read_msgbuf:-off} \
 	"4 proc_debug" "Disable process debugging facilities for unprivileged users" ${proc_debug:-off} \
 	"5 random_pid" "Randomize the PID of newly created processes" ${random_pid:-off} \
-	"6 stack_guard" "Insert stack guard page ahead of the growable segments" ${stack_guard:-off} \
+	"6 stack_guard" "Set stack guard buffer size to 2MB" ${stack_guard:-off} \
 	"7 clear_tmp" "Clean the /tmp filesystem on system startup" ${clear_tmp:-off} \
 	"8 disable_syslogd" "Disable opening Syslogd network socket (disables remote logging)" ${disable_syslogd:-off} \
 	"9 disable_sendmail" "Disable Sendmail service" ${disable_sendmail:-off} \
+	"9 secure_console" "Enable console password prompt" ${secure_console:-off} \
 2>&1 1>&3 )
 exec 3>&-
 
@@ -69,7 +70,7 @@ for feature in $FEATURES; do
 		echo kern.randompid=$(jot -r 1 9999) >> $BSDINSTALL_TMPETC/sysctl.conf.hardening
 	fi
 	if [ "$feature" = "stack_guard" ]; then
-		echo security.bsd.stack_guard_page=1 >> $BSDINSTALL_TMPETC/sysctl.conf.hardening
+		echo security.bsd.stack_guard_page=512 >> $BSDINSTALL_TMPETC/sysctl.conf.hardening
 	fi
 	if [ "$feature" = "clear_tmp" ]; then
 		echo 'clear_tmp_enable="YES"' >> $BSDINSTALL_TMPETC/rc.conf.hardening
@@ -79,6 +80,9 @@ for feature in $FEATURES; do
 	fi
 	if [ "$feature" = "disable_sendmail" ]; then
 		echo 'sendmail_enable="NONE"' >> $BSDINSTALL_TMPETC/rc.conf.hardening
+	fi
+	if [ "$feature" = "secure_console" ]; then
+		sed "s/unknown	off secure/unknown	off insecure/g" $BSDINSTALL_CHROOT/etc/ttys > $BSDINSTALL_TMPETC/ttys.hardening
 	fi
 done