svn commit: r320674 - head/usr.sbin/bsdinstall/scripts
Bartek Rutkowski
robak at FreeBSD.org
Wed Jul 5 13:37:28 UTC 2017
Author: robak (ports committer)
Date: Wed Jul 5 13:37:27 2017
New Revision: 320674
URL: https://svnweb.freebsd.org/changeset/base/320674
Log:
Add option to bsdinstall to disable insecure console, update stack guard option
This patch adds a new bsdinstall option to the hardening section that allows users
to change this behaviour to a secure one, and updates the stack guard option so
that it sets the value of the relevant sysctl to 512 (2MB).
Submitted by: Bartek Rutkowski
Reviewed by: adrian, bapt, emaste
Approved by: bapt, emaste
MFC after: 1 day
Sponsored by: Pixeware LTD
Differential Revision: https://reviews.freebsd.org/D9700
Modified:
head/usr.sbin/bsdinstall/scripts/config
head/usr.sbin/bsdinstall/scripts/hardening
Modified: head/usr.sbin/bsdinstall/scripts/config
==============================================================================
--- head/usr.sbin/bsdinstall/scripts/config Wed Jul 5 13:13:38 2017 (r320673)
+++ head/usr.sbin/bsdinstall/scripts/config Wed Jul 5 13:37:27 2017 (r320674)
@@ -35,6 +35,11 @@ rm $BSDINSTALL_TMPETC/rc.conf.*
cat $BSDINSTALL_CHROOT/etc/sysctl.conf $BSDINSTALL_TMPETC/sysctl.conf.* >> $BSDINSTALL_TMPETC/sysctl.conf
rm $BSDINSTALL_TMPETC/sysctl.conf.*
+if [ -f $BSDINSTALL_TMPTEC/ttys.hardening ]; then
+ cat $BSDINSTALL_TMPTEC/ttys.hardening > $BSDINSTALL_TMPTEC/ttys
+ rm $BSDINSTALL_TMPTEC/ttys.hardening
+fi
+
cp $BSDINSTALL_TMPETC/* $BSDINSTALL_CHROOT/etc
cat $BSDINSTALL_TMPBOOT/loader.conf.* >> $BSDINSTALL_TMPBOOT/loader.conf
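Review bot: the three added lines reference `$BSDINSTALL_TMPTEC`, but every other line in this file uses `$BSDINSTALL_TMPETC`; with the misspelled variable unset, the test becomes `[ -f /ttys.hardening ]`, the block never runs, and the `ttys.hardening` file left in `$BSDINSTALL_TMPETC` is copied into `$BSDINSTALL_CHROOT/etc` as a stray file by the following `cp` line, so the new secure_console option is silently a no-op. Suggest `if [ -f "$BSDINSTALL_TMPETC/ttys.hardening" ]; then` followed by `mv "$BSDINSTALL_TMPETC/ttys.hardening" "$BSDINSTALL_TMPETC/ttys"` in place of the `cat` and `rm` pair (quoting the paths, since nothing here guarantees they are space-free).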
Modified: head/usr.sbin/bsdinstall/scripts/hardening
==============================================================================
--- head/usr.sbin/bsdinstall/scripts/hardening Wed Jul 5 13:13:38 2017 (r320673)
+++ head/usr.sbin/bsdinstall/scripts/hardening Wed Jul 5 13:37:27 2017 (r320674)
@@ -42,10 +42,11 @@ FEATURES=$( dialog --backtitle "FreeBSD Installer" \
"3 read_msgbuf" "Disable reading kernel message buffer for unprivileged users" ${read_msgbuf:-off} \
"4 proc_debug" "Disable process debugging facilities for unprivileged users" ${proc_debug:-off} \
"5 random_pid" "Randomize the PID of newly created processes" ${random_pid:-off} \
- "6 stack_guard" "Insert stack guard page ahead of the growable segments" ${stack_guard:-off} \
+ "6 stack_guard" "Set stack guard buffer size to 2MB" ${stack_guard:-off} \
"7 clear_tmp" "Clean the /tmp filesystem on system startup" ${clear_tmp:-off} \
"8 disable_syslogd" "Disable opening Syslogd network socket (disables remote logging)" ${disable_syslogd:-off} \
"9 disable_sendmail" "Disable Sendmail service" ${disable_sendmail:-off} \
+ "9 secure_console" "Enable console password prompt" ${secure_console:-off} \
2>&1 1>&3 )
exec 3>&-
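Review bot: the new checklist entry reuses the tag `9`, which `disable_sendmail` already carries two lines above, so the dialog presents two items numbered 9. The loop below splits `$FEATURES` on whitespace and keys on the feature name, so the duplicate number does not break selection, but the entry should read `"10 secure_console" "Enable console password prompt" ${secure_console:-off} \` to keep the numbering unique and in order.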
@@ -69,7 +70,7 @@ for feature in $FEATURES; do
echo kern.randompid=$(jot -r 1 9999) >> $BSDINSTALL_TMPETC/sysctl.conf.hardening
fi
if [ "$feature" = "stack_guard" ]; then
- echo security.bsd.stack_guard_page=1 >> $BSDINSTALL_TMPETC/sysctl.conf.hardening
+ echo security.bsd.stack_guard_page=512 >> $BSDINSTALL_TMPETC/sysctl.conf.hardening
fi
if [ "$feature" = "clear_tmp" ]; then
echo 'clear_tmp_enable="YES"' >> $BSDINSTALL_TMPETC/rc.conf.hardening
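Review bot: the sysctl written here is `security.bsd.stack_guard_page`, a count of guard pages, and neither this hunk nor the generated `sysctl.conf.hardening` records why 512 was chosen; the log's "512 (2MB)" and the new dialog text "2MB" only hold for 4 KiB pages. Suggest emitting a comment line alongside the value so the installed file is self-explanatory, e.g. `echo '# 512 guard pages (2MB with 4K pages) below each growable stack' >> $BSDINSTALL_TMPETC/sysctl.conf.hardening` before the `echo security.bsd.stack_guard_page=512` line.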
@@ -79,6 +80,9 @@ for feature in $FEATURES; do
fi
if [ "$feature" = "disable_sendmail" ]; then
echo 'sendmail_enable="NONE"' >> $BSDINSTALL_TMPETC/rc.conf.hardening
+ fi
+ if [ "$feature" = "secure_console" ]; then
+ sed "s/unknown off secure/unknown off insecure/g" $BSDINSTALL_CHROOT/etc/ttys > $BSDINSTALL_TMPETC/ttys.hardening
fi
done
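Review bot: the `sed` pattern `unknown off secure` hard-codes single spaces between the `ttys(5)` fields; if the installed `/etc/ttys` separates them with tabs, the substitution matches nothing and the script still writes an unchanged `ttys.hardening`, so the option fails silently with no error. Match whitespace explicitly and restrict the edit to the console entry, e.g. `sed -E '/^console[[:space:]]/s/(unknown[[:space:]]+off[[:space:]]+)secure/\1insecure/' "$BSDINSTALL_CHROOT/etc/ttys" > "$BSDINSTALL_TMPETC/ttys.hardening"`, and consider checking the result (for instance `grep -q insecure`) so a non-match is reported instead of being installed as a no-op.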