svn commit: r314036 - head/usr.sbin/bsdinstall/scripts

Bartek Rutkowski robak at FreeBSD.org
Tue Feb 21 09:37:35 UTC 2017 

Author: robak (ports committer)
Date: Tue Feb 21 09:37:33 2017
New Revision: 314036
URL: https://svnweb.freebsd.org/changeset/base/314036

Log:
  Enable bsdinstall hardening options by default.
  
  As discussed previously, in order to introduce new OS hardening
  defaults, we've added them to bsdinstall in 'off by default' mode.
  It has been there for a while, so the next step is to change them
  to 'on by defaul' mode, so that in future we could simply enable
  them in base OS.
  
  Reviewed by:	brd
  Approved by:	adrian
  Differential Revision:	https://reviews.freebsd.org/D9641

Modified:
  head/usr.sbin/bsdinstall/scripts/hardening

Modified: head/usr.sbin/bsdinstall/scripts/hardening
==============================================================================
--- head/usr.sbin/bsdinstall/scripts/hardening	Tue Feb 21 09:33:21 2017	(r314035)
+++ head/usr.sbin/bsdinstall/scripts/hardening	Tue Feb 21 09:37:33 2017	(r314036)
@@ -36,15 +36,15 @@ FEATURES=$( dialog --backtitle "FreeBSD 
     --title "System Hardening" --nocancel --separate-output \
     --checklist "Choose system security hardening options:" \
     0 0 0 \
-	"0 hide_uids" "Hide processes running as other users" ${hide_uids:-off} \
-	"1 hide_gids" "Hide processes running as other groups" ${hide_gids:-off} \
-	"2 read_msgbuf" "Disable reading kernel message buffer for unprivileged users" ${read_msgbuf:-off} \
-	"3 proc_debug" "Disable process debugging facilities for unprivileged users" ${proc_debug:-off} \
-	"4 random_pid" "Randomize the PID of newly created processes" ${random_pid:-off} \
-	"5 stack_guard" "Insert stack guard page ahead of the growable segments" ${stack_guard:-off} \
-	"6 clear_tmp" "Clean the /tmp filesystem on system startup" ${clear_tmp:-off} \
-	"7 disable_syslogd" "Disable opening Syslogd network socket (disables remote logging)" ${disable_syslogd:-off} \
-	"8 disable_sendmail" "Disable Sendmail service" ${disable_sendmail:-off} \
+	"0 hide_uids" "Hide processes running as other users" ${hide_uids:-on} \
+	"1 hide_gids" "Hide processes running as other groups" ${hide_gids:-on} \
+	"2 read_msgbuf" "Disable reading kernel message buffer for unprivileged users" ${read_msgbuf:-on} \
+	"3 proc_debug" "Disable process debugging facilities for unprivileged users" ${proc_debug:-on} \
+	"4 random_pid" "Randomize the PID of newly created processes" ${random_pid:-on} \
+	"5 stack_guard" "Insert stack guard page ahead of the growable segments" ${stack_guard:-on} \
+	"6 clear_tmp" "Clean the /tmp filesystem on system startup" ${clear_tmp:-on} \
+	"7 disable_syslogd" "Disable opening Syslogd network socket (disables remote logging)" ${disable_syslogd:-on} \
+	"8 disable_sendmail" "Disable Sendmail service" ${disable_sendmail:-on} \
 2>&1 1>&3 )
 exec 3>&-

More information about the svn-src-head mailing list