svn commit: r314036 - head/usr.sbin/bsdinstall/scripts
Eric Badger
badger at FreeBSD.org
Tue Feb 21 14:34:39 UTC 2017
On 02/21/2017 03:37 AM, Bartek Rutkowski wrote:
> Author: robak (ports committer)
> Date: Tue Feb 21 09:37:33 2017
> New Revision: 314036
> URL: https://svnweb.freebsd.org/changeset/base/314036
>
> Log:
> Enable bsdinstall hardening options by default.
>
> As discussed previously, in order to introduce new OS hardening
> defaults, we've added them to bsdinstall in 'off by default' mode.
> It has been there for a while, so the next step is to change them
> to 'on by defaul' mode, so that in future we could simply enable
> them in base OS.
>
> Reviewed by: brd
> Approved by: adrian
> Differential Revision: https://reviews.freebsd.org/D9641
>
> Modified:
> head/usr.sbin/bsdinstall/scripts/hardening
>
> Modified: head/usr.sbin/bsdinstall/scripts/hardening
> ==============================================================================
> --- head/usr.sbin/bsdinstall/scripts/hardening Tue Feb 21 09:33:21 2017 (r314035)
> +++ head/usr.sbin/bsdinstall/scripts/hardening Tue Feb 21 09:37:33 2017 (r314036)
> @@ -36,15 +36,15 @@ FEATURES=$( dialog --backtitle "FreeBSD
> --title "System Hardening" --nocancel --separate-output \
> --checklist "Choose system security hardening options:" \
> 0 0 0 \
> - "0 hide_uids" "Hide processes running as other users" ${hide_uids:-off} \
> - "1 hide_gids" "Hide processes running as other groups" ${hide_gids:-off} \
> - "2 read_msgbuf" "Disable reading kernel message buffer for unprivileged users" ${read_msgbuf:-off} \
> - "3 proc_debug" "Disable process debugging facilities for unprivileged users" ${proc_debug:-off} \
> - "4 random_pid" "Randomize the PID of newly created processes" ${random_pid:-off} \
> - "5 stack_guard" "Insert stack guard page ahead of the growable segments" ${stack_guard:-off} \
> - "6 clear_tmp" "Clean the /tmp filesystem on system startup" ${clear_tmp:-off} \
> - "7 disable_syslogd" "Disable opening Syslogd network socket (disables remote logging)" ${disable_syslogd:-off} \
> - "8 disable_sendmail" "Disable Sendmail service" ${disable_sendmail:-off} \
> + "0 hide_uids" "Hide processes running as other users" ${hide_uids:-on} \
> + "1 hide_gids" "Hide processes running as other groups" ${hide_gids:-on} \
> + "2 read_msgbuf" "Disable reading kernel message buffer for unprivileged users" ${read_msgbuf:-on} \
> + "3 proc_debug" "Disable process debugging facilities for unprivileged users" ${proc_debug:-on} \
> + "4 random_pid" "Randomize the PID of newly created processes" ${random_pid:-on} \
> + "5 stack_guard" "Insert stack guard page ahead of the growable segments" ${stack_guard:-on} \
> + "6 clear_tmp" "Clean the /tmp filesystem on system startup" ${clear_tmp:-on} \
> + "7 disable_syslogd" "Disable opening Syslogd network socket (disables remote logging)" ${disable_syslogd:-on} \
> + "8 disable_sendmail" "Disable Sendmail service" ${disable_sendmail:-on} \
> 2>&1 1>&3 )
> exec 3>&-
>
>
Hi Bartek,
Thanks for working on making it easier to harden FreeBSD. While
defaulting some of these options to "on" seem pretty harmless (e.g.
random_pid), others are likely to cause confusion for new and
experienced users alike (e.g. proc_debug. I've never used that option
before, so I gave it a try. It simply causes gdb to hang when attempting
to start a process, with no obvious indication of why). I think more
discussion is merited before they are turned on by default; personally I
think they have potential to sour a first impression of FreeBSD by
making things people are used to doing on other OSes hard.
Eric
More information about the svn-src-head
mailing list