svn commit: r314036 - head/usr.sbin/bsdinstall/scripts

Eric Badger badger at FreeBSD.org
Tue Feb 21 14:34:39 UTC 2017


On 02/21/2017 03:37 AM, Bartek Rutkowski wrote:
> Author: robak (ports committer)
> Date: Tue Feb 21 09:37:33 2017
> New Revision: 314036
> URL: https://svnweb.freebsd.org/changeset/base/314036
>
> Log:
>   Enable bsdinstall hardening options by default.
>
>   As discussed previously, in order to introduce new OS hardening
>   defaults, we've added them to bsdinstall in 'off by default' mode.
>   It has been there for a while, so the next step is to change them
>   to 'on by default' mode, so that in future we could simply enable
>   them in base OS.
>
>   Reviewed by:	brd
>   Approved by:	adrian
>   Differential Revision:	https://reviews.freebsd.org/D9641
>
> Modified:
>   head/usr.sbin/bsdinstall/scripts/hardening
>
> Modified: head/usr.sbin/bsdinstall/scripts/hardening
> ==============================================================================
> --- head/usr.sbin/bsdinstall/scripts/hardening	Tue Feb 21 09:33:21 2017	(r314035)
> +++ head/usr.sbin/bsdinstall/scripts/hardening	Tue Feb 21 09:37:33 2017	(r314036)
> @@ -36,15 +36,15 @@ FEATURES=$( dialog --backtitle "FreeBSD
>      --title "System Hardening" --nocancel --separate-output \
>      --checklist "Choose system security hardening options:" \
>      0 0 0 \
> -	"0 hide_uids" "Hide processes running as other users" ${hide_uids:-off} \
> -	"1 hide_gids" "Hide processes running as other groups" ${hide_gids:-off} \
> -	"2 read_msgbuf" "Disable reading kernel message buffer for unprivileged users" ${read_msgbuf:-off} \
> -	"3 proc_debug" "Disable process debugging facilities for unprivileged users" ${proc_debug:-off} \
> -	"4 random_pid" "Randomize the PID of newly created processes" ${random_pid:-off} \
> -	"5 stack_guard" "Insert stack guard page ahead of the growable segments" ${stack_guard:-off} \
> -	"6 clear_tmp" "Clean the /tmp filesystem on system startup" ${clear_tmp:-off} \
> -	"7 disable_syslogd" "Disable opening Syslogd network socket (disables remote logging)" ${disable_syslogd:-off} \
> -	"8 disable_sendmail" "Disable Sendmail service" ${disable_sendmail:-off} \
> +	"0 hide_uids" "Hide processes running as other users" ${hide_uids:-on} \
> +	"1 hide_gids" "Hide processes running as other groups" ${hide_gids:-on} \
> +	"2 read_msgbuf" "Disable reading kernel message buffer for unprivileged users" ${read_msgbuf:-on} \
> +	"3 proc_debug" "Disable process debugging facilities for unprivileged users" ${proc_debug:-on} \
> +	"4 random_pid" "Randomize the PID of newly created processes" ${random_pid:-on} \
> +	"5 stack_guard" "Insert stack guard page ahead of the growable segments" ${stack_guard:-on} \
> +	"6 clear_tmp" "Clean the /tmp filesystem on system startup" ${clear_tmp:-on} \
> +	"7 disable_syslogd" "Disable opening Syslogd network socket (disables remote logging)" ${disable_syslogd:-on} \
> +	"8 disable_sendmail" "Disable Sendmail service" ${disable_sendmail:-on} \
>  2>&1 1>&3 )
>  exec 3>&-
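Review bot: this hunk flips all nine checklist defaults from `off` to `on` in one go, but the item descriptions show that items 3, 7 and 8 change user-visible behaviour rather than only kernel policy: "Disable process debugging facilities for unprivileged users", "Disable opening Syslogd network socket (disables remote logging)" and "Disable Sendmail service". Consider leaving those three at `${proc_debug:-off}`, `${disable_syslogd:-off}` and `${disable_sendmail:-off}` or landing them as a separate change, and have the log message state the expected impact of each option instead of pointing at "as discussed previously".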
>
>

Hi Bartek,

Thanks for working on making it easier to harden FreeBSD. While 
defaulting some of these options to "on" seems pretty harmless (e.g. 
random_pid), others are likely to cause confusion for new and 
experienced users alike (e.g. proc_debug. I've never used that option 
before, so I gave it a try. It simply causes gdb to hang when attempting 
to start a process, with no obvious indication of why). I think more 
discussion is merited before they are turned on by default; personally I 
think they have potential to sour a first impression of FreeBSD by 
making things people are used to doing on other OSes hard.

Eric
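As an added example (not part of this thread and not bsdinstall's own code), the following POSIX sh script audits which of the nine hardening checklist items are in effect on an installed system by reading the settings the installer writes to /etc/sysctl.conf and /etc/rc.conf, and flags the items whose descriptions in the diff imply a user-visible side effect (process debugging, remote logging, sendmail). The sysctl and rc.conf knob names are an assumption about what the hardening script maps each item to; they do not appear in the commit mail, so verify them against the hardening script on your release. The sample file contents are constructed.

```shell
#!/bin/sh
# Audit bsdinstall hardening options from sysctl.conf / rc.conf contents.
# ASSUMPTION: the knob names below are what the hardening script writes for
# each checklist item; they are not shown in the commit mail.

# Constructed sample files: a system where everything except clear_tmp
# and disable_sendmail was ticked.
SAMPLE_SYSCTL_CONF='security.bsd.see_other_uids=0
security.bsd.see_other_gids=0
security.bsd.unprivileged_read_msgbuf=0
security.bsd.unprivileged_proc_debug=0
kern.randompid=1
security.bsd.stack_guard_page=1'

SAMPLE_RC_CONF='hostname="example"
syslogd_flags="-ss"
sendmail_enable="YES"'

# knob_state CONTENT KEY ON_VALUE
# Prints "on" when the last assignment of KEY in CONTENT equals ON_VALUE
# (surrounding double quotes stripped), otherwise "off".
knob_state() {
    _val=$(printf '%s\n' "$1" \
        | sed -n "s/^[[:space:]]*$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}[[:space:]]*\$/\1/p" \
        | tail -n 1)
    [ "$_val" = "$3" ] && echo on || echo off
}

# hardening_report SYSCTL_CONTENT RC_CONTENT
# One line per checklist item: "<item> <on|off> [<side-effect note>]".
# The notes restate the impact named in the item descriptions of the diff.
hardening_report() {
    _s=$1; _r=$2
    printf 'hide_uids %s\n'   "$(knob_state "$_s" security.bsd.see_other_uids 0)"
    printf 'hide_gids %s\n'   "$(knob_state "$_s" security.bsd.see_other_gids 0)"
    printf 'read_msgbuf %s\n' "$(knob_state "$_s" security.bsd.unprivileged_read_msgbuf 0)"
    printf 'proc_debug %s unprivileged-debugging-disabled\n' \
        "$(knob_state "$_s" security.bsd.unprivileged_proc_debug 0)"
    printf 'random_pid %s\n'  "$(knob_state "$_s" kern.randompid 1)"
    printf 'stack_guard %s\n' "$(knob_state "$_s" security.bsd.stack_guard_page 1)"
    printf 'clear_tmp %s\n'   "$(knob_state "$_r" clear_tmp_enable YES)"
    printf 'disable_syslogd %s remote-logging-disabled\n' \
        "$(knob_state "$_r" syslogd_flags -ss)"
    printf 'disable_sendmail %s sendmail-service-disabled\n' \
        "$(knob_state "$_r" sendmail_enable NONE)"
}

# count_on SYSCTL_CONTENT RC_CONTENT -> number of items reported "on"
count_on() {
    hardening_report "$1" "$2" | awk '$2 == "on"' | wc -l | tr -d ' '
}

# impactful_on SYSCTL_CONTENT RC_CONTENT -> names of "on" items that carry
# a side-effect note, so an administrator can review those first.
impactful_on() {
    hardening_report "$1" "$2" | awk 'NF == 3 && $2 == "on" { print $1 }'
}

# Stand-alone run against the constructed sample.
hardening_report "$SAMPLE_SYSCTL_CONF" "$SAMPLE_RC_CONF"
echo "enabled: $(count_on "$SAMPLE_SYSCTL_CONF" "$SAMPLE_RC_CONF") of 9"
echo "review first: $(impactful_on "$SAMPLE_SYSCTL_CONF" "$SAMPLE_RC_CONF" | tr '\n' ' ')"
```

On a real system, call `hardening_report "$(cat /etc/sysctl.conf)" "$(cat /etc/rc.conf)"` instead of the sample strings; the report only reflects the persisted configuration, so a knob changed at runtime with sysctl(8) but not written to the file will not show up.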