svn commit: r320473 - head/usr.sbin/bsdinstall/scripts
Steve Wills
swills at FreeBSD.org
Thu Jun 29 16:39:56 UTC 2017
Author: swills (ports committer)
Date: Thu Jun 29 16:39:55 2017
New Revision: 320473
URL: https://svnweb.freebsd.org/changeset/base/320473
Log:
Add hardening menu item for security.bsd.see_jail_proc
Approved by: allanjude
Differential Revision: https://reviews.freebsd.org/D11283
Modified:
head/usr.sbin/bsdinstall/scripts/hardening
Modified: head/usr.sbin/bsdinstall/scripts/hardening
==============================================================================
--- head/usr.sbin/bsdinstall/scripts/hardening Thu Jun 29 14:44:17 2017 (r320472)
+++ head/usr.sbin/bsdinstall/scripts/hardening Thu Jun 29 16:39:55 2017 (r320473)
@@ -38,13 +38,14 @@ FEATURES=$( dialog --backtitle "FreeBSD Installer" \
0 0 0 \
"0 hide_uids" "Hide processes running as other users" ${hide_uids:-off} \
"1 hide_gids" "Hide processes running as other groups" ${hide_gids:-off} \
- "2 read_msgbuf" "Disable reading kernel message buffer for unprivileged users" ${read_msgbuf:-off} \
- "3 proc_debug" "Disable process debugging facilities for unprivileged users" ${proc_debug:-off} \
- "4 random_pid" "Randomize the PID of newly created processes" ${random_pid:-off} \
- "5 stack_guard" "Insert stack guard page ahead of the growable segments" ${stack_guard:-off} \
- "6 clear_tmp" "Clean the /tmp filesystem on system startup" ${clear_tmp:-off} \
- "7 disable_syslogd" "Disable opening Syslogd network socket (disables remote logging)" ${disable_syslogd:-off} \
- "8 disable_sendmail" "Disable Sendmail service" ${disable_sendmail:-off} \
+ "2 hide_jail" "Hide processes running in jails" ${hide_jail:-off} \
+ "3 read_msgbuf" "Disable reading kernel message buffer for unprivileged users" ${read_msgbuf:-off} \
+ "4 proc_debug" "Disable process debugging facilities for unprivileged users" ${proc_debug:-off} \
+ "5 random_pid" "Randomize the PID of newly created processes" ${random_pid:-off} \
+ "6 stack_guard" "Insert stack guard page ahead of the growable segments" ${stack_guard:-off} \
+ "7 clear_tmp" "Clean the /tmp filesystem on system startup" ${clear_tmp:-off} \
+ "8 disable_syslogd" "Disable opening Syslogd network socket (disables remote logging)" ${disable_syslogd:-off} \
+ "9 disable_sendmail" "Disable Sendmail service" ${disable_sendmail:-off} \
2>&1 1>&3 )
exec 3>&-
@@ -54,6 +55,9 @@ for feature in $FEATURES; do
fi
if [ "$feature" = "hide_gids" ]; then
echo security.bsd.see_other_gids=0 >> $BSDINSTALL_TMPETC/sysctl.conf.hardening
+ fi
+ if [ "$feature" = "hide_jail" ]; then
+ echo security.bsd.see_jail_proc=0 >> $BSDINSTALL_TMPETC/sysctl.conf.hardening
fi
if [ "$feature" = "read_msgbuf" ]; then
echo security.bsd.unprivileged_read_msgbuf=0 >> $BSDINSTALL_TMPETC/sysctl.conf.hardening
More information about the svn-src-head
mailing list