svn commit: r320473 - head/usr.sbin/bsdinstall/scripts

Steve Wills swills at FreeBSD.org
Thu Jun 29 16:39:56 UTC 2017


Author: swills (ports committer)
Date: Thu Jun 29 16:39:55 2017
New Revision: 320473
URL: https://svnweb.freebsd.org/changeset/base/320473

Log:
  Add hardening menu item for security.bsd.see_jail_proc
  
  Approved by:		allanjude
  Differential Revision:	https://reviews.freebsd.org/D11283

Modified:
  head/usr.sbin/bsdinstall/scripts/hardening

Modified: head/usr.sbin/bsdinstall/scripts/hardening
==============================================================================
--- head/usr.sbin/bsdinstall/scripts/hardening	Thu Jun 29 14:44:17 2017	(r320472)
+++ head/usr.sbin/bsdinstall/scripts/hardening	Thu Jun 29 16:39:55 2017	(r320473)
@@ -38,13 +38,14 @@ FEATURES=$( dialog --backtitle "FreeBSD Installer" \
     0 0 0 \
 	"0 hide_uids" "Hide processes running as other users" ${hide_uids:-off} \
 	"1 hide_gids" "Hide processes running as other groups" ${hide_gids:-off} \
-	"2 read_msgbuf" "Disable reading kernel message buffer for unprivileged users" ${read_msgbuf:-off} \
-	"3 proc_debug" "Disable process debugging facilities for unprivileged users" ${proc_debug:-off} \
-	"4 random_pid" "Randomize the PID of newly created processes" ${random_pid:-off} \
-	"5 stack_guard" "Insert stack guard page ahead of the growable segments" ${stack_guard:-off} \
-	"6 clear_tmp" "Clean the /tmp filesystem on system startup" ${clear_tmp:-off} \
-	"7 disable_syslogd" "Disable opening Syslogd network socket (disables remote logging)" ${disable_syslogd:-off} \
-	"8 disable_sendmail" "Disable Sendmail service" ${disable_sendmail:-off} \
+	"2 hide_jail" "Hide processes running in jails" ${hide_jail:-off} \
+	"3 read_msgbuf" "Disable reading kernel message buffer for unprivileged users" ${read_msgbuf:-off} \
+	"4 proc_debug" "Disable process debugging facilities for unprivileged users" ${proc_debug:-off} \
+	"5 random_pid" "Randomize the PID of newly created processes" ${random_pid:-off} \
+	"6 stack_guard" "Insert stack guard page ahead of the growable segments" ${stack_guard:-off} \
+	"7 clear_tmp" "Clean the /tmp filesystem on system startup" ${clear_tmp:-off} \
+	"8 disable_syslogd" "Disable opening Syslogd network socket (disables remote logging)" ${disable_syslogd:-off} \
+	"9 disable_sendmail" "Disable Sendmail service" ${disable_sendmail:-off} \
 2>&1 1>&3 )
 exec 3>&-
 
@@ -54,6 +55,9 @@ for feature in $FEATURES; do
 	fi
 	if [ "$feature" = "hide_gids" ]; then
 		echo security.bsd.see_other_gids=0 >> $BSDINSTALL_TMPETC/sysctl.conf.hardening
+	fi
+	if [ "$feature" = "hide_jail" ]; then
+		echo security.bsd.see_jail_proc=0 >> $BSDINSTALL_TMPETC/sysctl.conf.hardening
 	fi
 	if [ "$feature" = "read_msgbuf" ]; then
 		echo security.bsd.unprivileged_read_msgbuf=0 >> $BSDINSTALL_TMPETC/sysctl.conf.hardening
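Review bot: The new append on the `hide_jail` branch leaves `$BSDINSTALL_TMPETC` unquoted in the redirection target, so a value containing whitespace would split the path; the neighbouring lines do the same, but the new line is the one under review: `echo security.bsd.see_jail_proc=0 >> "$BSDINSTALL_TMPETC/sysctl.conf.hardening"`. The `for feature in $FEATURES` loop that encloses this block starts outside the hunk, and it appears to word-split the dialog tags (e.g. `2 hide_jail`) so that only the name token matches these string comparisons, which is presumably why the renumbering in the first hunk has no effect here — worth confirming against the loop header. A one-line comment above the new branch, `# security.bsd.see_jail_proc=0: unprivileged users cannot see processes in other jails`, would tie the menu label to the sysctl it writes.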

