https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=294167
Bug ID: 294167
Summary: Handbook Security chapter does not mention "hardening"
Product: Documentation
Version: Latest
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: Books & Articles
Assignee: [email protected]
Reporter: [email protected]
"Security" (Chapter 16) does not include the keyword "harden" or "hardening".
https://github.com/freebsd/freebsd-doc/blob/main/documentation/content/en/books/handbook/security/_index.adoc
"Installing FreeBSD" (Chapter 2) covers hardening options available during
install:
https://github.com/freebsd/freebsd-doc/blob/main/documentation/content/en/books/handbook/bsdinstall/_index.adoc#85-enabling-hardening-security-options
These options are set by the hardening script:
https://github.com/freebsd/freebsd-src/blob/main/usr.sbin/bsdinstall/scripts/hardening
Logically, system hardening fits the "Security" chapter so the bsdinstall
options should be mentioned. But this is of limited use post-install. While
possible (albeit undocumented, bug #294148) to do
# bsdinstall hardening
this surely shouldn't be recommended due to limitations of the script (doesn't
show if option already enabled, only writes to config files to enable not
disable, writes repeatedly when run a second time, etc).
Far better would be to explain how to enable - and disable - these hardening
options, and perhaps others, manually. Config (Chapter 14) comes before
Security (Chapter 16) so there's no need to explain "how to edit a config
file", just which edits to make. (Note Config doesn't mention "harden[ing]"
either.)
https://github.com/freebsd/freebsd-doc/blob/main/documentation/content/en/books/handbook/config/_index.adoc
A complete resolution would add a cross-reference in the bsdinstall chapter's
"Enabling Hardening Security Options" section to the relevant part (likely a
new "System Hardening" section) of the Security chapter, for further
information on the hardening options and how to enable/disable post-install.
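
Added example, not part of the report and not FreeBSD project code: one way to make the manual enable/disable edits the report asks for without the limitations it lists for the script (no status shown, enable only, repeated writes on a second run). The function names are hypothetical, the two sysctl names are real FreeBSD sysctls chosen for illustration because the report does not list the options, and a constructed scratch file stands in for /etc/sysctl.conf.

```shell
#!/bin/sh
# Idempotent edits to a sysctl.conf-style file ("key=value", no spaces).

# conf_count FILE KEY: number of lines that set KEY
conf_count() {
    awk -F= -v k="$2" '$1 == k { n++ } END { print n + 0 }' "$1"
}

# conf_status FILE KEY: print the effective "KEY=VALUE" line, or "unset"
conf_status() {
    awk -F= -v k="$2" '$1 == k { v = $0 }
        END { print (v == "" ? "unset" : v) }' "$1"
}

# conf_unset FILE KEY: remove every line that sets KEY (the "disable" path)
conf_unset() {
    tmp=$(mktemp) || return 1
    # cat back into place so the file keeps its owner and mode
    awk -F= -v k="$2" '$1 != k' "$1" > "$tmp" && cat "$tmp" > "$1"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# conf_set FILE KEY VALUE: leave exactly one "KEY=VALUE" line
conf_set() {
    if [ "$(conf_count "$1" "$2")" -eq 1 ] &&
       [ "$(conf_status "$1" "$2")" = "$2=$3" ]; then
        return 0    # already set once with this value: write nothing
    fi
    conf_unset "$1" "$2" && printf '%s=%s\n' "$2" "$3" >> "$1"
}

demo() {
    f=$(mktemp) || return 1
    printf '# constructed sample\nkern.randompid=1\n' > "$f"
    conf_set "$f" security.bsd.see_other_uids 0
    conf_set "$f" security.bsd.see_other_uids 0    # second run adds nothing
    conf_status "$f" security.bsd.see_other_uids
    conf_unset "$f" security.bsd.see_other_uids
    conf_status "$f" security.bsd.see_other_uids
    rm -f "$f"
}
demo
```

Edits to /etc/sysctl.conf are read at boot; `sysctl security.bsd.see_other_uids=0` applies the value to the running system.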