Author: des
Date: Fri Sep 21 09:27:32 2018
New Revision: 338852
URL: https://svnweb.freebsd.org/changeset/base/338852

Log:
  Add an installer option to disable destructive dtrace.
  
  Submitted by:         Jörg Pernfuß <[email protected]>
  Approved by:          re (kib)
  MFC after:            1 week
  Differential Revision:        https://reviews.freebsd.org/D12474

Modified:
  head/usr.sbin/bsdinstall/scripts/hardening

Modified: head/usr.sbin/bsdinstall/scripts/hardening
==============================================================================
--- head/usr.sbin/bsdinstall/scripts/hardening  Fri Sep 21 07:36:02 2018        
(r338851)
+++ head/usr.sbin/bsdinstall/scripts/hardening  Fri Sep 21 09:27:32 2018        
(r338852)
@@ -30,6 +30,7 @@
 
 echo -n > $BSDINSTALL_TMPETC/rc.conf.hardening
 echo -n > $BSDINSTALL_TMPETC/sysctl.conf.hardening
+echo -n > $BSDINSTALL_TMPBOOT/loader.conf.hardening
 
 exec 3>&1
 FEATURES=$( dialog --backtitle "FreeBSD Installer" \
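Review bot: The added redirection target `$BSDINSTALL_TMPBOOT/loader.conf.hardening` is unquoted and has no guard on the variable, so an unset or empty `BSDINSTALL_TMPBOOT` would make the script truncate `/loader.conf.hardening` at the filesystem root instead of failing; the same applies to the append in the third hunk. The two existing `BSDINSTALL_TMPETC` lines follow the same pattern, but since this commit introduces a second environment variable for the boot directory it would be worth asserting it once near the top, `: "${BSDINSTALL_TMPBOOT:?BSDINSTALL_TMPBOOT must be set}"`, and quoting the new target, `echo -n > "$BSDINSTALL_TMPBOOT/loader.conf.hardening"`. Whether the installer always exports `BSDINSTALL_TMPBOOT` when this script runs is not visible from the hunk.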
@@ -46,6 +47,7 @@ FEATURES=$( dialog --backtitle "FreeBSD Installer" \
        "7 disable_syslogd" "Disable opening Syslogd network socket (disables 
remote logging)" ${disable_syslogd:-off} \
        "8 disable_sendmail" "Disable Sendmail service" 
${disable_sendmail:-off} \
        "9 secure_console" "Enable console password prompt" 
${secure_console:-off} \
+       "10 disable_ddtrace" "Disallow DTrace destructive-mode" 
${disable_ddtrace:-off} \
 2>&1 1>&3 )
 exec 3>&-
 
@@ -79,6 +81,9 @@ for feature in $FEATURES; do
        fi
        if [ "$feature" = "secure_console" ]; then
                sed "s/unknown  off secure/unknown      off insecure/g" 
$BSDINSTALL_CHROOT/etc/ttys > $BSDINSTALL_TMPETC/ttys.hardening
+       fi
+       if [ "$feature" = "disable_ddtrace" ]; then
+               echo 'security.bsd.allow_destructive_dtrace=0' >> 
$BSDINSTALL_TMPBOOT/loader.conf.hardening
        fi
 done
 
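Review bot: The new `disable_ddtrace` branch writes its setting to `loader.conf.hardening` while every other feature in this loop writes to `rc.conf.hardening` or `sysctl.conf.hardening`, and nothing explains the difference; a one-line comment above the `echo` would save the next maintainer from "fixing" it, e.g. `# security.bsd.allow_destructive_dtrace is a boot-time tunable, so it belongs in loader.conf, not sysctl.conf`. The exact tunable semantics are not shown in the hunk, so confirm that wording against the sysctl definition before committing it. Note also that the first hunk creates `loader.conf.hardening` unconditionally, so it is an empty file whenever this option is left unselected; if the code that later merges the `.hardening` files into the target system (outside this diff) treats an empty file specially, that should be checked.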