On Tue, Feb 21, 2017 at 09:37:34AM +0000, Bartek Rutkowski wrote:

> Author: robak (ports committer)
> Date: Tue Feb 21 09:37:33 2017
> New Revision: 314036
> URL: https://svnweb.freebsd.org/changeset/base/314036
> 
> Log:
>   Enable bsdinstall hardening options by default.
>   
>   As discussed previously, in order to introduce new OS hardening
>   defaults, we've added them to bsdinstall in 'off by default' mode.
>   It has been there for a while, so the next step is to change them
>   to 'on by default' mode, so that in future we could simply enable
>   them in base OS.

Please include a "disable all" option to simply disable all.

>   Reviewed by:        brd
>   Approved by:        adrian
>   Differential Revision:      https://reviews.freebsd.org/D9641
> 
> Modified:
>   head/usr.sbin/bsdinstall/scripts/hardening
> 
> Modified: head/usr.sbin/bsdinstall/scripts/hardening
> ==============================================================================
> --- head/usr.sbin/bsdinstall/scripts/hardening        Tue Feb 21 09:33:21 
> 2017        (r314035)
> +++ head/usr.sbin/bsdinstall/scripts/hardening        Tue Feb 21 09:37:33 
> 2017        (r314036)
> @@ -36,15 +36,15 @@ FEATURES=$( dialog --backtitle "FreeBSD 
>      --title "System Hardening" --nocancel --separate-output \
>      --checklist "Choose system security hardening options:" \
>      0 0 0 \
> -     "0 hide_uids" "Hide processes running as other users" ${hide_uids:-off} 
> \
> -     "1 hide_gids" "Hide processes running as other groups" 
> ${hide_gids:-off} \
> -     "2 read_msgbuf" "Disable reading kernel message buffer for unprivileged 
> users" ${read_msgbuf:-off} \
> -     "3 proc_debug" "Disable process debugging facilities for unprivileged 
> users" ${proc_debug:-off} \
> -     "4 random_pid" "Randomize the PID of newly created processes" 
> ${random_pid:-off} \
> -     "5 stack_guard" "Insert stack guard page ahead of the growable 
> segments" ${stack_guard:-off} \
> -     "6 clear_tmp" "Clean the /tmp filesystem on system startup" 
> ${clear_tmp:-off} \
> -     "7 disable_syslogd" "Disable opening Syslogd network socket (disables 
> remote logging)" ${disable_syslogd:-off} \
> -     "8 disable_sendmail" "Disable Sendmail service" 
> ${disable_sendmail:-off} \
> +     "0 hide_uids" "Hide processes running as other users" ${hide_uids:-on} \
> +     "1 hide_gids" "Hide processes running as other groups" ${hide_gids:-on} 
> \
> +     "2 read_msgbuf" "Disable reading kernel message buffer for unprivileged 
> users" ${read_msgbuf:-on} \
> +     "3 proc_debug" "Disable process debugging facilities for unprivileged 
> users" ${proc_debug:-on} \
> +     "4 random_pid" "Randomize the PID of newly created processes" 
> ${random_pid:-on} \
> +     "5 stack_guard" "Insert stack guard page ahead of the growable 
> segments" ${stack_guard:-on} \
> +     "6 clear_tmp" "Clean the /tmp filesystem on system startup" 
> ${clear_tmp:-on} \
> +     "7 disable_syslogd" "Disable opening Syslogd network socket (disables 
> remote logging)" ${disable_syslogd:-on} \
> +     "8 disable_sendmail" "Disable Sendmail service" ${disable_sendmail:-on} 
> \
>  2>&1 1>&3 )
>  exec 3>&-
>  
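
Review bot: The `+` lines for `disable_syslogd` and `disable_sendmail` flip defaults that change service behaviour rather than only restricting unprivileged users; the item's own text says it "disables remote logging", so accepting the dialog unchanged now selects that. Consider keeping those two at `${disable_syslogd:-off}` and `${disable_sendmail:-off}`, or stating in the `--checklist` prompt that every item is preselected. Since the dialog is run with `--nocancel` and all nine entries now start checked, opting out means unchecking each one by hand, which is what the "disable all" request in the reply would address. The hunk also carries no comment recording why the defaults are `on`; a one-line note above the `dialog` call would help later readers.
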
> _______________________________________________
> svn-src-...@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/svn-src-all
> To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"