On 05/07/17 10:37, Bartek Rutkowski wrote:
> Author: robak (ports committer)
> Date: Wed Jul  5 13:37:27 2017
> New Revision: 320674
> URL: https://svnweb.freebsd.org/changeset/base/320674
> 
> Log:
>   Add option to bsdinstall to disable insecure console, update stack guard 
> option
>   
>   This patch adds new bsdinstall option to hardening section that allows users
>   to change this behaviour to secure one and updates stack guard option so it
>   would set the value of relevant sysctl to 512 (2MB)
>   
>   Submitted by:       Bartek Rutkowski
>   Reviewed by:        adrian, bapt, emaste
>   Approved by:        bapt, emaste
>   MFC after:  1 day
>   Sponsored by:       Pixeware LTD
>   Differential Revision:      https://reviews.freebsd.org/D9700
> 
> Modified:
>   head/usr.sbin/bsdinstall/scripts/config
>   head/usr.sbin/bsdinstall/scripts/hardening
> 
> Modified: head/usr.sbin/bsdinstall/scripts/config
> ==============================================================================
> --- head/usr.sbin/bsdinstall/scripts/config   Wed Jul  5 13:13:38 2017        
> (r320673)
> +++ head/usr.sbin/bsdinstall/scripts/config   Wed Jul  5 13:37:27 2017        
> (r320674)
> @@ -35,6 +35,11 @@ rm $BSDINSTALL_TMPETC/rc.conf.*
>  cat $BSDINSTALL_CHROOT/etc/sysctl.conf $BSDINSTALL_TMPETC/sysctl.conf.* >> 
> $BSDINSTALL_TMPETC/sysctl.conf
>  rm $BSDINSTALL_TMPETC/sysctl.conf.*
>  
> +if [ -f $BSDINSTALL_TMPTEC/ttys.hardening ]; then
> +     cat $BSDINSTALL_TMPTEC/ttys.hardening > $BSDINSTALL_TMPTEC/ttys
> +     rm $BSDINSTALL_TMPTEC/ttys.hardening
> +fi
> +
>  cp $BSDINSTALL_TMPETC/* $BSDINSTALL_CHROOT/etc
>  
>  cat $BSDINSTALL_TMPBOOT/loader.conf.* >> $BSDINSTALL_TMPBOOT/loader.conf
> 
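
Review bot: The four expansions added to scripts/config are spelled $BSDINSTALL_TMPTEC, while the context lines directly above and below use $BSDINSTALL_TMPETC. If TMPTEC is unset, the test becomes [ -f /ttys.hardening ], the block is skipped, and ttys.hardening is never merged into the ttys file that "cp $BSDINSTALL_TMPETC/* $BSDINSTALL_CHROOT/etc" copies into the installed system. Correct the spelling in all three added lines, and quote the expansions so an empty or space-containing path fails visibly instead of silently.
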
> Modified: head/usr.sbin/bsdinstall/scripts/hardening
> ==============================================================================
> --- head/usr.sbin/bsdinstall/scripts/hardening        Wed Jul  5 13:13:38 
> 2017        (r320673)
> +++ head/usr.sbin/bsdinstall/scripts/hardening        Wed Jul  5 13:37:27 
> 2017        (r320674)
> @@ -42,10 +42,11 @@ FEATURES=$( dialog --backtitle "FreeBSD Installer" \
>       "3 read_msgbuf" "Disable reading kernel message buffer for unprivileged 
> users" ${read_msgbuf:-off} \
>       "4 proc_debug" "Disable process debugging facilities for unprivileged 
> users" ${proc_debug:-off} \
>       "5 random_pid" "Randomize the PID of newly created processes" 
> ${random_pid:-off} \
> -     "6 stack_guard" "Insert stack guard page ahead of the growable 
> segments" ${stack_guard:-off} \
> +     "6 stack_guard" "Set stack guard buffer size to 2MB" 
> ${stack_guard:-off} \
>       "7 clear_tmp" "Clean the /tmp filesystem on system startup" 
> ${clear_tmp:-off} \
>       "8 disable_syslogd" "Disable opening Syslogd network socket (disables 
> remote logging)" ${disable_syslogd:-off} \
>       "9 disable_sendmail" "Disable Sendmail service" 
> ${disable_sendmail:-off} \
> +     "9 secure_console" "Enable console password prompt" 
> ${secure_console:-off} \
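
Review bot: On the "6 stack_guard" line, the new label "Set stack guard buffer size to 2MB" states a fixed size, while the log message says the option sets the sysctl to 512 and gives 2MB only in parentheses. If that value is a page count, 2MB holds only where pages are 4 KB, so the label would be more accurate naming the value it sets, for example "512 pages". The added "9 secure_console" entry also reuses the "9" prefix already taken by "9 disable_sendmail" and should get the next free number.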

There are two options '9' now

-- 
Renato Botelho