Author: eadler
Date: Sat Jan 13 09:28:43 2018
New Revision: 327915
URL: https://svnweb.freebsd.org/changeset/base/327915

Log:
  MFC r324206:
  
  bsdinstall(8) hardening menu: Utilize new kern.randompid=1 behaviour
  
  Enabling the PID randomization option in bsdinstall(8)'s hardening menu
  now randomizes the effective value of kern.randompid on each boot.
  
  Previous behaviour:
  When kern.randompid was enabled via the bsdinstall(8) hardening menu,
  a random value was generated and placed in the system's /etc/sysctl.conf as
  kern.randompid=value
  This makes the value of kern.randompid static across reboots.
  
  New behaviour:
  When kern.randompid is enabled via the bsdinstall(8) hardening menu, the
  line kern.randompid=1 is placed in the system's /etc/sysctl.conf.
  This takes advantage of a new kernel feature and makes the value of
  kern.randompid be randomized by the kernel on each reboot.

Modified:
  stable/11/usr.sbin/bsdinstall/scripts/hardening
Directory Properties:
  stable/11/   (props changed)

Modified: stable/11/usr.sbin/bsdinstall/scripts/hardening
==============================================================================
--- stable/11/usr.sbin/bsdinstall/scripts/hardening     Sat Jan 13 09:26:24 
2018        (r327914)
+++ stable/11/usr.sbin/bsdinstall/scripts/hardening     Sat Jan 13 09:28:43 
2018        (r327915)
@@ -62,7 +62,7 @@ for feature in $FEATURES; do
                echo security.bsd.unprivileged_proc_debug=0 >> 
$BSDINSTALL_TMPETC/sysctl.conf.hardening
        fi
        if [ "$feature" = "random_pid" ]; then
-               echo kern.randompid=$(jot -r 1 9999) >> 
$BSDINSTALL_TMPETC/sysctl.conf.hardening
+               echo kern.randompid=1 >> 
$BSDINSTALL_TMPETC/sysctl.conf.hardening
        fi
        if [ "$feature" = "stack_guard" ]; then
                echo security.bsd.stack_guard_page=1 >> 
$BSDINSTALL_TMPETC/sysctl.conf.hardening
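
Review bot: The new "echo kern.randompid=1" line in the random_pid branch only randomizes PIDs if the installed kernel gives the value 1 the meaning the log describes, so this merge should land with or after the MFC of that kernel change to stable/11; the log cites r324206 for the script change but does not name the kernel revision it depends on. A one-line comment above the echo stating that 1 asks the kernel to pick a random value at boot would keep the literal from reading as a plain on/off switch. Systems installed with the previous script keep their static kern.randompid=value line in /etc/sysctl.conf, which is worth a release-note mention.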