Author: robak (ports committer)
Date: Wed Jul  5 13:37:27 2017
New Revision: 320674
URL: https://svnweb.freebsd.org/changeset/base/320674

Log:
  Add option to bsdinstall to disable insecure console, update stack guard 
option
  
  This patch adds a new bsdinstall option to the hardening section that lets
  users switch the console entry to the secure setting, and updates the stack
  guard option so that it sets the relevant sysctl to 512 (2MB)
  
  Submitted by: Bartek Rutkowski
  Reviewed by:  adrian, bapt, emaste
  Approved by:  bapt, emaste
  MFC after:    1 day
  Sponsored by: Pixeware LTD
  Differential Revision:        https://reviews.freebsd.org/D9700

Modified:
  head/usr.sbin/bsdinstall/scripts/config
  head/usr.sbin/bsdinstall/scripts/hardening

Modified: head/usr.sbin/bsdinstall/scripts/config
==============================================================================
--- head/usr.sbin/bsdinstall/scripts/config     Wed Jul  5 13:13:38 2017        
(r320673)
+++ head/usr.sbin/bsdinstall/scripts/config     Wed Jul  5 13:37:27 2017        
(r320674)
@@ -35,6 +35,11 @@ rm $BSDINSTALL_TMPETC/rc.conf.*
 cat $BSDINSTALL_CHROOT/etc/sysctl.conf $BSDINSTALL_TMPETC/sysctl.conf.* >> 
$BSDINSTALL_TMPETC/sysctl.conf
 rm $BSDINSTALL_TMPETC/sysctl.conf.*
 
+if [ -f $BSDINSTALL_TMPTEC/ttys.hardening ]; then
+       cat $BSDINSTALL_TMPTEC/ttys.hardening > $BSDINSTALL_TMPTEC/ttys
+       rm $BSDINSTALL_TMPTEC/ttys.hardening
+fi
+
 cp $BSDINSTALL_TMPETC/* $BSDINSTALL_CHROOT/etc
 
 cat $BSDINSTALL_TMPBOOT/loader.conf.* >> $BSDINSTALL_TMPBOOT/loader.conf
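Review bot: The three added lines reference `$BSDINSTALL_TMPTEC`, which is not the variable every surrounding line of this script uses (`$BSDINSTALL_TMPETC` on the `cat`, `rm` and `cp` lines) and not the directory the hardening script writes `ttys.hardening` into. Unless that name is set somewhere I cannot see, it expands to empty, the `-f` test looks for `/ttys.hardening`, and a user's secure_console selection is silently never applied. The lines should read `if [ -f $BSDINSTALL_TMPETC/ttys.hardening ]; then`, `cat $BSDINSTALL_TMPETC/ttys.hardening > $BSDINSTALL_TMPETC/ttys` and `rm $BSDINSTALL_TMPETC/ttys.hardening`. Since ttys.hardening is a complete copy of the chroot's ttys, a single `mv` in place of cat+rm would also be sufficient.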

Modified: head/usr.sbin/bsdinstall/scripts/hardening
==============================================================================
--- head/usr.sbin/bsdinstall/scripts/hardening  Wed Jul  5 13:13:38 2017        
(r320673)
+++ head/usr.sbin/bsdinstall/scripts/hardening  Wed Jul  5 13:37:27 2017        
(r320674)
@@ -42,10 +42,11 @@ FEATURES=$( dialog --backtitle "FreeBSD Installer" \
        "3 read_msgbuf" "Disable reading kernel message buffer for unprivileged 
users" ${read_msgbuf:-off} \
        "4 proc_debug" "Disable process debugging facilities for unprivileged 
users" ${proc_debug:-off} \
        "5 random_pid" "Randomize the PID of newly created processes" 
${random_pid:-off} \
-       "6 stack_guard" "Insert stack guard page ahead of the growable 
segments" ${stack_guard:-off} \
+       "6 stack_guard" "Set stack guard buffer size to 2MB" 
${stack_guard:-off} \
        "7 clear_tmp" "Clean the /tmp filesystem on system startup" 
${clear_tmp:-off} \
        "8 disable_syslogd" "Disable opening Syslogd network socket (disables 
remote logging)" ${disable_syslogd:-off} \
        "9 disable_sendmail" "Disable Sendmail service" 
${disable_sendmail:-off} \
+       "9 secure_console" "Enable console password prompt" 
${secure_console:-off} \
 2>&1 1>&3 )
 exec 3>&-
 
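Review bot: The new checklist entry reuses tag `9`, which the disable_sendmail line directly above already carries, so the menu shows two items numbered 9. The loop below keys on the feature name rather than the number, so selection most likely still works, but the line should be `"10 secure_console" "Enable console password prompt" ${secure_console:-off} \`. The label could also say what is actually changed, since the implementation flips the console entry in /etc/ttys from `secure` to `insecure`, which as I read ttys(5) makes single-user mode ask for the root password; something like `"Require root password for single-user mode on console"` would tell the user what they are enabling. The dialog invocation these arguments belong to begins before this hunk.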
@@ -69,7 +70,7 @@ for feature in $FEATURES; do
                echo kern.randompid=$(jot -r 1 9999) >> 
$BSDINSTALL_TMPETC/sysctl.conf.hardening
        fi
        if [ "$feature" = "stack_guard" ]; then
-               echo security.bsd.stack_guard_page=1 >> 
$BSDINSTALL_TMPETC/sysctl.conf.hardening
+               echo security.bsd.stack_guard_page=512 >> 
$BSDINSTALL_TMPETC/sysctl.conf.hardening
        fi
        if [ "$feature" = "clear_tmp" ]; then
                echo 'clear_tmp_enable="YES"' >> 
$BSDINSTALL_TMPETC/rc.conf.hardening
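Review bot: The bare `512` on the stack_guard line carries no unit; from the log message ("512 (2MB)") it appears to be a count of guard pages, which equals 2 MiB only at a 4 KiB page size, while the menu label in this same commit hard-codes "2MB". A comment above the echo would keep the two from drifting apart when someone next changes the number: `# security.bsd.stack_guard_page is in pages: 512 == 2 MiB at 4 KiB PAGE_SIZE`. The for loop enclosing this branch starts outside the hunk.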
@@ -79,6 +80,9 @@ for feature in $FEATURES; do
        fi
        if [ "$feature" = "disable_sendmail" ]; then
                echo 'sendmail_enable="NONE"' >> 
$BSDINSTALL_TMPETC/rc.conf.hardening
+       fi
+       if [ "$feature" = "secure_console" ]; then
+               sed "s/unknown  off secure/unknown      off insecure/g" 
$BSDINSTALL_CHROOT/etc/ttys > $BSDINSTALL_TMPETC/ttys.hardening
        fi
 done
 
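Review bot: The sed pattern in the secure_console branch matches only the literal spacing `unknown  off secure` (two spaces, then one), so if the chroot's /etc/ttys separates those fields with different whitespace the substitution silently does nothing, ttys.hardening becomes an unchanged copy, and the option appears applied while the console stays `secure`. A whitespace-tolerant BRE that also preserves the file's own field separators is safer: `sed 's/\(unknown[[:space:]][[:space:]]*off[[:space:]][[:space:]]*\)secure/\1insecure/'`. Since the match requires `off` followed by whitespace and then `secure`, an already-`insecure` line is left alone, so the `g` flag is not needed either. The for loop enclosing this branch starts outside the hunk.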