Author: robak (ports committer)
Date: Tue Feb 21 09:37:33 2017
New Revision: 314036
URL: https://svnweb.freebsd.org/changeset/base/314036

Log:
  Enable bsdinstall hardening options by default.
  
  As discussed previously, in order to introduce new OS hardening
  defaults, we've added them to bsdinstall in 'off by default' mode.
  It has been there for a while, so the next step is to change them
  to 'on by default' mode, so that in future we could simply enable
  them in base OS.
  
  Reviewed by:  brd
  Approved by:  adrian
  Differential Revision:        https://reviews.freebsd.org/D9641

Modified:
  head/usr.sbin/bsdinstall/scripts/hardening

Modified: head/usr.sbin/bsdinstall/scripts/hardening
==============================================================================
--- head/usr.sbin/bsdinstall/scripts/hardening  Tue Feb 21 09:33:21 2017        
(r314035)
+++ head/usr.sbin/bsdinstall/scripts/hardening  Tue Feb 21 09:37:33 2017        
(r314036)
@@ -36,15 +36,15 @@ FEATURES=$( dialog --backtitle "FreeBSD 
     --title "System Hardening" --nocancel --separate-output \
     --checklist "Choose system security hardening options:" \
     0 0 0 \
-       "0 hide_uids" "Hide processes running as other users" ${hide_uids:-off} 
\
-       "1 hide_gids" "Hide processes running as other groups" 
${hide_gids:-off} \
-       "2 read_msgbuf" "Disable reading kernel message buffer for unprivileged 
users" ${read_msgbuf:-off} \
-       "3 proc_debug" "Disable process debugging facilities for unprivileged 
users" ${proc_debug:-off} \
-       "4 random_pid" "Randomize the PID of newly created processes" 
${random_pid:-off} \
-       "5 stack_guard" "Insert stack guard page ahead of the growable 
segments" ${stack_guard:-off} \
-       "6 clear_tmp" "Clean the /tmp filesystem on system startup" 
${clear_tmp:-off} \
-       "7 disable_syslogd" "Disable opening Syslogd network socket (disables 
remote logging)" ${disable_syslogd:-off} \
-       "8 disable_sendmail" "Disable Sendmail service" 
${disable_sendmail:-off} \
+       "0 hide_uids" "Hide processes running as other users" ${hide_uids:-on} \
+       "1 hide_gids" "Hide processes running as other groups" ${hide_gids:-on} 
\
+       "2 read_msgbuf" "Disable reading kernel message buffer for unprivileged 
users" ${read_msgbuf:-on} \
+       "3 proc_debug" "Disable process debugging facilities for unprivileged 
users" ${proc_debug:-on} \
+       "4 random_pid" "Randomize the PID of newly created processes" 
${random_pid:-on} \
+       "5 stack_guard" "Insert stack guard page ahead of the growable 
segments" ${stack_guard:-on} \
+       "6 clear_tmp" "Clean the /tmp filesystem on system startup" 
${clear_tmp:-on} \
+       "7 disable_syslogd" "Disable opening Syslogd network socket (disables 
remote logging)" ${disable_syslogd:-on} \
+       "8 disable_sendmail" "Disable Sendmail service" ${disable_sendmail:-on} 
\
 2>&1 1>&3 )
 exec 3>&-
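Review bot: The added "7 disable_syslogd", "3 proc_debug" and "6 clear_tmp" entries now fall back to on, so anyone who accepts the checklist unchanged gets functional changes rather than only reduced information exposure. Per the option labels themselves, these are no syslogd network socket ("disables remote logging"), no process debugging for unprivileged users, and /tmp cleaned at every startup. The Modified list shows only the hardening script, so please add a note wherever the installer's defaults are documented (release notes or the bsdinstall documentation) stating that these are now preselected and how to opt out. Consider also whether these three should stay off by default while the purely visibility-related ones (hide_uids, hide_gids, read_msgbuf) go on. As a style point, the nine `${name:-on}` fallbacks repeat the same literal; a single default variable near the top of the script would make the later move to base OS defaults a one-line change and keep the entries from drifting apart.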
 