svn commit: r320674 - head/usr.sbin/bsdinstall/scripts
Renato Botelho
garga at FreeBSD.org
Wed Jul 5 17:37:32 UTC 2017
On 05/07/17 10:37, Bartek Rutkowski wrote:
> Author: robak (ports committer)
> Date: Wed Jul 5 13:37:27 2017
> New Revision: 320674
> URL: https://svnweb.freebsd.org/changeset/base/320674
>
> Log:
> Add option to bsdinstall to disable insecure console, update stack guard option
>
> This patch adds a new bsdinstall option to the hardening section that allows users
> to change this behaviour to a secure one, and updates the stack guard option so it
> would set the value of the relevant sysctl to 512 (2MB)
>
> Submitted by: Bartek Rutkowski
> Reviewed by: adrian, bapt, emaste
> Approved by: bapt, emaste
> MFC after: 1 day
> Sponsored by: Pixeware LTD
> Differential Revision: https://reviews.freebsd.org/D9700
>
> Modified:
> head/usr.sbin/bsdinstall/scripts/config
> head/usr.sbin/bsdinstall/scripts/hardening
>
> Modified: head/usr.sbin/bsdinstall/scripts/config
> ==============================================================================
> --- head/usr.sbin/bsdinstall/scripts/config Wed Jul 5 13:13:38 2017 (r320673)
> +++ head/usr.sbin/bsdinstall/scripts/config Wed Jul 5 13:37:27 2017 (r320674)
> @@ -35,6 +35,11 @@ rm $BSDINSTALL_TMPETC/rc.conf.*
> cat $BSDINSTALL_CHROOT/etc/sysctl.conf $BSDINSTALL_TMPETC/sysctl.conf.* >> $BSDINSTALL_TMPETC/sysctl.conf
> rm $BSDINSTALL_TMPETC/sysctl.conf.*
>
> +if [ -f $BSDINSTALL_TMPTEC/ttys.hardening ]; then
> + cat $BSDINSTALL_TMPTEC/ttys.hardening > $BSDINSTALL_TMPTEC/ttys
> + rm $BSDINSTALL_TMPTEC/ttys.hardening
> +fi
> +
> cp $BSDINSTALL_TMPETC/* $BSDINSTALL_CHROOT/etc
>
> cat $BSDINSTALL_TMPBOOT/loader.conf.* >> $BSDINSTALL_TMPBOOT/loader.conf
>
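Review bot: All four added lines spell the variable `$BSDINSTALL_TMPTEC`, while every context line around them uses `$BSDINSTALL_TMPETC`. With the misspelled name unset, the test becomes `[ -f /ttys.hardening ]`, so the block is skipped and a ttys.hardening file in `$BSDINSTALL_TMPETC` is never moved into place as ttys before the `cp $BSDINSTALL_TMPETC/*` that follows. Change all occurrences to `$BSDINSTALL_TMPETC`, and quote the expansions while touching these lines.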
> Modified: head/usr.sbin/bsdinstall/scripts/hardening
> ==============================================================================
> --- head/usr.sbin/bsdinstall/scripts/hardening Wed Jul 5 13:13:38 2017 (r320673)
> +++ head/usr.sbin/bsdinstall/scripts/hardening Wed Jul 5 13:37:27 2017 (r320674)
> @@ -42,10 +42,11 @@ FEATURES=$( dialog --backtitle "FreeBSD Installer" \
> "3 read_msgbuf" "Disable reading kernel message buffer for unprivileged users" ${read_msgbuf:-off} \
> "4 proc_debug" "Disable process debugging facilities for unprivileged users" ${proc_debug:-off} \
> "5 random_pid" "Randomize the PID of newly created processes" ${random_pid:-off} \
> - "6 stack_guard" "Insert stack guard page ahead of the growable segments" ${stack_guard:-off} \
> + "6 stack_guard" "Set stack guard buffer size to 2MB" ${stack_guard:-off} \
> "7 clear_tmp" "Clean the /tmp filesystem on system startup" ${clear_tmp:-off} \
> "8 disable_syslogd" "Disable opening Syslogd network socket (disables remote logging)" ${disable_syslogd:-off} \
> "9 disable_sendmail" "Disable Sendmail service" ${disable_sendmail:-off} \
> + "9 secure_console" "Enable console password prompt" ${secure_console:-off} \
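Review bot: The added `"9 secure_console"` entry reuses the tag number already carried by `"9 disable_sendmail"` on the line directly above it, so the checklist ends up with two items numbered 9. Give the new entry the next free number, for example `"10 secure_console"`, and confirm that whatever consumes `$FEATURES` matches on the option name rather than on the number.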
There are two options '9' now
--
Renato Botelho