| author | Steve Wills <swills@FreeBSD.org> | 2017-06-29 16:39:55 +0000 |
|---|---|---|
| committer | Steve Wills <swills@FreeBSD.org> | 2017-06-29 16:39:55 +0000 |
| commit | d8061eff494306bc4022b5cd5fb50801cd0d2fe5 (patch) | |
| tree | bd4c87d0b2f1a8e50a8c02da8ecab9eb3672b821 /usr.sbin/bsdinstall/scripts | |
| parent | fda0a14f4744c2851766f395775c7531e7c4f7dd (diff) | |
Diffstat (limited to 'usr.sbin/bsdinstall/scripts')
| -rwxr-xr-x | usr.sbin/bsdinstall/scripts/hardening | 18 |
1 files changed, 11 insertions, 7 deletions
diff --git a/usr.sbin/bsdinstall/scripts/hardening b/usr.sbin/bsdinstall/scripts/hardening
index a39ab7bcbd9da..2d7566dad48e1 100755
--- a/usr.sbin/bsdinstall/scripts/hardening
+++ b/usr.sbin/bsdinstall/scripts/hardening
@@ -38,13 +38,14 @@ FEATURES=$( dialog --backtitle "FreeBSD Installer" \
 0 0 0 \
 "0 hide_uids" "Hide processes running as other users" ${hide_uids:-off} \
 "1 hide_gids" "Hide processes running as other groups" ${hide_gids:-off} \
- "2 read_msgbuf" "Disable reading kernel message buffer for unprivileged users" ${read_msgbuf:-off} \
- "3 proc_debug" "Disable process debugging facilities for unprivileged users" ${proc_debug:-off} \
- "4 random_pid" "Randomize the PID of newly created processes" ${random_pid:-off} \
- "5 stack_guard" "Insert stack guard page ahead of the growable segments" ${stack_guard:-off} \
- "6 clear_tmp" "Clean the /tmp filesystem on system startup" ${clear_tmp:-off} \
- "7 disable_syslogd" "Disable opening Syslogd network socket (disables remote logging)" ${disable_syslogd:-off} \
- "8 disable_sendmail" "Disable Sendmail service" ${disable_sendmail:-off} \
+ "2 hide_jail" "Hide processes running in jails" ${hide_jail:-off} \
+ "3 read_msgbuf" "Disable reading kernel message buffer for unprivileged users" ${read_msgbuf:-off} \
+ "4 proc_debug" "Disable process debugging facilities for unprivileged users" ${proc_debug:-off} \
+ "5 random_pid" "Randomize the PID of newly created processes" ${random_pid:-off} \
+ "6 stack_guard" "Insert stack guard page ahead of the growable segments" ${stack_guard:-off} \
+ "7 clear_tmp" "Clean the /tmp filesystem on system startup" ${clear_tmp:-off} \
+ "8 disable_syslogd" "Disable opening Syslogd network socket (disables remote logging)" ${disable_syslogd:-off} \
+ "9 disable_sendmail" "Disable Sendmail service" ${disable_sendmail:-off} \
 2>&1 1>&3 )
 exec 3>&-
@@ -55,6 +56,9 @@ for feature in $FEATURES; do
 if [ "$feature" = "hide_gids" ]; then
 echo security.bsd.see_other_gids=0 >> $BSDINSTALL_TMPETC/sysctl.conf.hardening
 fi
+ if [ "$feature" = "hide_jail" ]; then
+ echo security.bsd.see_jail_proc=0 >> $BSDINSTALL_TMPETC/sysctl.conf.hardening
+ fi
 if [ "$feature" = "read_msgbuf" ]; then
 echo security.bsd.unprivileged_read_msgbuf=0 >> $BSDINSTALL_TMPETC/sysctl.conf.hardening
 fi
|
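Review bot: The new hide_jail branch appends `security.bsd.see_jail_proc=0` to sysctl.conf.hardening with no note of what that knob actually restricts, unlike the dialog text, which only says "Hide processes running in jails"; a comment above the `if`, such as `# see_jail_proc=0: unprivileged users on the host can no longer see processes inside jails; root and users inside a jail are unaffected`, would make the effect clear to whoever reads the generated file later. As far as I recall this sysctl is independent of see_other_uids/see_other_gids, so selecting hide_jail alone still leaves same-uid host processes visible, and the knob may not exist on older kernels, which should be confirmed against security(7) before documenting it. The redirect copies the unquoted `$BSDINSTALL_TMPETC` from the neighbouring branches; quoting it would be the usual shell idiom, but staying consistent with the existing lines is defensible. The enclosing `for feature in $FEATURES` loop starts before this hunk and ends after it.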
