diff options
| author | Bartek Rutkowski <robak@FreeBSD.org> | 2017-07-05 13:37:27 +0000 |
|---|---|---|
| committer | Bartek Rutkowski <robak@FreeBSD.org> | 2017-07-05 13:37:27 +0000 |
| commit | 82ec242f2e5538faaed8fba1ed74babee8d1aa83 (patch) | |
| tree | f63f8e49c88dd1ebf14f3dd9ad37a980f81306a7 /usr.sbin/bsdinstall | |
| parent | 8f992087211a1ced2e82eaa90700eacc8112de1b (diff) | |
| download | src-test2-82ec242f2e5538faaed8fba1ed74babee8d1aa83.tar.gz src-test2-82ec242f2e5538faaed8fba1ed74babee8d1aa83.zip | |
Notes
Diffstat (limited to 'usr.sbin/bsdinstall')
| -rwxr-xr-x | usr.sbin/bsdinstall/scripts/config | 5 | ||||
| -rwxr-xr-x | usr.sbin/bsdinstall/scripts/hardening | 8 |
2 files changed, 11 insertions, 2 deletions
diff --git a/usr.sbin/bsdinstall/scripts/config b/usr.sbin/bsdinstall/scripts/config index e93e0aec276e..6a5bbfb39b58 100755 --- a/usr.sbin/bsdinstall/scripts/config +++ b/usr.sbin/bsdinstall/scripts/config @@ -35,6 +35,11 @@ rm $BSDINSTALL_TMPETC/rc.conf.* cat $BSDINSTALL_CHROOT/etc/sysctl.conf $BSDINSTALL_TMPETC/sysctl.conf.* >> $BSDINSTALL_TMPETC/sysctl.conf rm $BSDINSTALL_TMPETC/sysctl.conf.* +if [ -f $BSDINSTALL_TMPTEC/ttys.hardening ]; then + cat $BSDINSTALL_TMPTEC/ttys.hardening > $BSDINSTALL_TMPTEC/ttys + rm $BSDINSTALL_TMPTEC/ttys.hardening +fi + cp $BSDINSTALL_TMPETC/* $BSDINSTALL_CHROOT/etc cat $BSDINSTALL_TMPBOOT/loader.conf.* >> $BSDINSTALL_TMPBOOT/loader.conf diff --git a/usr.sbin/bsdinstall/scripts/hardening b/usr.sbin/bsdinstall/scripts/hardening index 2d7566dad48e..93a0f3c5d5f1 100755 --- a/usr.sbin/bsdinstall/scripts/hardening +++ b/usr.sbin/bsdinstall/scripts/hardening @@ -42,10 +42,11 @@ FEATURES=$( dialog --backtitle "FreeBSD Installer" \ "3 read_msgbuf" "Disable reading kernel message buffer for unprivileged users" ${read_msgbuf:-off} \ "4 proc_debug" "Disable process debugging facilities for unprivileged users" ${proc_debug:-off} \ "5 random_pid" "Randomize the PID of newly created processes" ${random_pid:-off} \ - "6 stack_guard" "Insert stack guard page ahead of the growable segments" ${stack_guard:-off} \ + "6 stack_guard" "Set stack guard buffer size to 2MB" ${stack_guard:-off} \ "7 clear_tmp" "Clean the /tmp filesystem on system startup" ${clear_tmp:-off} \ "8 disable_syslogd" "Disable opening Syslogd network socket (disables remote logging)" ${disable_syslogd:-off} \ "9 disable_sendmail" "Disable Sendmail service" ${disable_sendmail:-off} \ + "9 secure_console" "Enable console password prompt" ${secure_console:-off} \ 2>&1 1>&3 ) exec 3>&- @@ -69,7 +70,7 @@ for feature in $FEATURES; do echo kern.randompid=$(jot -r 1 9999) >> $BSDINSTALL_TMPETC/sysctl.conf.hardening fi if [ "$feature" = "stack_guard" ]; then - echo security.bsd.stack_guard_page=1 >> $BSDINSTALL_TMPETC/sysctl.conf.hardening + echo security.bsd.stack_guard_page=512 >> $BSDINSTALL_TMPETC/sysctl.conf.hardening fi if [ "$feature" = "clear_tmp" ]; then echo 'clear_tmp_enable="YES"' >> $BSDINSTALL_TMPETC/rc.conf.hardening @@ -80,5 +81,8 @@ for feature in $FEATURES; do if [ "$feature" = "disable_sendmail" ]; then echo 'sendmail_enable="NONE"' >> $BSDINSTALL_TMPETC/rc.conf.hardening fi + if [ "$feature" = "secure_console" ]; then + sed "s/unknown off secure/unknown off insecure/g" $BSDINSTALL_CHROOT/etc/ttys > $BSDINSTALL_TMPETC/ttys.hardening + fi done |