| Commit message | Author | Age | Files | Lines |
| |
Throughout the bsdinstall script fd 3 is used by f_dprintf (set through
$TERMINAL_STDOUT_PASSTHRU). In several places in the bsdinstall scripts,
we use fd 3 to juggle stdout when calling out to other tools, which can
cause the installer to fail with a "Bad file descriptor" error when
f_dprintf attempts to use it.
This commit replaces all constructs like this:

    exec 3>&1
    SOME_VARIABLE=$(some command 2>&1 1>&3)
    exec 3>&-

With:

    exec 5>&1
    SOME_VARIABLE=$(some command 2>&1 1>&5)
    exec 5>&-

PR: 273148
Reviewed by: corvink
Fixes: 1f7746d81f53447ac15cc99395bb714d4dd0a4da ("bsdinstall: stop messing with file descriptors")
MFC after: 1 week
| |
Remove /^\s*#[#!]?\s*\$FreeBSD\$.*$\n/
| |
sendmail is fully disabled in 14.0 by default
Reviewed by: imp, emaste
Differential Revision: https://reviews.freebsd.org/D40367
| |
Approved by: allanjude, asiciliano
Differential Revision: https://reviews.freebsd.org/D35197
Sponsored by: Rubicon Communications, LLC ("Netgate")
| |
bsdinstall/scripts/hardening: Replace (LGPL) dialog utility with
(BSD-2-CLAUSE) dialog utility.
Approved by: bapt (mentor)
Differential Revision: https://reviews.freebsd.org/D34102
| |
This reverts commit 020f4112559ebf7e94665c9a69f89d21929ce82a.
Because now ASLR is enabled by default for 64-bit architectures
and the purpose of the installation menu is to allow choosing
additional 'mitigation'/'hardening' options that are originally
disabled, remove the ASLR knob from bsdinstall.
Discussed with: emaste
Obtained from: Semihalf
Sponsored by: Stormshield
| |
Reviewed by: mw
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D28418
| |
Reduce copy-paste and use a more typical construct.
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D28417
| |
Submitted by: Jörg Pernfuß <code.jpe@gmail.com>
Approved by: re (kib)
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D12474
Notes:
svn path=/head/; revision=338852
| |
Enabling the PID randomization option in bsdinstall(8)'s hardening menu
now randomizes the effective value of kern.randompid on each boot.
Previous behaviour:
When kern.randompid was enabled via the bsdinstall(8) hardening menu,
a random value was generated and placed in the system's /etc/sysctl.conf as
    kern.randompid=value
This makes the value of kern.randompid static across reboots.
New behaviour:
When kern.randompid is enabled via the bsdinstall(8) hardening menu, the
line kern.randompid=1 is placed in the system's /etc/sysctl.conf.
This takes advantage of a new kernel feature and makes the value of
kern.randompid be randomized by the kernel on each reboot.
Submitted by: Marie Helene Kvello-Aune <marieheleneka@gmail.com>
Reviewed by: des
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D12433
Notes:
svn path=/head/; revision=324206
| |
Since kib's change the stack guard is now ON by default,
this option in the hardening menu of bsdinstall is no longer needed.
Submitted by: Bartlomiej Rutkowski <robak@FreeBSD.org>
Reviewed by: bapt
Approved by: bapt
MFC after: 1 day
Sponsored by: Pixeware LTD
Differential Revision: https://reviews.freebsd.org/D11686
Notes:
svn path=/head/; revision=321326
| |
Submitted by: Bartek Rutkowski <robak@FreeBSD.org>
Reviewed by: bapt
Approved by: bapt
MFC after: 1 day
Differential Revision: https://reviews.freebsd.org/D11505
Notes:
svn path=/head/; revision=320732
| |
This patch adds a new bsdinstall option to the hardening section that allows
users to change this behaviour to a secure one and updates the stack guard
option so it would set the value of the relevant sysctl to 512 (2MB)
Submitted by: Bartek Rutkowski
Reviewed by: adrian, bapt, emaste
Approved by: bapt, emaste
MFC after: 1 day
Sponsored by: Pixeware LTD
Differential Revision: https://reviews.freebsd.org/D9700
Notes:
svn path=/head/; revision=320674
| |
Approved by: allanjude
Differential Revision: https://reviews.freebsd.org/D11283
Notes:
svn path=/head/; revision=320473
| |
Approved by: bapt, jhb
Notes:
svn path=/head/; revision=315447
| |
As discussed previously, in order to introduce new OS hardening
defaults, we've added them to bsdinstall in 'off by default' mode.
It has been there for a while, so the next step is to change them
to 'on by default' mode, so that in future we could simply enable
them in base OS.
Reviewed by: brd
Approved by: adrian
Differential Revision: https://reviews.freebsd.org/D9641
Notes:
svn path=/head/; revision=314036
| |
Submitted by: skreuzer
Reviewed by: allanjude, robak
Approved by: allanjude
Differential Revision: https://reviews.freebsd.org/D6826
Notes:
svn path=/head/; revision=313815
| |
PR: 211471
Reported by: survo@protonmail.com
Reviewed by: robak@
Approved by: allanjude@
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D7440
Notes:
svn path=/head/; revision=303877
| |
The most recent version of bsdinstall does not seem to respect any of
the checkboxes in the "Choose the services you would like to be started
at boot" dialog. None of the chosen services end up in the rc.conf file
that is installed onto the target system.
This is caused by the bsdinstall/scripts/hardening script, which
implements the new hardening options dialog. The script starts by
overwriting the previously written rc.conf.services file:
    echo -n > $BSDINSTALL_TMPETC/rc.conf.services
which is obviously incorrect. It should clear out rc.conf.hardening
instead.
Reviewed by: allanjude
PR: 211506
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D7387
Notes:
svn path=/head/; revision=303631
|
This patch adds a new 'hardening' file responsible for the new bsdinstall
'System Hardening' menu allowing users to set some sane and carefully
picked system security options (like random process IDs, hiding
other users'/groups' processes and others).
All options are OFF by default in this patch due to the POLA principle,
with the intention to change some of them to ON by default in future.
Reviewed by: adrian, allanjude, bdrewery, nwhitehorn
Approved by: adrian, allanjude
MFC after: 7 days
Notes:
svn path=/head/; revision=302897
|