Date: Sun, 8 Mar 2020 10:39:31 +0000 (UTC) From: Sergio Carlavilla Delgado <carlavilla@FreeBSD.org> To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org Subject: svn commit: r53958 - in head: en_US.ISO8859-1/books/handbook en_US.ISO8859-1/books/handbook/bsdinstall share/images/books/handbook/bsdinstall Message-ID: <202003081039.028AdVem023976@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: carlavilla Date: Sun Mar 8 10:39:30 2020 New Revision: 53958 URL: https://svnweb.freebsd.org/changeset/doc/53958 Log: Add the hardening section to the handbook Submitted by: carlavilla@ Approved by: bcr@ Differential Revision: https://reviews.freebsd.org/D23996 Added: head/share/images/books/handbook/bsdinstall/bsdinstall-hardening.png (contents, props changed) Modified: head/en_US.ISO8859-1/books/handbook/Makefile head/en_US.ISO8859-1/books/handbook/bsdinstall/chapter.xml head/share/images/books/handbook/bsdinstall/bsdinstall-finalconfiguration.png Modified: head/en_US.ISO8859-1/books/handbook/Makefile ============================================================================== --- head/en_US.ISO8859-1/books/handbook/Makefile Sat Mar 7 20:37:19 2020 (r53957) +++ head/en_US.ISO8859-1/books/handbook/Makefile Sun Mar 8 10:39:30 2020 (r53958) @@ -64,6 +64,7 @@ IMAGES_EN+= bsdinstall/bsdinstall-distfile-verifying.p IMAGES_EN+= bsdinstall/bsdinstall-final-confirmation.png IMAGES_EN+= bsdinstall/bsdinstall-finalconfiguration.png IMAGES_EN+= bsdinstall/bsdinstall-final-modification-shell.png +IMAGES_EN+= bsdinstall/bsdinstall-hardening.png IMAGES_EN+= bsdinstall/bsdinstall-keymap-10.png IMAGES_EN+= bsdinstall/bsdinstall-keymap-loading.png IMAGES_EN+= bsdinstall/bsdinstall-keymap-select-default.png Modified: head/en_US.ISO8859-1/books/handbook/bsdinstall/chapter.xml ============================================================================== --- head/en_US.ISO8859-1/books/handbook/bsdinstall/chapter.xml Sat Mar 7 20:37:19 2020 (r53957) +++ head/en_US.ISO8859-1/books/handbook/bsdinstall/chapter.xml Sun Mar 8 10:39:30 2020 (r53958) @@ -939,7 +939,7 @@ Ethernet address 0:3:ba:b:92:d4, Host ID: 830b92d4.</s </mediaobject> </figure> - <para>After the keymaps have been loaded <application>bsdinstall</application> displays the + <para>After the keymaps have been loaded bsdinstall displays the menu shown in <xref linkend="bsdinstall-keymap-10"/>. Use the up and down arrows to select the keymap that most closely represents the mapping of the keyboard attached to the system. @@ -2308,7 +2308,7 @@ Ethernet address 0:3:ba:b:92:d4, Host ID: 830b92d4.</s <para><literal>ntpdate</literal> - Enable the automatic clock synchronization at boot time. The functionality of this program is now available in the ntpd daemon. After a - suitable period of mourning, the &man.ntpd.8; utility will + suitable period of mourning, the &man.ntpdate.8; utility will be retired.</para> </listitem> @@ -2332,7 +2332,113 @@ Ethernet address 0:3:ba:b:92:d4, Host ID: 830b92d4.</s </listitem> </itemizedlist> </sect2> + + <sect2 xml:id="bsdinstall-hardening"> + <title>Enabling Hardening Security Options</title> + <para>The next menu is used to configure which security + options will be enabled. All of these options are optional. + But their use is encouraged.</para> + + <figure xml:id="bsdinstall-hardening-options"> + <title>Selecting Hardening Security Options</title> + + <mediaobject> + <imageobject> + <imagedata fileref="bsdinstall/bsdinstall-hardening"/> + </imageobject> + </mediaobject> + </figure> + + <para>Here is a summary of the options which can be enabled in + this menu:</para> + + <itemizedlist> + <listitem> + <para><literal>hide_uids</literal> - Hide processes running + as other users to prevent the unprivileged users to see + other running processes in execution by other users (UID) + preventing information leakage.</para> + </listitem> + + <listitem> + <para><literal>hide_gids</literal> - Hide processes running + as other groups to prevent the unprivileged users to see + other running processes in execution by other groups (GID) + preventing information leakage.</para> + </listitem> + + <listitem> + <para><literal>hide_jail</literal> - Hide processes running + in jails to prevent the unprivileged users to see + processes running inside the jails.</para> + </listitem> + + <listitem> + <para><literal>read_msgbuf</literal> - Disabling reading + kernel message buffer for unprivileged users prevent from + using &man.dmesg.8; to view messages from the kernel's log + buffer.</para> + </listitem> + + <listitem> + <para><literal>proc_debug</literal> - Disabling process + debugging facilities for unprivileged users disables + a variety of unprivileged inter-process debugging + services, including some procfs functionality, ptrace(), + and ktrace(). Please note that this will also prevent + debugging tools, for instance &man.lldb.1;, &man.truss.1;, + &man.procstat.1;, as well as some built-in debugging + facilities in certain scripting language like PHP, etc., + from working for unprivileged users.</para> + </listitem> + + <listitem> + <para><literal>random_pid</literal> - Randomize the PID of + newly created processes.</para> + </listitem> + + <listitem> + <para><literal>clear_tmp</literal> - Clean + <filename>/tmp</filename> when the system starts + up.</para> + </listitem> + + <listitem> + <para><literal>disable_syslogd</literal> - Disable opening + <application>syslogd</application> network socket. By + default &os; runs <application>syslogd</application> in a + secure way with <command>-s</command>. That prevents the + daemon from listening for incoming UDP requests + at port 514. With this option enabled + <application>syslogd</application> will run with the flag + <command>-ss</command> which prevents + <application>syslogd</application> from opening any port. + To get more information consult &man.syslogd.8;.</para> + </listitem> + + <listitem> + <para><literal>disable_sendmail</literal> - Disable the + sendmail mail transport agent.</para> + </listitem> + + <listitem> + <para><literal>secure_console</literal> - When this option + is enabled, the prompt requests the root password when + entering single.</para> + </listitem> + + <listitem> + <para><literal>disable_ddtrace</literal> - &dtrace; can run + in a mode that will actually affect the running kernel. + Destructive actions may not be used unless they have + been explicitly enabled. To enable this option when using + &dtrace; use <command>-w</command>. To get more + information consult &man.dtrace.1;.</para> + </listitem> + </itemizedlist> + </sect2> + <sect2 xml:id="bsdinstall-addusers"> <title>Add Users</title> @@ -2536,6 +2642,11 @@ Ethernet address 0:3:ba:b:92:d4, Host ID: 830b92d4.</s <listitem> <para><literal>Services</literal> - Described in <xref linkend="bsdinstall-sysconf"/>.</para> + </listitem> + + <listitem> + <para><literal>System Hardening</literal> - Described in + <xref linkend="bsdinstall-hardening"/>.</para> </listitem> <listitem> Modified: head/share/images/books/handbook/bsdinstall/bsdinstall-finalconfiguration.png ============================================================================== Binary file (source and/or target). No diff available. Added: head/share/images/books/handbook/bsdinstall/bsdinstall-hardening.png ============================================================================== Binary file. No diff available.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202003081039.028AdVem023976>