From owner-svn-doc-all@freebsd.org Sun Mar 8 10:39:32 2020 Return-Path: Delivered-To: svn-doc-all@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 8CCFB26538B; Sun, 8 Mar 2020 10:39:32 +0000 (UTC) (envelope-from carlavilla@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 48ZyXM5nfqz4fpy; Sun, 8 Mar 2020 10:39:31 +0000 (UTC) (envelope-from carlavilla@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id A4AD420853; Sun, 8 Mar 2020 10:39:31 +0000 (UTC) (envelope-from carlavilla@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id 028AdVgT023977; Sun, 8 Mar 2020 10:39:31 GMT (envelope-from carlavilla@FreeBSD.org) Received: (from carlavilla@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id 028AdVem023976; Sun, 8 Mar 2020 10:39:31 GMT (envelope-from carlavilla@FreeBSD.org) Message-Id: <202003081039.028AdVem023976@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: carlavilla set sender to carlavilla@FreeBSD.org using -f 
From: Sergio Carlavilla Delgado Date: Sun, 8 Mar 2020 10:39:31 +0000 (UTC) To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org Subject: svn commit: r53958 - in head: en_US.ISO8859-1/books/handbook en_US.ISO8859-1/books/handbook/bsdinstall share/images/books/handbook/bsdinstall X-SVN-Group: doc-head X-SVN-Commit-Author: carlavilla X-SVN-Commit-Paths: in head: en_US.ISO8859-1/books/handbook en_US.ISO8859-1/books/handbook/bsdinstall share/images/books/handbook/bsdinstall X-SVN-Commit-Revision: 53958 X-SVN-Commit-Repository: doc MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-doc-all@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "SVN commit messages for the entire doc trees \(except for " user" , " projects" , and " translations" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 08 Mar 2020 10:39:32 -0000 Author: carlavilla Date: Sun Mar 8 10:39:30 2020 New Revision: 53958 URL: https://svnweb.freebsd.org/changeset/doc/53958 Log: Add the hardening section to the handbook Submitted by: carlavilla@ Approved by: bcr@ Differential Revision: https://reviews.freebsd.org/D23996 Added: head/share/images/books/handbook/bsdinstall/bsdinstall-hardening.png (contents, props changed) Modified: head/en_US.ISO8859-1/books/handbook/Makefile head/en_US.ISO8859-1/books/handbook/bsdinstall/chapter.xml head/share/images/books/handbook/bsdinstall/bsdinstall-finalconfiguration.png Modified: head/en_US.ISO8859-1/books/handbook/Makefile ============================================================================== --- head/en_US.ISO8859-1/books/handbook/Makefile Sat Mar 7 20:37:19 2020 (r53957) +++ head/en_US.ISO8859-1/books/handbook/Makefile Sun Mar 8 10:39:30 2020 (r53958) 
@@ -64,6 +64,7 @@ IMAGES_EN+= bsdinstall/bsdinstall-distfile-verifying.p IMAGES_EN+= bsdinstall/bsdinstall-final-confirmation.png IMAGES_EN+= bsdinstall/bsdinstall-finalconfiguration.png IMAGES_EN+= bsdinstall/bsdinstall-final-modification-shell.png +IMAGES_EN+= bsdinstall/bsdinstall-hardening.png IMAGES_EN+= bsdinstall/bsdinstall-keymap-10.png IMAGES_EN+= bsdinstall/bsdinstall-keymap-loading.png IMAGES_EN+= bsdinstall/bsdinstall-keymap-select-default.png Modified: head/en_US.ISO8859-1/books/handbook/bsdinstall/chapter.xml ============================================================================== --- head/en_US.ISO8859-1/books/handbook/bsdinstall/chapter.xml Sat Mar 7 20:37:19 2020 (r53957) +++ head/en_US.ISO8859-1/books/handbook/bsdinstall/chapter.xml Sun Mar 8 10:39:30 2020 (r53958) @@ -939,7 +939,7 @@ Ethernet address 0:3:ba:b:92:d4, Host ID: 830b92d4. - After the keymaps have been loaded bsdinstall displays the + After the keymaps have been loaded bsdinstall displays the menu shown in . Use the up and down arrows to select the keymap that most closely represents the mapping of the keyboard attached to the system. @@ -2308,7 +2308,7 @@ Ethernet address 0:3:ba:b:92:d4, Host ID: 830b92d4.ntpdate - Enable the automatic clock synchronization at boot time. The functionality of this program is now available in the ntpd daemon. After a - suitable period of mourning, the &man.ntpd.8; utility will + suitable period of mourning, the &man.ntpdate.8; utility will be retired. @@ -2332,7 +2332,113 @@ Ethernet address 0:3:ba:b:92:d4, Host ID: 830b92d4. + + + Enabling Hardening Security Options + The next menu is used to configure which security + options will be enabled. All of these options are optional. + But their use is encouraged. + +
+ Selecting Hardening Security Options + + + + + + +
+ + Here is a summary of the options which can be enabled in + this menu: + + + + hide_uids - Hide processes running + as other users to prevent the unprivileged users to see + other running processes in execution by other users (UID) + preventing information leakage. + + + + hide_gids - Hide processes running + as other groups to prevent the unprivileged users to see + other running processes in execution by other groups (GID) + preventing information leakage. + + + + hide_jail - Hide processes running + in jails to prevent the unprivileged users to see + processes running inside the jails. + + + + read_msgbuf - Disabling reading + kernel message buffer for unprivileged users prevent from + using &man.dmesg.8; to view messages from the kernel's log + buffer. + + + + proc_debug - Disabling process + debugging facilities for unprivileged users disables + a variety of unprivileged inter-process debugging + services, including some procfs functionality, ptrace(), + and ktrace(). Please note that this will also prevent + debugging tools, for instance &man.lldb.1;, &man.truss.1;, + &man.procstat.1;, as well as some built-in debugging + facilities in certain scripting language like PHP, etc., + from working for unprivileged users. + + + + random_pid - Randomize the PID of + newly created processes. + + + + clear_tmp - Clean + /tmp when the system starts + up. + + + + disable_syslogd - Disable opening + syslogd network socket. By + default &os; runs syslogd in a + secure way with -s. That prevents the + daemon from listening for incoming UDP requests + at port 514. With this option enabled + syslogd will run with the flag + -ss which prevents + syslogd from opening any port. + To get more information consult &man.syslogd.8;. + + + + disable_sendmail - Disable the + sendmail mail transport agent. + + + + secure_console - When this option + is enabled, the prompt requests the root password when + entering single. 
+ + + + disable_ddtrace - &dtrace; can run + in a mode that will actually affect the running kernel. + Destructive actions may not be used unless they have + been explicitly enabled. To enable this option when using + &dtrace; use -w. To get more + information consult &man.dtrace.1;. + + +
+ Add Users @@ -2536,6 +2642,11 @@ Ethernet address 0:3:ba:b:92:d4, Host ID: 830b92d4. Services - Described in . + + + + System Hardening - Described in + . Modified: head/share/images/books/handbook/bsdinstall/bsdinstall-finalconfiguration.png ============================================================================== Binary file (source and/or target). No diff available. Added: head/share/images/books/handbook/bsdinstall/bsdinstall-hardening.png ============================================================================== Binary file. No diff available.
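Review bot: in the @@ -939,7 +939,7 @@ hunk the removed and added lines read identically ("After the keymaps have been loaded bsdinstall displays the"), so the change is whitespace or markup that is not visible in this rendering, and it is unrelated to the hardening section named in the log message; either keep it out of this commit or mention it in the log so the change is on record.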
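Review bot: the @@ -2308,7 +2308,7 @@ hunk is a correct fix, since the sentence about retirement refers to &man.ntpdate.8; and not to &man.ntpd.8;, the daemon that replaces it; like the keymap hunk, though, it is unrelated to the hardening section and deserves its own line in the log message (for example "Also fix the ntpdate man page reference").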
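Review bot: in the @@ -2332,7 +2332,113 @@ hunk the secure_console entry ends mid-sentence ("requests the root password when entering single."), so the mode being entered is missing and the sentence must be finished before commit. The opening paragraph should read "All of these options are optional, but their use is encouraged." rather than a fragment beginning with "But". Several entries need grammar fixes: in hide_uids, hide_gids and hide_jail, "prevent the unprivileged users to see" should be "prevent unprivileged users from seeing"; in read_msgbuf, "prevent from using &man.dmesg.8;" should be "prevents them from using &man.dmesg.8;"; in proc_debug, "certain scripting language like PHP" should be "certain scripting languages such as PHP". The disable_ddtrace entry never states what the installer option does (its name says it disables destructive &dtrace;) and its closing sentences can be read as if -w enables this hardening option, whereas -w is the &man.dtrace.1; flag that requests destructive actions; reword it to say the option disallows destructive actions and that -w is what a privileged user passes to dtrace to request them. random_pid and clear_tmp are the only entries with no stated reason; one clause each (predictable PIDs, files left over in /tmp from the previous boot) would bring them to the level of the other entries. The figure titled "Selecting Hardening Security Options" shows no image reference in this rendering; verify it references bsdinstall/bsdinstall-hardening.png, the file added in the Makefile hunk.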
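Review bot: in the @@ -2536,6 +2642,11 @@ hunk the new "System Hardening - Described in ." item shows an empty cross-reference target here (the existing "Services - Described in ." line shows the same), so the xref element is presumably lost in the mail rendering; confirm it points at the id of the new hardening section so the link resolves, and that the item's position in this list matches the updated bsdinstall-finalconfiguration.png screenshot committed alongside it.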