From owner-svn-src-head@freebsd.org Tue Feb 21 14:34:39 2017
Subject: Re: svn commit: r314036 - head/usr.sbin/bsdinstall/scripts
To: Bartek Rutkowski, src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
References: <201702210937.v1L9bY6V093836@repo.freebsd.org>
From: Eric Badger <badger@FreeBSD.org>
Message-ID: <28a4cf5e-2edd-3e30-9ecd-817f886e9ea3@FreeBSD.org>
Date: Tue, 21 Feb 2017 08:34:29 -0600
In-Reply-To: <201702210937.v1L9bY6V093836@repo.freebsd.org>

On 02/21/2017 03:37 AM, Bartek Rutkowski wrote:
> Author: robak (ports committer)
> Date: Tue Feb 21 09:37:33 2017
> New Revision: 314036
> URL: https://svnweb.freebsd.org/changeset/base/314036
>
> Log:
> Enable bsdinstall hardening options by default.
>
> As discussed previously, in order to introduce new OS hardening
> defaults, we've added them to bsdinstall in 'off by default' mode.
> It has been there for a while, so the next step is to change them
> to 'on by default' mode, so that in future we could simply enable
> them in base OS.
>
> Reviewed by: brd
> Approved by: adrian
> Differential Revision: https://reviews.freebsd.org/D9641
>
> Modified:
> head/usr.sbin/bsdinstall/scripts/hardening
>
> Modified: head/usr.sbin/bsdinstall/scripts/hardening
> ==============================================================================
> --- head/usr.sbin/bsdinstall/scripts/hardening Tue Feb 21 09:33:21 2017 (r314035)
> +++ head/usr.sbin/bsdinstall/scripts/hardening Tue Feb 21 09:37:33 2017 (r314036)
> @@ -36,15 +36,15 @@ FEATURES=$( dialog --backtitle "FreeBSD > --title "System Hardening" --nocancel --separate-output \ > --checklist "Choose system security hardening options:" \ > 0 0 0 \ > - "0 hide_uids" "Hide processes running as other users" ${hide_uids:-off} \ > - "1 hide_gids" "Hide processes running as other groups" ${hide_gids:-off} \ > - "2 read_msgbuf" "Disable reading kernel message buffer for unprivileged users" ${read_msgbuf:-off} \ > - "3 proc_debug" "Disable process debugging facilities for unprivileged users" ${proc_debug:-off} \ > - "4 random_pid" "Randomize the PID of newly created processes" ${random_pid:-off} \ > - "5 stack_guard" "Insert stack guard page ahead of the growable segments" ${stack_guard:-off} \ > - "6 clear_tmp" "Clean the /tmp filesystem on system startup" ${clear_tmp:-off} \ > - "7 disable_syslogd" "Disable opening Syslogd network socket (disables remote logging)" ${disable_syslogd:-off} \ > - "8 disable_sendmail" "Disable Sendmail service" ${disable_sendmail:-off} \ > + "0 hide_uids" "Hide processes running as other users" ${hide_uids:-on} \ > + "1 hide_gids" "Hide processes running as other groups" ${hide_gids:-on} \ > + "2 read_msgbuf" "Disable reading kernel message buffer for unprivileged users" ${read_msgbuf:-on} \ > + "3 proc_debug" "Disable process debugging facilities for unprivileged users" ${proc_debug:-on} \ > + "4 random_pid" "Randomize the PID of newly created processes" ${random_pid:-on} \ > + "5 stack_guard" "Insert stack guard page ahead of the growable segments" ${stack_guard:-on} \ > + "6 clear_tmp" "Clean the /tmp filesystem on system startup" ${clear_tmp:-on} \ > + "7 disable_syslogd" "Disable opening Syslogd network socket (disables remote logging)" ${disable_syslogd:-on} \ > + "8 disable_sendmail" "Disable Sendmail service" ${disable_sendmail:-on} \ > 2>&1 1>&3 ) > exec 3>&- > > Hi Bartek, Thanks for working on making it easier to harden FreeBSD. 
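Review bot: flipping all nine `${...:-off}` defaults to `:-on` in a single hunk turns on options whose checklist labels do not state their user-visible consequence, so an installer who accepts the defaults gets behaviour changes the dialog never warned about. The `"3 proc_debug" "Disable process debugging facilities for unprivileged users" ${proc_debug:-on}` item is the clearest case: it stops unprivileged debuggers from working (the reply reports gdb simply hanging on process start), yet only the `disable_syslogd` label follows the pattern of spelling out the impact in parentheses. Suggest giving `proc_debug`, `clear_tmp` and `disable_sendmail` the same treatment in the item text, and splitting the low-impact defaults (`random_pid`, `stack_guard`, `hide_uids`/`hide_gids`) from the workflow-affecting ones into separate commits so each can be discussed, and if needed reverted, on its own.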
While defaulting some of these options to "on" seems pretty harmless (e.g. random_pid), others are likely to cause confusion for new and experienced users alike (e.g. proc_debug. I've never used that option before, so I gave it a try. It simply causes gdb to hang when attempting to start a process, with no obvious indication of why). I think more discussion is merited before they are turned on by default; personally I think they have potential to sour a first impression of FreeBSD by making things people are used to doing on other OSes hard.

Eric