Date: Mon, 18 Jul 2016 17:43:39 -0700
From: Nathan Whitehorn <nwhitehorn@freebsd.org>
To: Bartek Rutkowski <robak@freebsd.org>, src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: Re: svn commit: r302897 - head/usr.sbin/bsdinstall/scripts
Message-ID: <1d8eded8-cb28-0fe0-341a-99d03e9fc768@freebsd.org>
In-Reply-To: <201607151507.u6FF7OGH090313@repo.freebsd.org>
References: <201607151507.u6FF7OGH090313@repo.freebsd.org>

On 07/15/16 08:07, Bartek Rutkowski wrote: > Author: robak (ports committer) > Date: Fri Jul 15 15:07:24 2016 > New Revision: 302897 > URL: https://svnweb.freebsd.org/changeset/base/302897 > > Log: > Add new System Hardening menu and options to bsdinstall. > > This patch add new 'hardening' file responsible for new bsdinstall > 'System Hardening' menu allowing users to set some sane and carefully > picked system security options (like random process id's, hiding > other users/groups processes and others). > > All options are OFF by default in this patch due to POLA principle > with intention to turn change some of them to ON by default in future. > > Reviewed by: adrian, allanjude, bdrewery, nwhitehorn > Approved by: adrian, allanjude > MFC after: 7 days > Thanks for this! One nit below. > Modified: head/usr.sbin/bsdinstall/scripts/auto > ============================================================================== > --- head/usr.sbin/bsdinstall/scripts/auto Fri Jul 15 13:25:47 2016 (r302896) > +++ head/usr.sbin/bsdinstall/scripts/auto Fri Jul 15 15:07:24 2016 (r302897) > @@ -385,6 +385,7 @@ if [ "$NETCONFIG_DONE" != yes ]; then > fi > bsdinstall time > bsdinstall services > +bsdinstall hardening As discussed in the review, I'd prefer it if this were not here and only the part below (in the final menu) were present in the auto script, in particular for 11.0-RELEASE. This keeps the installer flow and avoids preventing the user with a new menu of optional off-by-default things that you have to get through to finish the installation (Handbook installation is in the same category). Would it be possible to change that? -Nathan > dialog --backtitle "FreeBSD Installer" --title "Add User Accounts" --yesno \ > "Would you like to add users to the installed system now?" 0 0 && \ 
> @@ -401,6 +402,7 @@ finalconfig() { > "Hostname" "Set system hostname" \ > "Network" "Networking configuration" \ > "Services" "Set daemons to run on startup" \ > + "System Hardening" "Set security options" \ > "Time Zone" "Set system timezone" \ > "Handbook" "Install FreeBSD Handbook (requires network)" 2>&1 1>&3) > exec 3>&- > @@ -426,6 +428,10 @@ finalconfig() { > bsdinstall services > finalconfig > ;; > + "System Hardening") > + bsdinstall hardening > + finalconfig > + ;; > "Time Zone") > bsdinstall time > finalconfig >
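Review bot: The unconditional `bsdinstall hardening` call placed after `bsdinstall services` in the `@@ -385,6 +385,7` hunk makes every installation pass through a menu whose options the log describes as all OFF by default. The same step is already reachable from finalconfig() through the "System Hardening" entry added in the later hunks, so consider dropping this call from the main flow, or guarding it, so that an install that skips the menu ends up with the same off-by-default result.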
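Review bot: In the `@@ -426,6 +428,10` hunk, the "System Hardening" arm can run `bsdinstall hardening` a second time after the main flow has already run it in the `@@ -385,6 +385,7` hunk, so the hardening script has to be safe to re-run and should replace its earlier settings rather than append to them. The hardening script itself is not visible in this diff, so please confirm that behaviour, and consider checking the exit status of `bsdinstall hardening` before calling finalconfig again so that a failed or cancelled run is not silently ignored.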