From owner-svn-src-head@freebsd.org Wed Jul 5 13:37:28 2017
Return-Path:
Delivered-To: svn-src-head@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id CF063DAB64A; Wed, 5 Jul 2017 13:37:28 +0000 (UTC) (envelope-from robak@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id A85A880E4C; Wed, 5 Jul 2017 13:37:28 +0000 (UTC) (envelope-from robak@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id v65DbRI3019180; Wed, 5 Jul 2017 13:37:27 GMT (envelope-from robak@FreeBSD.org)
Received: (from robak@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id v65DbRD2019178; Wed, 5 Jul 2017 13:37:27 GMT (envelope-from robak@FreeBSD.org)
Message-Id: <201707051337.v65DbRD2019178@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: robak set sender to robak@FreeBSD.org using -f
From: Bartek Rutkowski
Date: Wed, 5 Jul 2017 13:37:27 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r320674 - head/usr.sbin/bsdinstall/scripts
X-SVN-Group: head
X-SVN-Commit-Author: robak
X-SVN-Commit-Paths: head/usr.sbin/bsdinstall/scripts
X-SVN-Commit-Revision: 320674
X-SVN-Commit-Repository: base
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-head@freebsd.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: SVN commit messages for the src tree for head/-current
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 05 Jul 2017 13:37:28 -0000

Author: robak (ports committer)
Date: Wed Jul  5 13:37:27 2017
New Revision: 320674

URL: https://svnweb.freebsd.org/changeset/base/320674

Log:
  Add option to bsdinstall to disable insecure console, update stack guard option

  This patch adds a new bsdinstall option to the hardening section that
  allows users to change this behaviour to a secure one, and updates the
  stack guard option so it sets the value of the relevant sysctl to
  512 (2MB).

  Submitted by:	Bartek Rutkowski
  Reviewed by:	adrian, bapt, emaste
  Approved by:	bapt, emaste
  MFC after:	1 day
  Sponsored by:	Pixeware LTD
  Differential Revision:	https://reviews.freebsd.org/D9700

Modified:
  head/usr.sbin/bsdinstall/scripts/config
  head/usr.sbin/bsdinstall/scripts/hardening

Modified: head/usr.sbin/bsdinstall/scripts/config
==============================================================================
--- head/usr.sbin/bsdinstall/scripts/config	Wed Jul  5 13:13:38 2017	(r320673)
+++ head/usr.sbin/bsdinstall/scripts/config	Wed Jul  5 13:37:27 2017	(r320674)
@@ -35,6 +35,11 @@ rm $BSDINSTALL_TMPETC/rc.conf.* cat $BSDINSTALL_CHROOT/etc/sysctl.conf $BSDINSTALL_TMPETC/sysctl.conf.* >> $BSDINSTALL_TMPETC/sysctl.conf rm $BSDINSTALL_TMPETC/sysctl.conf.* +if [ -f $BSDINSTALL_TMPTEC/ttys.hardening ]; then + cat $BSDINSTALL_TMPTEC/ttys.hardening > $BSDINSTALL_TMPTEC/ttys + rm $BSDINSTALL_TMPTEC/ttys.hardening +fi + cp $BSDINSTALL_TMPETC/* $BSDINSTALL_CHROOT/etc cat $BSDINSTALL_TMPBOOT/loader.conf.* >> $BSDINSTALL_TMPBOOT/loader.conf Modified: head/usr.sbin/bsdinstall/scripts/hardening ============================================================================== --- head/usr.sbin/bsdinstall/scripts/hardening Wed Jul 5 13:13:38 2017 (r320673) +++ head/usr.sbin/bsdinstall/scripts/hardening Wed Jul 5 13:37:27 2017 (r320674) @@ -42,10 +42,11 @@ FEATURES=$( dialog --backtitle "FreeBSD Installer" \ "3 read_msgbuf" "Disable reading kernel message buffer for unprivileged users" ${read_msgbuf:-off} \ "4 proc_debug" "Disable process debugging facilities for unprivileged users" ${proc_debug:-off} \ "5 random_pid" "Randomize the PID of newly created processes" ${random_pid:-off} \ - "6 stack_guard" "Insert stack guard page ahead of the growable segments" ${stack_guard:-off} \ + "6 stack_guard" "Set stack guard buffer size to 2MB" ${stack_guard:-off} \ "7 clear_tmp" "Clean the /tmp filesystem on system startup" ${clear_tmp:-off} \ "8 disable_syslogd" "Disable opening Syslogd network socket (disables remote logging)" ${disable_syslogd:-off} \ "9 disable_sendmail" "Disable Sendmail service" ${disable_sendmail:-off} \ + "9 secure_console" "Enable console password prompt" ${secure_console:-off} \ 2>&1 1>&3 ) exec 3>&- 
@@ -69,7 +70,7 @@ for feature in $FEATURES; do echo kern.randompid=$(jot -r 1 9999) >> $BSDINSTALL_TMPETC/sysctl.conf.hardening fi if [ "$feature" = "stack_guard" ]; then - echo security.bsd.stack_guard_page=1 >> $BSDINSTALL_TMPETC/sysctl.conf.hardening + echo security.bsd.stack_guard_page=512 >> $BSDINSTALL_TMPETC/sysctl.conf.hardening fi if [ "$feature" = "clear_tmp" ]; then echo 'clear_tmp_enable="YES"' >> $BSDINSTALL_TMPETC/rc.conf.hardening @@ -79,6 +80,9 @@ for feature in $FEATURES; do fi if [ "$feature" = "disable_sendmail" ]; then echo 'sendmail_enable="NONE"' >> $BSDINSTALL_TMPETC/rc.conf.hardening + fi + if [ "$feature" = "secure_console" ]; then + sed "s/unknown off secure/unknown off insecure/g" $BSDINSTALL_CHROOT/etc/ttys > $BSDINSTALL_TMPETC/ttys.hardening fi done
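Review bot: the new block in scripts/config tests and writes `$BSDINSTALL_TMPTEC`, but the variable used on every other line of that file is `$BSDINSTALL_TMPETC`; with the misspelled name unset the shell expands the test to `[ -f /ttys.hardening ]`, which is never true, so a secure_console selection is silently dropped and the chroot keeps its original /etc/ttys. Replace all three occurrences with `$BSDINSTALL_TMPETC`, and consider `mv "$BSDINSTALL_TMPETC/ttys.hardening" "$BSDINSTALL_TMPETC/ttys"` instead of the cat/rm pair so the file lands in the same directory the following `cp $BSDINSTALL_TMPETC/* $BSDINSTALL_CHROOT/etc` installs from.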
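Review bot: the new checklist entry reuses tag number `9`, which `disable_sendmail` on the line above already has; the loop in this script splits `$FEATURES` on whitespace and only matches the word after the number, so nothing breaks, but the menu now shows two items numbered 9 and the next addition will copy the mistake. Number it `"10 secure_console"`. In the same hunk, "Enable console password prompt" describes the effect (init asks for the root password before entering single-user mode once the console is marked insecure), which is clearer than the feature name; keep that wording.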
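Review bot: `security.bsd.stack_guard_page` counts pages, as its name says, so `512` is 2MB only where the page size is 4 KiB; the new menu label "Set stack guard buffer size to 2MB" and the commit message both state the byte figure as if it were fixed. Either label the option in pages ("512-page stack guard") or note the 4 KiB assumption in the log so nobody later "fixes" the number to match a different page size.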
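Review bot: the secure_console branch redirects sed output into `$BSDINSTALL_TMPETC/ttys.hardening` unconditionally, and scripts/config later replaces /etc/ttys with that file, so if `$BSDINSTALL_CHROOT/etc/ttys` is missing or unreadable when hardening runs the installed system gets an empty ttys and no getty on any terminal. Only write the file when the input exists, or remove it on failure, e.g. `sed ... > "$BSDINSTALL_TMPETC/ttys.hardening" || rm -f "$BSDINSTALL_TMPETC/ttys.hardening"`. The substitution also depends on the exact separators in `unknown off secure`, while /etc/ttys separates fields with tabs that survive neither mail nor copy-paste reliably; anchoring on the first field, `/^console[[:space:]]/s/secure$/insecure/`, is robust to that, and the `g` flag is unnecessary for a single field on a single line.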