From owner-svn-src-head@freebsd.org  Tue Feb 21 09:37:35 2017
Return-Path: <owner-svn-src-head@freebsd.org>
Delivered-To: svn-src-head@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 6E762CE68F6;
 Tue, 21 Feb 2017 09:37:35 +0000 (UTC)
 (envelope-from robak@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org
 [IPv6:2610:1c1:1:6068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 207D8F73;
 Tue, 21 Feb 2017 09:37:35 +0000 (UTC)
 (envelope-from robak@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.37])
 by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id v1L9bYeZ093837;
 Tue, 21 Feb 2017 09:37:34 GMT (envelope-from robak@FreeBSD.org)
Received: (from robak@localhost)
 by repo.freebsd.org (8.15.2/8.15.2/Submit) id v1L9bY6V093836;
 Tue, 21 Feb 2017 09:37:34 GMT (envelope-from robak@FreeBSD.org)
Message-Id: <201702210937.v1L9bY6V093836@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: robak set sender to
 robak@FreeBSD.org using -f
From: Bartek Rutkowski <robak@FreeBSD.org>
Date: Tue, 21 Feb 2017 09:37:34 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
 svn-src-head@freebsd.org
Subject: svn commit: r314036 - head/usr.sbin/bsdinstall/scripts
X-SVN-Group: head
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-head@freebsd.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: SVN commit messages for the src tree for head/-current
 <svn-src-head.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/svn-src-head>,
 <mailto:svn-src-head-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-head/>
List-Post: <mailto:svn-src-head@freebsd.org>
List-Help: <mailto:svn-src-head-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/svn-src-head>,
 <mailto:svn-src-head-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Feb 2017 09:37:35 -0000

Author: robak (ports committer)
Date: Tue Feb 21 09:37:33 2017
New Revision: 314036
URL: https://svnweb.freebsd.org/changeset/base/314036

Log:
  Enable bsdinstall hardening options by default.
  
  As discussed previously, in order to introduce new OS hardening
  defaults, we've added them to bsdinstall in 'off by default' mode.
  It has been there for a while, so the next step is to change them
  to 'on by defaul' mode, so that in future we could simply enable
  them in base OS.
  
  Reviewed by:	brd
  Approved by:	adrian
  Differential Revision:	https://reviews.freebsd.org/D9641

Modified:
  head/usr.sbin/bsdinstall/scripts/hardening

Modified: head/usr.sbin/bsdinstall/scripts/hardening
==============================================================================
--- head/usr.sbin/bsdinstall/scripts/hardening	Tue Feb 21 09:33:21 2017	(r314035)
+++ head/usr.sbin/bsdinstall/scripts/hardening	Tue Feb 21 09:37:33 2017	(r314036)
@@ -36,15 +36,15 @@ FEATURES=$( dialog --backtitle "FreeBSD 
     --title "System Hardening" --nocancel --separate-output \
     --checklist "Choose system security hardening options:" \
     0 0 0 \
-	"0 hide_uids" "Hide processes running as other users" ${hide_uids:-off} \
-	"1 hide_gids" "Hide processes running as other groups" ${hide_gids:-off} \
-	"2 read_msgbuf" "Disable reading kernel message buffer for unprivileged users" ${read_msgbuf:-off} \
-	"3 proc_debug" "Disable process debugging facilities for unprivileged users" ${proc_debug:-off} \
-	"4 random_pid" "Randomize the PID of newly created processes" ${random_pid:-off} \
-	"5 stack_guard" "Insert stack guard page ahead of the growable segments" ${stack_guard:-off} \
-	"6 clear_tmp" "Clean the /tmp filesystem on system startup" ${clear_tmp:-off} \
-	"7 disable_syslogd" "Disable opening Syslogd network socket (disables remote logging)" ${disable_syslogd:-off} \
-	"8 disable_sendmail" "Disable Sendmail service" ${disable_sendmail:-off} \
+	"0 hide_uids" "Hide processes running as other users" ${hide_uids:-on} \
+	"1 hide_gids" "Hide processes running as other groups" ${hide_gids:-on} \
+	"2 read_msgbuf" "Disable reading kernel message buffer for unprivileged users" ${read_msgbuf:-on} \
+	"3 proc_debug" "Disable process debugging facilities for unprivileged users" ${proc_debug:-on} \
+	"4 random_pid" "Randomize the PID of newly created processes" ${random_pid:-on} \
+	"5 stack_guard" "Insert stack guard page ahead of the growable segments" ${stack_guard:-on} \
+	"6 clear_tmp" "Clean the /tmp filesystem on system startup" ${clear_tmp:-on} \
+	"7 disable_syslogd" "Disable opening Syslogd network socket (disables remote logging)" ${disable_syslogd:-on} \
+	"8 disable_sendmail" "Disable Sendmail service" ${disable_sendmail:-on} \
 2>&1 1>&3 )
 exec 3>&-