d/freebsd-dev
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Add hardening menu item for security.bsd.see_jail_proc

Browse Source 
Approved by:		allanjude
Differential Revision:	https://reviews.freebsd.org/D11283
This commit is contained in:
Steve Wills 2017-06-29 16:39:55 +00:00
parent fda0a14f47
commit d8061eff49
Notes: svn2git 2020-12-20 02:59:44 +00:00 
svn path=/head/; revision=320473
1 changed files with 11 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
usr.sbin/bsdinstall/scripts/hardening
View File

@ -38,13 +38,14 @@ FEATURES=$( dialog --backtitle "FreeBSD Installer" \
0 0 0 \
"0 hide_uids" "Hide processes running as other users" ${hide_uids:-off} \
"1 hide_gids" "Hide processes running as other groups" ${hide_gids:-off} \
"2 read_msgbuf" "Disable reading kernel message buffer for unprivileged users" ${read_msgbuf:-off} \
"3 proc_debug" "Disable process debugging facilities for unprivileged users" ${proc_debug:-off} \
"4 random_pid" "Randomize the PID of newly created processes" ${random_pid:-off} \
"5 stack_guard" "Insert stack guard page ahead of the growable segments" ${stack_guard:-off} \
"6 clear_tmp" "Clean the /tmp filesystem on system startup" ${clear_tmp:-off} \
"7 disable_syslogd" "Disable opening Syslogd network socket (disables remote logging)" ${disable_syslogd:-off} \
"8 disable_sendmail" "Disable Sendmail service" ${disable_sendmail:-off} \
"2 hide_jail" "Hide processes running in jails" ${hide_jail:-off} \
"3 read_msgbuf" "Disable reading kernel message buffer for unprivileged users" ${read_msgbuf:-off} \
"4 proc_debug" "Disable process debugging facilities for unprivileged users" ${proc_debug:-off} \
"5 random_pid" "Randomize the PID of newly created processes" ${random_pid:-off} \
"6 stack_guard" "Insert stack guard page ahead of the growable segments" ${stack_guard:-off} \
"7 clear_tmp" "Clean the /tmp filesystem on system startup" ${clear_tmp:-off} \
"8 disable_syslogd" "Disable opening Syslogd network socket (disables remote logging)" ${disable_syslogd:-off} \
"9 disable_sendmail" "Disable Sendmail service" ${disable_sendmail:-off} \
2>&1 1>&3 )
exec 3>&-
@ -55,6 +56,9 @@ for feature in $FEATURES; do
if [ "$feature" = "hide_gids" ]; then
echo security.bsd.see_other_gids=0 >> $BSDINSTALL_TMPETC/sysctl.conf.hardening
fi
if [ "$feature" = "hide_jail" ]; then
echo security.bsd.see_jail_proc=0 >> $BSDINSTALL_TMPETC/sysctl.conf.hardening
fi
if [ "$feature" = "read_msgbuf" ]; then
echo security.bsd.unprivileged_read_msgbuf=0 >> $BSDINSTALL_TMPETC/sysctl.conf.hardening
fi