From 82ec242f2e5538faaed8fba1ed74babee8d1aa83 Mon Sep 17 00:00:00 2001
From: Bartek Rutkowski
Date: Wed, 5 Jul 2017 13:37:27 +0000
Subject: [PATCH] Add option to bsdinstall to disable insecure console, update stack guard option

This patch adds new bsdinstall option to hardening section that allows users to change this behaviour to secure one and updates stack guard option so it would set the value of relevant sysctl to 512 (2MB)

Submitted by: Bartek Rutkowski
Reviewed by: adrian, bapt, emaste
Approved by: bapt, emaste
MFC after: 1 day
Sponsored by: Pixeware LTD
Differential Revision: https://reviews.freebsd.org/D9700
---
 usr.sbin/bsdinstall/scripts/config | 5 +++++
 usr.sbin/bsdinstall/scripts/hardening | 8 ++++++--
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/usr.sbin/bsdinstall/scripts/config b/usr.sbin/bsdinstall/scripts/config
index e93e0aec276e..6a5bbfb39b58 100755
--- a/usr.sbin/bsdinstall/scripts/config
+++ b/usr.sbin/bsdinstall/scripts/config
@@ -35,6 +35,11 @@ rm $BSDINSTALL_TMPETC/rc.conf.*
 cat $BSDINSTALL_CHROOT/etc/sysctl.conf $BSDINSTALL_TMPETC/sysctl.conf.* >> $BSDINSTALL_TMPETC/sysctl.conf
 rm $BSDINSTALL_TMPETC/sysctl.conf.*
 
+if [ -f $BSDINSTALL_TMPTEC/ttys.hardening ]; then
+ cat $BSDINSTALL_TMPTEC/ttys.hardening > $BSDINSTALL_TMPTEC/ttys
+ rm $BSDINSTALL_TMPTEC/ttys.hardening
+fi
+
 cp $BSDINSTALL_TMPETC/* $BSDINSTALL_CHROOT/etc
 
 cat $BSDINSTALL_TMPBOOT/loader.conf.* >> $BSDINSTALL_TMPBOOT/loader.conf
diff --git a/usr.sbin/bsdinstall/scripts/hardening b/usr.sbin/bsdinstall/scripts/hardening
index 2d7566dad48e..93a0f3c5d5f1 100755
--- a/usr.sbin/bsdinstall/scripts/hardening
+++ b/usr.sbin/bsdinstall/scripts/hardening
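Review bot: The new block in config reads `$BSDINSTALL_TMPTEC` (three times) where every other line of this file uses `$BSDINSTALL_TMPETC`, so unless something outside the hunk defines the misspelled name the test degrades to `[ -f /ttys.hardening ]`, the `if` never fires, and the ttys file generated by the hardening script is silently left out of the `cp $BSDINSTALL_TMPETC/* $BSDINSTALL_CHROOT/etc` that follows. The result is that a user who ticked the new option installs a system that does not get the single-user root-password prompt they asked for, and nothing reports it (the script would only abort on the unset variable under `set -u`, which these lines do not show). The three lines should read `if [ -f "$BSDINSTALL_TMPETC/ttys.hardening" ]; then`, `cat "$BSDINSTALL_TMPETC/ttys.hardening" > "$BSDINSTALL_TMPETC/ttys"`, `rm "$BSDINSTALL_TMPETC/ttys.hardening"`; a single `mv` of the one file onto the other would do the same job in one line.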
@@ -42,10 +42,11 @@ FEATURES=$( dialog --backtitle "FreeBSD Installer" \
 "3 read_msgbuf" "Disable reading kernel message buffer for unprivileged users" ${read_msgbuf:-off} \
 "4 proc_debug" "Disable process debugging facilities for unprivileged users" ${proc_debug:-off} \
 "5 random_pid" "Randomize the PID of newly created processes" ${random_pid:-off} \
- "6 stack_guard" "Insert stack guard page ahead of the growable segments" ${stack_guard:-off} \
+ "6 stack_guard" "Set stack guard buffer size to 2MB" ${stack_guard:-off} \
 "7 clear_tmp" "Clean the /tmp filesystem on system startup" ${clear_tmp:-off} \
 "8 disable_syslogd" "Disable opening Syslogd network socket (disables remote logging)" ${disable_syslogd:-off} \
 "9 disable_sendmail" "Disable Sendmail service" ${disable_sendmail:-off} \
+ "9 secure_console" "Enable console password prompt" ${secure_console:-off} \
 2>&1 1>&3 )
 exec 3>&-
 
@@ -69,7 +70,7 @@ for feature in $FEATURES; do
 echo kern.randompid=$(jot -r 1 9999) >> $BSDINSTALL_TMPETC/sysctl.conf.hardening
 fi
 if [ "$feature" = "stack_guard" ]; then
- echo security.bsd.stack_guard_page=1 >> $BSDINSTALL_TMPETC/sysctl.conf.hardening
+ echo security.bsd.stack_guard_page=512 >> $BSDINSTALL_TMPETC/sysctl.conf.hardening
 fi
 if [ "$feature" = "clear_tmp" ]; then
 echo 'clear_tmp_enable="YES"' >> $BSDINSTALL_TMPETC/rc.conf.hardening
@@ -80,5 +81,8 @@ for feature in $FEATURES; do
 if [ "$feature" = "disable_sendmail" ]; then
 echo 'sendmail_enable="NONE"' >> $BSDINSTALL_TMPETC/rc.conf.hardening
 fi
+ if [ "$feature" = "secure_console" ]; then
+ sed "s/unknown off secure/unknown off insecure/g" $BSDINSTALL_CHROOT/etc/ttys > $BSDINSTALL_TMPETC/ttys.hardening
+ fi
 done
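Review bot: The new checklist entry reuses tag number 9 (`"9 secure_console"` directly after `"9 disable_sendmail"`), so the menu shows two items numbered 9; the loop below only matches on the second word of each tag, so selection still works, but it should be `"10 secure_console"` to keep the numbering consistent. The description "Enable console password prompt" also hides what the option really does: the hunk further down rewrites the console entry in /etc/ttys, and init asks for the root password on entry to single-user mode only when that entry is marked insecure (the stock ttys header comment says as much, as far as I recall — worth confirming), so a line such as `"10 secure_console" "Require root password for single-user mode (mark console insecure in /etc/ttys)" ${secure_console:-off} \` tells the user what they are turning on. The "2MB" in the reworded stack_guard item presumes 4 KiB pages, since the sysctl written below takes a page count; "512 guard pages (2MB with 4K pages)" would be more accurate. The `dialog` call this list belongs to starts before the hunk.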
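Review bot: The sed expression `s/unknown off secure/unknown off insecure/g` only matches if the console line of `$BSDINSTALL_CHROOT/etc/ttys` separates those fields with single spaces; in the base system those columns are, as far as I recall, tab-separated, in which case nothing is substituted, the unchanged file is still written to `ttys.hardening`, and the option silently has no effect — the one failure mode a hardening option must not have. The pattern is also unanchored and global, so it would rewrite any other line carrying that text rather than only the `console` entry. Match the columns with `[[:space:]]+` and anchor on the entry name: `sed -E 's/^(console[[:space:]]+none[[:space:]]+unknown[[:space:]]+off[[:space:]]+)secure/\1insecure/' "$BSDINSTALL_CHROOT/etc/ttys" > "$BSDINSTALL_TMPETC/ttys.hardening"`, and follow it with `grep -q '^console.*insecure' "$BSDINSTALL_TMPETC/ttys.hardening" || echo "secure_console: console entry not found in /etc/ttys" >&2` so a non-match is at least reported. The `for feature` loop this sits in begins before the hunk.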