Index: en_US.ISO8859-1/books/handbook/Makefile
===================================================================
--- en_US.ISO8859-1/books/handbook/Makefile
+++ en_US.ISO8859-1/books/handbook/Makefile
@@ -64,6 +64,7 @@
IMAGES_EN+= bsdinstall/bsdinstall-final-confirmation.png
IMAGES_EN+= bsdinstall/bsdinstall-finalconfiguration.png
IMAGES_EN+= bsdinstall/bsdinstall-final-modification-shell.png
+IMAGES_EN+= bsdinstall/bsdinstall-hardening.png
IMAGES_EN+= bsdinstall/bsdinstall-keymap-10.png
IMAGES_EN+= bsdinstall/bsdinstall-keymap-loading.png
IMAGES_EN+= bsdinstall/bsdinstall-keymap-select-default.png
Index: en_US.ISO8859-1/books/handbook/bsdinstall/chapter.xml
===================================================================
--- en_US.ISO8859-1/books/handbook/bsdinstall/chapter.xml
+++ en_US.ISO8859-1/books/handbook/bsdinstall/chapter.xml
@@ -2308,7 +2308,7 @@
ntpdate - Enable the automatic
clock synchronization at boot time. The functionality of
this program is now available in the ntpd daemon. After a
- suitable period of mourning, the &man.ntpd.8; utility will
+ suitable period of mourning, the &man.ntpdate.8; utility will
be retired.
@@ -2332,7 +2332,113 @@
+
+
+ Enabling Hardening Security Options
+ The next menu is used to configure which security
+ options will be enabled. All of these options are optional.
+ But their use is encouraged.
+
+
+ Selecting Hardening Security Options
+
+
+
+
+
+
+
+
+ Here is a summary of the options which can be enabled in
+ this menu:
+
+
+
+ hide_uids - Hide processes running
+ as other users to prevent the unprivileged users to see
+ other running processes in execution by other users (UID)
+ preventing information leakage.
+
+
+
+ hide_gids - Hide processes running
+ as other groups to prevent the unprivileged users to see
+ other running processes in execution by other groups (GID)
+ preventing information leakage.
+
+
+
+ hide_jail - Hide processes running
+ in jails to prevent the unprivileged users to see
+ processes running inside the jails.
+
+
+
+ read_msgbuf - Disabling reading
+ kernel message buffer for unprivileged users prevent from
+ using &man.dmesg.8; to view messages from the kernel's log
+ buffer.
+
+
+
+ proc_debug - Disabling process
+ debugging facilities for unprivileged users disables
+ a variety of unprivileged inter-process debugging
+ services, including some procfs functionality, ptrace(),
+ and ktrace(). Please note that this will also prevent
+ debugging tools, for instance &man.lldb.1;, &man.truss.1;,
+ &man.procstat.1;, as well as some built-in debugging
+ facilities in certain scripting language like PHP, etc.,
+ from working for unprivileged users.
+
+
+
+ random_pid - Randomize the PID of
+ newly created processes.
+
+
+
+ clear_tmp - Clean
+ /tmp when the system starts
+ up.
+
+
+
+ disable_syslogd - Disable opening
+ syslogd network socket. By
+ default &os; runs syslogd in a
+ secure way with -s. That prevents the
+ daemon from listening for incoming UDP requests
+ at port 514. With this option enabled
+ syslogd will run with the flag
+ -ss which prevents
+ syslogd from opening any port.
+ To get more information consult &man.syslogd.8;.
+
+
+
+ disable_sendmail - Disable the
+ sendmail mail transport agent.
+
+
+
+ secure_console - When this option
+ is enabled, the prompt requests the root password when
+ entering single.
+
+
+
+ disable_ddtrace - &dtrace; can run
+ in a mode that will actually affect the running kernel.
+ Destructive actions may not be used unless they have
+ been explicitly enabled. To enable this option when using
+ &dtrace; use -w. To get more
+ information consult &man.dtrace.1;.
+
+
+
+
Add Users
@@ -2539,6 +2645,11 @@
+ System Hardening - Described in
+ .
+
+
+ Time Zone - Described in .