diff --git a/scripts/hardening b/scripts/hardening
--- a/scripts/hardening
+++ b/scripts/hardening
@@ -32,9 +32,29 @@
 
 : ${BSDDIALOG_OK=0}
 
-echo -n > $BSDINSTALL_TMPETC/rc.conf.hardening
-echo -n > $BSDINSTALL_TMPETC/sysctl.conf.hardening
-echo -n > $BSDINSTALL_TMPBOOT/loader.conf.hardening
+# make sure the target files exist
+touch $BSDINSTALL_TMPETC/rc.conf.hardening
+touch $BSDINSTALL_TMPETC/sysctl.conf.hardening
+touch $BSDINSTALL_TMPBOOT/loader.conf.hardening
+
+# load the current settings
+hide_uids=$(grep -q '^security\.bsd\.see_other_uids=0$' $BSDINSTALL_TMPETC/sysctl.conf.hardening && echo on)
+hide_gids=$(grep -q '^security\.bsd\.see_other_gids=0$' $BSDINSTALL_TMPETC/sysctl.conf.hardening && echo on)
+hide_jail=$(grep -q '^security\.bsd\.see_jail_proc=0$' $BSDINSTALL_TMPETC/sysctl.conf.hardening && echo on)
+read_msgbuf=$(grep -q '^security\.bsd\.unprivileged_read_msgbuf=0$' $BSDINSTALL_TMPETC/sysctl.conf.hardening && echo on)
+proc_debug=$(grep -q '^security\.bsd\.unprivileged_proc_debug=0$' $BSDINSTALL_TMPETC/sysctl.conf.hardening && echo on)
+random_pid=$(grep -q '^kern\.randompid=1$' $BSDINSTALL_TMPETC/sysctl.conf.hardening && echo on)
+clear_tmp=$(sysrc -ef $BSDINSTALL_TMPETC/rc.conf.hardening clear_tmp_enable | cut -d = -f 2)
+clear_tmp=$([ -n "$clear_tmp" -a "$clear_tmp" = '"YES"' ] && echo on)
+disable_syslogd=$(sysrc -ef $BSDINSTALL_TMPETC/rc.conf.hardening syslogd_flags | cut -d = -f 2)
+disable_syslogd=$([ -n "$disable_syslogd" -a "$disable_syslogd" = '"-ss"' ] && echo on)
+secure_console=$([ -f $BSDINSTALL_TMPETC/ttys.hardening ] && grep -q 'unknown	off insecure' $BSDINSTALL_TMPETC/ttys.hardening && echo on)
+disable_ddtrace=$(grep -q '^security\.bsd\.allow_destructive_dtrace=0$' $BSDINSTALL_TMPBOOT/loader.conf.hardening && echo on)
+
+# reset the target files
+: > $BSDINSTALL_TMPETC/rc.conf.hardening
+: > $BSDINSTALL_TMPETC/sysctl.conf.hardening
+: > $BSDINSTALL_TMPBOOT/loader.conf.hardening
 
 exec 3>&1
 FEATURES=$( bsddialog --backtitle "$OSNAME Installer" \