diff --git a/usr.sbin/bsdinstall/scripts/config b/usr.sbin/bsdinstall/scripts/config
--- a/usr.sbin/bsdinstall/scripts/config
+++ b/usr.sbin/bsdinstall/scripts/config
@@ -34,6 +34,12 @@
 cat $BSDINSTALL_CHROOT/etc/sysctl.conf $BSDINSTALL_TMPETC/sysctl.conf.* >> $BSDINSTALL_TMPETC/sysctl.conf
 rm $BSDINSTALL_TMPETC/sysctl.conf.*
+if [ -f $BSDINSTALL_TMPETC/newsyslog.conf.hardening ]; then
+ cat $BSDINSTALL_TMPETC/newsyslog.conf.hardening > $BSDINSTALL_TMPETC/newsyslog.conf
+ rm -f $BSDINSTALL_TMPETC/newsyslog.conf.hardening
+ chmod 0600 $BSDINSTALL_CHROOT/var/log/messages
+fi
+
 if [ -f $BSDINSTALL_TMPETC/ttys.hardening ]; then
 cat $BSDINSTALL_TMPETC/ttys.hardening > $BSDINSTALL_TMPETC/ttys
 rm $BSDINSTALL_TMPETC/ttys.hardening
diff --git a/usr.sbin/bsdinstall/scripts/hardening b/usr.sbin/bsdinstall/scripts/hardening
--- a/usr.sbin/bsdinstall/scripts/hardening
+++ b/usr.sbin/bsdinstall/scripts/hardening
@@ -70,6 +70,9 @@
 ;;
 read_msgbuf)
 echo security.bsd.unprivileged_read_msgbuf=0 >> $BSDINSTALL_TMPETC/sysctl.conf.hardening
+ echo 'dmesg_umask="066"' >> $BSDINSTALL_TMPETC/rc.conf.hardening
+ sed "s|^/var/log/messages\t\t\t644|/var/log/messages\t\t\t600|" \
+ $BSDINSTALL_CHROOT/etc/newsyslog.conf > $BSDINSTALL_TMPETC/newsyslog.conf.hardening
 ;;
 proc_debug)
 echo security.bsd.unprivileged_proc_debug=0 >> $BSDINSTALL_TMPETC/sysctl.conf.hardening
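Review bot: `chmod 0600 $BSDINSTALL_CHROOT/var/log/messages` in the new config block assumes the log file already exists in the chroot, and nothing in the hunk creates it; if the base distribution does not ship it (it is presumably created at first boot, not by the installer) the chmod prints an error and, should this script run under `set -e` (not visible here), aborts the rest of config. Guard it and let the 600 mode now written into newsyslog.conf cover files created later: `[ -f $BSDINSTALL_CHROOT/var/log/messages ] && chmod 0600 $BSDINSTALL_CHROOT/var/log/messages`. The block also uses `rm -f` where the adjacent ttys block uses plain `rm`; either is fine, but they should match. A short comment such as `# read_msgbuf hardening: install the 600-mode newsyslog.conf and fix up any pre-existing messages file` would explain why only this one log file is touched here. The surrounding script continues outside this hunk.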
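Review bot: The new sed command in the `read_msgbuf)` arm matches only the exact `^/var/log/messages\t\t\t644` layout of the stock newsyslog.conf, so any change to the tab run — or a sed whose regex library does not treat `\t` as a tab, which is not a POSIX BRE escape; confirm the installer's sed accepts it — makes sed emit the file unchanged, and the hardening is silently not applied even though newsyslog.conf.hardening is still produced and installed by config. Matching the whitespace instead of counting it, `sed "s|^\(/var/log/messages[[:blank:]]\{1,\}\)644|\1600|" \`, keeps the intent and survives reformatting, and a `cmp -s` of the output against `$BSDINSTALL_CHROOT/etc/newsyslog.conf` would turn a no-match into a visible failure. The `dmesg_umask="066"` rc.conf line is the only part of this arm that does not depend on the match. The enclosing `case` statement starts and ends outside this hunk.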