As discussed previously, in order to introduce new OS hardening defaults, we've added them to bsdinstall in 'off by default' mode. It has been there for a while, so the next step is to change them to 'on by defaul' mode, so that in future we could simply enable them in base OS.
Details
Details
Apply the patch, build bsdinstall, run installer in a VM using built bsdinstall, review the end result /etc/sysctl.conf and /etc/rc.conf settings.
Diff Detail
Diff Detail
- Repository
- rS FreeBSD src repository - subversion
- Lint
Lint Not Applicable - Unit
Tests Not Applicable
Event Timeline
Comment Actions
I personally do not like the idea of defaulting 0-1 to on. I think that will be too much of a shock to new users and will hurt more than it helps.
Comment Actions
i'm ok with this. I think people can flip things back on if required. it's in -head, so we can gauge receptiveness.
Comment Actions
@brd these settings have been around forever. They've been introduced in bsdinstall as off-by-default exactly to flip them on later in bsdinstall and after that, to flip then on in the base OS. It's been used for ages, seems very stable and mature and add another security layer, where no amount of layers is enough. I think its a great, slow and stable way to not violate POLA and introduce better default FreeBSD settings, at least when it comes to security.
Comment Actions
I am aware they have been around forever, and I turned it on once and found it annoying and turned it back off. I feel like this doesn't really add any security but will negatively impact our new user experience. I think people that need or want this can turn it on at will, so leaving the default to off makes sense.