Index: usr.sbin/bsdinstall/scripts/config
===================================================================
--- usr.sbin/bsdinstall/scripts/config
+++ usr.sbin/bsdinstall/scripts/config
@@ -35,6 +35,11 @@
 cat $BSDINSTALL_CHROOT/etc/sysctl.conf $BSDINSTALL_TMPETC/sysctl.conf.hardening >> $BSDINSTALL_TMPETC/sysctl.conf
 rm $BSDINSTALL_TMPETC/sysctl.conf.*
 
+if [ -f $BSDINSTALL_TMPTEC/ttys.hardening ]; then
+ cat $BSDINSTALL_TMPTEC/ttys.hardening > $BSDINSTALL_TMPTEC/ttys
+ rm $BSDINSTALL_TMPTEC/ttys.hardening
+fi
+
 cp $BSDINSTALL_TMPETC/* $BSDINSTALL_CHROOT/etc
 
 cat $BSDINSTALL_TMPBOOT/loader.conf.* >> $BSDINSTALL_TMPBOOT/loader.conf
Index: usr.sbin/bsdinstall/scripts/hardening
===================================================================
--- usr.sbin/bsdinstall/scripts/hardening
+++ usr.sbin/bsdinstall/scripts/hardening
@@ -45,6 +45,7 @@
 "6 clear_tmp" "Clean the /tmp filesystem on system startup" ${clear_tmp:-on} \
 "7 disable_syslogd" "Disable opening Syslogd network socket (disables remote logging)" ${disable_syslogd:-on} \
 "8 disable_sendmail" "Disable Sendmail service" ${disable_sendmail:-on} \
+ "9 secure_console" "Enable console password prompt in single-user mode" ${secure_console:-off} \
 2>&1 1>&3 )
 exec 3>&-
 
@@ -76,5 +77,8 @@
 if [ "$feature" = "disable_sendmail" ]; then
 echo 'sendmail_enable="NONE"' >> $BSDINSTALL_TMPETC/rc.conf.hardening
 fi
+ if [ "$feature" = "secure_console" ]; then
+ sed "s/unknown off secure/unknown off insecure/g" $BSDINSTALL_CHROOT/etc/ttys > $BSDINSTALL_TMPETC/ttys.hardening
+ fi
 done
 
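Review bot: The block added in the `@@ -35,6 +35,11 @@` hunk of scripts/config spells the variable `$BSDINSTALL_TMPTEC` on all three lines that use it, while the context lines around it and the hardening script use `$BSDINSTALL_TMPETC`. Unless a variable with that spelling is defined elsewhere, it expands to nothing, so the test checks `/ttys.hardening`, the generated file is never renamed to `ttys`, and the following `cp $BSDINSTALL_TMPETC/*` installs a stray `ttys.hardening` while the console entry stays unchanged and no error is reported. If the test ever did pass, the unquoted empty expansion would make the block write `/ttys` and remove `/ttys.hardening` on the installer's own root. Suggested: `if [ -f "$BSDINSTALL_TMPETC/ttys.hardening" ]; then` followed by `mv "$BSDINSTALL_TMPETC/ttys.hardening" "$BSDINSTALL_TMPETC/ttys"`.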
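Review bot: The `sed` line added under `secure_console` in the `@@ -76,5 +77,8 @@` hunk of scripts/hardening exits successfully even when its pattern matches nothing, so a ttys file whose console entry is spaced differently produces an unchanged copy and the selected hardening option is dropped silently. The expression is also not anchored to the console entry and the paths are unquoted; whether the literal spaces in the pattern match the stock file cannot be judged from this page, where whitespace is collapsed. Consider `sed '/^console[[:space:]]/s/[[:space:]]secure/ insecure/' "$BSDINSTALL_CHROOT/etc/ttys" > "$BSDINSTALL_TMPETC/ttys.hardening"`, then warn or fail unless `grep -q '^console[[:space:]].*insecure' "$BSDINSTALL_TMPETC/ttys.hardening"` succeeds. The enclosing loop starts outside the hunk.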