Changeset View
Changeset View
Standalone View
Standalone View
usr.sbin/bsdinstall/scripts/hardening
| Show All 22 Lines | |||||
| # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY | # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY | ||||
| # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | ||||
| # SUCH DAMAGE. | # SUCH DAMAGE. | ||||
| # | # | ||||
| # $FreeBSD$ | # $FreeBSD$ | ||||
| : ${DIALOG_OK=0} | : ${DIALOG_OK=0} | ||||
| set_aslr_sysctls() | |||||
| { | |||||
| for bit in 32 64; do | |||||
| if ! sysctl -Nq kern.elf$bit.aslr.enable >/dev/null; then | |||||
| continue | |||||
| fi | |||||
| cat >> $BSDINSTALL_TMPETC/sysctl.conf.hardening <<-EOF | |||||
| kern.elf$bit.aslr.enable=1 | |||||
| kern.elf$bit.aslr.pie_enable=1 | |||||
| kern.elf$bit.aslr.honor_sbrk=0 | |||||
| EOF | |||||
| done | |||||
| } | |||||
| echo -n > $BSDINSTALL_TMPETC/rc.conf.hardening | echo -n > $BSDINSTALL_TMPETC/rc.conf.hardening | ||||
| echo -n > $BSDINSTALL_TMPETC/sysctl.conf.hardening | echo -n > $BSDINSTALL_TMPETC/sysctl.conf.hardening | ||||
| echo -n > $BSDINSTALL_TMPBOOT/loader.conf.hardening | echo -n > $BSDINSTALL_TMPBOOT/loader.conf.hardening | ||||
| exec 3>&1 | exec 3>&1 | ||||
| FEATURES=$( dialog --backtitle "FreeBSD Installer" \ | FEATURES=$( dialog --backtitle "FreeBSD Installer" \ | ||||
| --title "System Hardening" --nocancel --separate-output \ | --title "System Hardening" --nocancel --separate-output \ | ||||
| --checklist "Choose system security hardening options:" \ | --checklist "Choose system security hardening options:" \ | ||||
| 0 0 0 \ | 0 0 0 \ | ||||
| "0 hide_uids" "Hide processes running as other users" ${hide_uids:-off} \ | "0 hide_uids" "Hide processes running as other users" ${hide_uids:-off} \ | ||||
| "1 hide_gids" "Hide processes running as other groups" ${hide_gids:-off} \ | "1 hide_gids" "Hide processes running as other groups" ${hide_gids:-off} \ | ||||
| "2 hide_jail" "Hide processes running in jails" ${hide_jail:-off} \ | "2 hide_jail" "Hide processes running in jails" ${hide_jail:-off} \ | ||||
| "3 read_msgbuf" "Disable reading kernel message buffer for unprivileged users" ${read_msgbuf:-off} \ | "3 read_msgbuf" "Disable reading kernel message buffer for unprivileged users" ${read_msgbuf:-off} \ | ||||
| "4 proc_debug" "Disable process debugging facilities for unprivileged users" ${proc_debug:-off} \ | "4 proc_debug" "Disable process debugging facilities for unprivileged users" ${proc_debug:-off} \ | ||||
| "5 random_pid" "Randomize the PID of newly created processes" ${random_pid:-off} \ | "5 random_pid" "Randomize the PID of newly created processes" ${random_pid:-off} \ | ||||
| "6 clear_tmp" "Clean the /tmp filesystem on system startup" ${clear_tmp:-off} \ | "6 clear_tmp" "Clean the /tmp filesystem on system startup" ${clear_tmp:-off} \ | ||||
| "7 disable_syslogd" "Disable opening Syslogd network socket (disables remote logging)" ${disable_syslogd:-off} \ | "7 disable_syslogd" "Disable opening Syslogd network socket (disables remote logging)" ${disable_syslogd:-off} \ | ||||
| "8 disable_sendmail" "Disable Sendmail service" ${disable_sendmail:-off} \ | "8 disable_sendmail" "Disable Sendmail service" ${disable_sendmail:-off} \ | ||||
| "9 secure_console" "Enable console password prompt" ${secure_console:-off} \ | "9 secure_console" "Enable console password prompt" ${secure_console:-off} \ | ||||
| "10 disable_ddtrace" "Disallow DTrace destructive-mode" ${disable_ddtrace:-off} \ | "10 disable_ddtrace" "Disallow DTrace destructive-mode" ${disable_ddtrace:-off} \ | ||||
| "11 enable_aslr" "Enable address layout randomization" ${enable_aslr:-off} \ | |||||
| 2>&1 1>&3 ) | 2>&1 1>&3 ) | ||||
| exec 3>&- | exec 3>&- | ||||
| for feature in $FEATURES; do | for feature in $FEATURES; do | ||||
emaste: oops, will delete this | |||||
Not Done Inline ActionsThe patch LGTM, I'll approve after the debug echo disappears :) mw: The patch LGTM, I'll approve after the debug echo disappears :) | |||||
Done Inline ActionsI also need to get D28417 in first emaste: I also need to get D28417 in first | |||||
| case "$feature" in | case "$feature" in | ||||
| hide_uids) | hide_uids) | ||||
| echo security.bsd.see_other_uids=0 >> $BSDINSTALL_TMPETC/sysctl.conf.hardening | echo security.bsd.see_other_uids=0 >> $BSDINSTALL_TMPETC/sysctl.conf.hardening | ||||
| ;; | ;; | ||||
| hide_gids) | hide_gids) | ||||
| echo security.bsd.see_other_gids=0 >> $BSDINSTALL_TMPETC/sysctl.conf.hardening | echo security.bsd.see_other_gids=0 >> $BSDINSTALL_TMPETC/sysctl.conf.hardening | ||||
| ;; | ;; | ||||
| hide_jail) | hide_jail) | ||||
| Show All 17 Lines | for feature in $FEATURES; do | ||||
| disable_sendmail) | disable_sendmail) | ||||
| echo 'sendmail_enable="NONE"' >> $BSDINSTALL_TMPETC/rc.conf.hardening | echo 'sendmail_enable="NONE"' >> $BSDINSTALL_TMPETC/rc.conf.hardening | ||||
| ;; | ;; | ||||
| secure_console) | secure_console) | ||||
| sed "s/unknown off secure/unknown off insecure/g" $BSDINSTALL_CHROOT/etc/ttys > $BSDINSTALL_TMPETC/ttys.hardening | sed "s/unknown off secure/unknown off insecure/g" $BSDINSTALL_CHROOT/etc/ttys > $BSDINSTALL_TMPETC/ttys.hardening | ||||
| ;; | ;; | ||||
| disable_ddtrace) | disable_ddtrace) | ||||
| echo 'security.bsd.allow_destructive_dtrace=0' >> $BSDINSTALL_TMPBOOT/loader.conf.hardening | echo 'security.bsd.allow_destructive_dtrace=0' >> $BSDINSTALL_TMPBOOT/loader.conf.hardening | ||||
| ;; | |||||
| enable_aslr) | |||||
| set_aslr_sysctls | |||||
| ;; | ;; | ||||
| esac | esac | ||||
| done | done | ||||
oops, will delete this