Changeset View
Changeset View
Standalone View
Standalone View
usr.sbin/bsdinstall/scripts/hardening
Show All 22 Lines | |||||
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY | # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY | ||||
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | ||||
# SUCH DAMAGE. | # SUCH DAMAGE. | ||||
# | # | ||||
# $FreeBSD$ | # $FreeBSD$ | ||||
: ${DIALOG_OK=0} | : ${DIALOG_OK=0} | ||||
set_aslr_sysctls() | |||||
{ | |||||
for bit in 32 64; do | |||||
if ! sysctl -Nq kern.elf$bit.aslr.enable >/dev/null; then | |||||
continue | |||||
fi | |||||
cat >> $BSDINSTALL_TMPETC/sysctl.conf.hardening <<-EOF | |||||
kern.elf$bit.aslr.enable=1 | |||||
kern.elf$bit.aslr.pie_enable=1 | |||||
kern.elf$bit.aslr.honor_sbrk=0 | |||||
EOF | |||||
done | |||||
} | |||||
echo -n > $BSDINSTALL_TMPETC/rc.conf.hardening | echo -n > $BSDINSTALL_TMPETC/rc.conf.hardening | ||||
echo -n > $BSDINSTALL_TMPETC/sysctl.conf.hardening | echo -n > $BSDINSTALL_TMPETC/sysctl.conf.hardening | ||||
echo -n > $BSDINSTALL_TMPBOOT/loader.conf.hardening | echo -n > $BSDINSTALL_TMPBOOT/loader.conf.hardening | ||||
exec 3>&1 | exec 3>&1 | ||||
FEATURES=$( dialog --backtitle "FreeBSD Installer" \ | FEATURES=$( dialog --backtitle "FreeBSD Installer" \ | ||||
--title "System Hardening" --nocancel --separate-output \ | --title "System Hardening" --nocancel --separate-output \ | ||||
--checklist "Choose system security hardening options:" \ | --checklist "Choose system security hardening options:" \ | ||||
0 0 0 \ | 0 0 0 \ | ||||
"0 hide_uids" "Hide processes running as other users" ${hide_uids:-off} \ | "0 hide_uids" "Hide processes running as other users" ${hide_uids:-off} \ | ||||
"1 hide_gids" "Hide processes running as other groups" ${hide_gids:-off} \ | "1 hide_gids" "Hide processes running as other groups" ${hide_gids:-off} \ | ||||
"2 hide_jail" "Hide processes running in jails" ${hide_jail:-off} \ | "2 hide_jail" "Hide processes running in jails" ${hide_jail:-off} \ | ||||
"3 read_msgbuf" "Disable reading kernel message buffer for unprivileged users" ${read_msgbuf:-off} \ | "3 read_msgbuf" "Disable reading kernel message buffer for unprivileged users" ${read_msgbuf:-off} \ | ||||
"4 proc_debug" "Disable process debugging facilities for unprivileged users" ${proc_debug:-off} \ | "4 proc_debug" "Disable process debugging facilities for unprivileged users" ${proc_debug:-off} \ | ||||
"5 random_pid" "Randomize the PID of newly created processes" ${random_pid:-off} \ | "5 random_pid" "Randomize the PID of newly created processes" ${random_pid:-off} \ | ||||
"6 clear_tmp" "Clean the /tmp filesystem on system startup" ${clear_tmp:-off} \ | "6 clear_tmp" "Clean the /tmp filesystem on system startup" ${clear_tmp:-off} \ | ||||
"7 disable_syslogd" "Disable opening Syslogd network socket (disables remote logging)" ${disable_syslogd:-off} \ | "7 disable_syslogd" "Disable opening Syslogd network socket (disables remote logging)" ${disable_syslogd:-off} \ | ||||
"8 disable_sendmail" "Disable Sendmail service" ${disable_sendmail:-off} \ | "8 disable_sendmail" "Disable Sendmail service" ${disable_sendmail:-off} \ | ||||
"9 secure_console" "Enable console password prompt" ${secure_console:-off} \ | "9 secure_console" "Enable console password prompt" ${secure_console:-off} \ | ||||
"10 disable_ddtrace" "Disallow DTrace destructive-mode" ${disable_ddtrace:-off} \ | "10 disable_ddtrace" "Disallow DTrace destructive-mode" ${disable_ddtrace:-off} \ | ||||
"11 enable_aslr" "Enable address layout randomization" ${enable_aslr:-off} \ | |||||
2>&1 1>&3 ) | 2>&1 1>&3 ) | ||||
exec 3>&- | exec 3>&- | ||||
for feature in $FEATURES; do | for feature in $FEATURES; do | ||||
emaste: oops, will delete this | |||||
Not Done Inline ActionsThe patch LGTM, I'll approve after the debug echo disappears :) mw: The patch LGTM, I'll approve after the debug echo disappears :) | |||||
Done Inline ActionsI also need to get D28417 in first emaste: I also need to get D28417 in first | |||||
case "$feature" in | case "$feature" in | ||||
hide_uids) | hide_uids) | ||||
echo security.bsd.see_other_uids=0 >> $BSDINSTALL_TMPETC/sysctl.conf.hardening | echo security.bsd.see_other_uids=0 >> $BSDINSTALL_TMPETC/sysctl.conf.hardening | ||||
;; | ;; | ||||
hide_gids) | hide_gids) | ||||
echo security.bsd.see_other_gids=0 >> $BSDINSTALL_TMPETC/sysctl.conf.hardening | echo security.bsd.see_other_gids=0 >> $BSDINSTALL_TMPETC/sysctl.conf.hardening | ||||
;; | ;; | ||||
hide_jail) | hide_jail) | ||||
Show All 17 Lines | for feature in $FEATURES; do | ||||
disable_sendmail) | disable_sendmail) | ||||
echo 'sendmail_enable="NONE"' >> $BSDINSTALL_TMPETC/rc.conf.hardening | echo 'sendmail_enable="NONE"' >> $BSDINSTALL_TMPETC/rc.conf.hardening | ||||
;; | ;; | ||||
secure_console) | secure_console) | ||||
sed "s/unknown off secure/unknown off insecure/g" $BSDINSTALL_CHROOT/etc/ttys > $BSDINSTALL_TMPETC/ttys.hardening | sed "s/unknown off secure/unknown off insecure/g" $BSDINSTALL_CHROOT/etc/ttys > $BSDINSTALL_TMPETC/ttys.hardening | ||||
;; | ;; | ||||
disable_ddtrace) | disable_ddtrace) | ||||
echo 'security.bsd.allow_destructive_dtrace=0' >> $BSDINSTALL_TMPBOOT/loader.conf.hardening | echo 'security.bsd.allow_destructive_dtrace=0' >> $BSDINSTALL_TMPBOOT/loader.conf.hardening | ||||
;; | |||||
enable_aslr) | |||||
set_aslr_sysctls | |||||
;; | ;; | ||||
esac | esac | ||||
done | done | ||||
oops, will delete this