Index: head/usr.sbin/bsdinstall/scripts/config
===================================================================
--- head/usr.sbin/bsdinstall/scripts/config
+++ head/usr.sbin/bsdinstall/scripts/config
@@ -35,6 +35,11 @@
 cat $BSDINSTALL_CHROOT/etc/sysctl.conf $BSDINSTALL_TMPETC/sysctl.conf.* >> $BSDINSTALL_TMPETC/sysctl.conf
 rm $BSDINSTALL_TMPETC/sysctl.conf.*
 
+if [ -f $BSDINSTALL_TMPTEC/ttys.hardening ]; then
+	cat $BSDINSTALL_TMPTEC/ttys.hardening > $BSDINSTALL_TMPTEC/ttys
+	rm $BSDINSTALL_TMPTEC/ttys.hardening
+fi
+
 cp $BSDINSTALL_TMPETC/* $BSDINSTALL_CHROOT/etc
 
 cat $BSDINSTALL_TMPBOOT/loader.conf.* >> $BSDINSTALL_TMPBOOT/loader.conf
Index: head/usr.sbin/bsdinstall/scripts/hardening
===================================================================
--- head/usr.sbin/bsdinstall/scripts/hardening
+++ head/usr.sbin/bsdinstall/scripts/hardening
@@ -42,10 +42,11 @@
 	"3 read_msgbuf" "Disable reading kernel message buffer for unprivileged users" ${read_msgbuf:-off} \
 	"4 proc_debug" "Disable process debugging facilities for unprivileged users" ${proc_debug:-off} \
 	"5 random_pid" "Randomize the PID of newly created processes" ${random_pid:-off} \
-	"6 stack_guard" "Insert stack guard page ahead of the growable segments" ${stack_guard:-off} \
+	"6 stack_guard" "Set stack guard buffer size to 2MB" ${stack_guard:-off} \
 	"7 clear_tmp" "Clean the /tmp filesystem on system startup" ${clear_tmp:-off} \
 	"8 disable_syslogd" "Disable opening Syslogd network socket (disables remote logging)" ${disable_syslogd:-off} \
 	"9 disable_sendmail" "Disable Sendmail service" ${disable_sendmail:-off} \
+	"9 secure_console" "Enable console password prompt" ${secure_console:-off} \
 2>&1 1>&3 )
 exec 3>&-
 
@@ -69,7 +70,7 @@
 		echo kern.randompid=$(jot -r 1 9999) >> $BSDINSTALL_TMPETC/sysctl.conf.hardening
 	fi
 	if [ "$feature" = "stack_guard" ]; then
-		echo security.bsd.stack_guard_page=1 >> $BSDINSTALL_TMPETC/sysctl.conf.hardening
+		echo security.bsd.stack_guard_page=512 >> $BSDINSTALL_TMPETC/sysctl.conf.hardening
 	fi
 	if [ "$feature" = "clear_tmp" ]; then
 		echo 'clear_tmp_enable="YES"' >> $BSDINSTALL_TMPETC/rc.conf.hardening
@@ -79,6 +80,9 @@
 	fi
 	if [ "$feature" = "disable_sendmail" ]; then
 		echo 'sendmail_enable="NONE"' >> $BSDINSTALL_TMPETC/rc.conf.hardening
+	fi
+	if [ "$feature" = "secure_console" ]; then
+		sed "s/unknown	off secure/unknown	off insecure/g" $BSDINSTALL_CHROOT/etc/ttys > $BSDINSTALL_TMPETC/ttys.hardening
 	fi
 done