From owner-svn-src-head@freebsd.org Tue Jul 19 00:43:47 2016
Subject: Re: svn commit: r302897 - head/usr.sbin/bsdinstall/scripts
To: Bartek Rutkowski, src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
References: <201607151507.u6FF7OGH090313@repo.freebsd.org>
From: Nathan Whitehorn <nwhitehorn@freebsd.org>
Message-ID: <1d8eded8-cb28-0fe0-341a-99d03e9fc768@freebsd.org>
Date: Mon, 18 Jul 2016 17:43:39 -0700
In-Reply-To: <201607151507.u6FF7OGH090313@repo.freebsd.org>
List-Id: SVN commit messages for the src tree for head/-current

On 07/15/16 08:07, Bartek Rutkowski wrote:
> Author: robak (ports committer)
> Date: Fri Jul 15 15:07:24 2016
> New Revision: 302897
> URL: https://svnweb.freebsd.org/changeset/base/302897
>
> Log:
> Add new System Hardening menu and options to bsdinstall.
>
> This patch adds a new 'hardening' file responsible for the new bsdinstall
> 'System Hardening' menu allowing users to set some sane and carefully
> picked system security options (like random process id's, hiding
> other users/groups processes and others).
>
> All options are OFF by default in this patch due to POLA principle
> with intention to change some of them to ON by default in future.
>
> Reviewed by: adrian, allanjude, bdrewery, nwhitehorn
> Approved by: adrian, allanjude
> MFC after: 7 days
>

Thanks for this! One nit below.

> Modified: head/usr.sbin/bsdinstall/scripts/auto
> ==============================================================================
> --- head/usr.sbin/bsdinstall/scripts/auto Fri Jul 15 13:25:47 2016 (r302896)
> +++ head/usr.sbin/bsdinstall/scripts/auto Fri Jul 15 15:07:24 2016 (r302897)
> @@ -385,6 +385,7 @@ if [ "$NETCONFIG_DONE" != yes ]; then
> fi
> bsdinstall time
> bsdinstall services
> +bsdinstall hardening

As discussed in the review, I'd prefer it if this were not here and only the part below (in the final menu) were present in the auto script, in particular for 11.0-RELEASE. This keeps the installer flow and avoids presenting the user with a new menu of optional off-by-default things that you have to get through to finish the installation (Handbook installation is in the same category). Would it be possible to change that?
-Nathan

> dialog --backtitle "FreeBSD Installer" --title "Add User Accounts" --yesno \
> "Would you like to add users to the installed system now?" 0 0 && \
> @@ -401,6 +402,7 @@ finalconfig() {
> "Hostname" "Set system hostname" \
> "Network" "Networking configuration" \
> "Services" "Set daemons to run on startup" \
> + "System Hardening" "Set security options" \
> "Time Zone" "Set system timezone" \
> "Handbook" "Install FreeBSD Handbook (requires network)" 2>&1 1>&3)
> exec 3>&-
> @@ -426,6 +428,10 @@ finalconfig() {
> bsdinstall services
> finalconfig
> ;;
> + "System Hardening")
> + bsdinstall hardening
> + finalconfig
> + ;;
> "Time Zone")
> bsdinstall time
> finalconfig
>
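Review bot: the `+bsdinstall hardening` line in the first hunk runs the new menu unconditionally in the sequential flow, with no guard comparable to the `if [ "$NETCONFIG_DONE" != yes ]` check that precedes it; since the log message states that every option is OFF by default, the step changes nothing unless the user opts in, so it could be dropped from the sequential flow and left reachable only through the finalconfig menu entry added in the later hunks.

Review bot: the description "Set security options" added in the second hunk does not tell the user that every option is off by default (as the log message states), so a wording such as "Set security options (all off by default)" would make it clear that skipping the entry is safe; note also that the tag "System Hardening" is the exact string the case arm `"System Hardening")` in the third hunk matches, so the two must be changed together if the label is ever reworded.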