Date:      Wed, 22 Feb 2017 07:52:45 +0000
From:      Bartłomiej Rutkowski <robak@freebsd.org>
To:        Eric Badger <badger@freebsd.org>
Cc:        Bartek Rutkowski <robak@freebsd.org>, src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   Re: svn commit: r314036 - head/usr.sbin/bsdinstall/scripts
Message-ID:  <CAGFrfxapPqLWh7JZWKADmVrGG9XWrzHd3Pr8_j2AmzYW_0z+oQ@mail.gmail.com>
In-Reply-To: <28a4cf5e-2edd-3e30-9ecd-817f886e9ea3@FreeBSD.org>
References:  <201702210937.v1L9bY6V093836@repo.freebsd.org> <28a4cf5e-2edd-3e30-9ecd-817f886e9ea3@FreeBSD.org>

On Tue, Feb 21, 2017 at 2:34 PM, Eric Badger <badger@freebsd.org> wrote:

> On 02/21/2017 03:37 AM, Bartek Rutkowski wrote:
>
>> Author: robak (ports committer)
>> Date: Tue Feb 21 09:37:33 2017
>> New Revision: 314036
>> URL: https://svnweb.freebsd.org/changeset/base/314036
>>
>> Log:
>>   Enable bsdinstall hardening options by default.
>>
>>   As discussed previously, in order to introduce new OS hardening
>>   defaults, we've added them to bsdinstall in 'off by default' mode.
>>   It has been there for a while, so the next step is to change them
>>   to 'on by default' mode, so that in future we could simply enable
>>   them in base OS.
>>
>>   Reviewed by:  brd
>>   Approved by:  adrian
>>   Differential Revision:        https://reviews.freebsd.org/D9641
>>
>> Modified:
>>   head/usr.sbin/bsdinstall/scripts/hardening
>>
>> Modified: head/usr.sbin/bsdinstall/scripts/hardening
>> ============================================================
>> ==================
>> --- head/usr.sbin/bsdinstall/scripts/hardening  Tue Feb 21 09:33:21
>> 2017        (r314035)
>> +++ head/usr.sbin/bsdinstall/scripts/hardening  Tue Feb 21 09:37:33
>> 2017        (r314036)
>> @@ -36,15 +36,15 @@ FEATURES=$( dialog --backtitle "FreeBSD
>>      --title "System Hardening" --nocancel --separate-output \
>>      --checklist "Choose system security hardening options:" \
>>      0 0 0 \
>> -       "0 hide_uids" "Hide processes running as other users"
>> ${hide_uids:-off} \
>> -       "1 hide_gids" "Hide processes running as other groups"
>> ${hide_gids:-off} \
>> -       "2 read_msgbuf" "Disable reading kernel message buffer for
>> unprivileged users" ${read_msgbuf:-off} \
>> -       "3 proc_debug" "Disable process debugging facilities for
>> unprivileged users" ${proc_debug:-off} \
>> -       "4 random_pid" "Randomize the PID of newly created processes"
>> ${random_pid:-off} \
>> -       "5 stack_guard" "Insert stack guard page ahead of the growable
>> segments" ${stack_guard:-off} \
>> -       "6 clear_tmp" "Clean the /tmp filesystem on system startup"
>> ${clear_tmp:-off} \
>> -       "7 disable_syslogd" "Disable opening Syslogd network socket
>> (disables remote logging)" ${disable_syslogd:-off} \
>> -       "8 disable_sendmail" "Disable Sendmail service"
>> ${disable_sendmail:-off} \
>> +       "0 hide_uids" "Hide processes running as other users"
>> ${hide_uids:-on} \
>> +       "1 hide_gids" "Hide processes running as other groups"
>> ${hide_gids:-on} \
>> +       "2 read_msgbuf" "Disable reading kernel message buffer for
>> unprivileged users" ${read_msgbuf:-on} \
>> +       "3 proc_debug" "Disable process debugging facilities for
>> unprivileged users" ${proc_debug:-on} \
>> +       "4 random_pid" "Randomize the PID of newly created processes"
>> ${random_pid:-on} \
>> +       "5 stack_guard" "Insert stack guard page ahead of the growable
>> segments" ${stack_guard:-on} \
>> +       "6 clear_tmp" "Clean the /tmp filesystem on system startup"
>> ${clear_tmp:-on} \
>> +       "7 disable_syslogd" "Disable opening Syslogd network socket
>> (disables remote logging)" ${disable_syslogd:-on} \
>> +       "8 disable_sendmail" "Disable Sendmail service"
>> ${disable_sendmail:-on} \
>>  2>&1 1>&3 )
>>  exec 3>&-
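Review bot: the two rc.conf-level items at the bottom of this hunk, `disable_syslogd` and `disable_sendmail`, change userland service behaviour rather than kernel policy, and the checklist text itself says the first one "disables remote logging"; consider leaving those two at `off`, or at least calling the service-level change out in the log message, which only speaks of "OS hardening defaults". The `${hide_uids:-on}` style fallback also means each new default can still be overridden by pre-setting the variable before the dialog runs, which is worth a line in the log message or the script header so that scripted installs know how to keep the old behaviour.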
>>
>>
>>
> Hi Bartek,
>
> Thanks for working on making it easier to harden FreeBSD. While defaulting
> some of these options to "on" seems pretty harmless (e.g. random_pid),
> others are likely to cause confusion for new and experienced users alike
> (e.g. proc_debug; I've never used that option before, so I gave it a try.
> It simply causes gdb to hang when attempting to start a process, with no
> obvious indication of why). I think more discussion is merited before they
> are turned on by default; personally I think they have potential to sour a
> first impression of FreeBSD by making things people are used to doing on
> other OSes hard.


The audience of these changes is not someone like you, who's using gdb
daily. The audience is the new users who often don't know what they're
doing, why they're doing it and how to do it differently, especially when it
comes to security. Power users in most cases don't use bsdinstall to
install their systems; they use automation of some sort to fine-tune the OS
exactly to their needs and use case, and in their case this change is
transparent and doesn't affect them. What it affects is the default FreeBSD
installation and our poor track record of default installation security and
great track record for not changing and improving things just because
they've been like that for the past decade.

Kind regards,
Bartek Rutkowski
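The checklist above names nine features but the thread never shows which knobs they turn. The script below is an added example, not part of this thread and not the bsdinstall hardening script itself: it maps the dialog tags to the sysctl.conf and rc.conf lines I assume bsdinstall emits for them (check /usr/libexec/bsdinstall/hardening on a real install before relying on the exact names; the kern.randompid value in particular has differed between releases), renders them for a FEATURES list of the same shape as the dialog output, and audits a running system against that list so an operator can tell which of the defaults actually took effect. The audit takes the sysctl reader as an argument so it can run offline; on a FreeBSD host pass 'sysctl -n'.

```shell
#!/bin/sh
# Added example; the sysctl/rc.conf mapping is my assumption about what the
# bsdinstall hardening script writes, not code from the script itself.

# Same tag set as the dialog in r314036, all now on by default.
FEATURES_DEFAULT="hide_uids hide_gids read_msgbuf proc_debug random_pid stack_guard clear_tmp disable_syslogd disable_sendmail"

# sysctl.conf line for a kernel-policy feature; empty for rc.conf features.
hardening_sysctl_line() {
    case "$1" in
    hide_uids)   echo "security.bsd.see_other_uids=0" ;;
    hide_gids)   echo "security.bsd.see_other_gids=0" ;;
    read_msgbuf) echo "security.bsd.unprivileged_read_msgbuf=0" ;;
    proc_debug)  echo "security.bsd.unprivileged_proc_debug=0" ;;
    random_pid)  echo "kern.randompid=1" ;;   # assumed; older releases used a random seed value
    stack_guard) echo "security.bsd.stack_guard_page=1" ;;
    esac
}

# rc.conf line for a service-level feature; empty for sysctl features.
hardening_rc_line() {
    case "$1" in
    clear_tmp)        echo 'clear_tmp_enable="YES"' ;;
    disable_syslogd)  echo 'syslogd_flags="-ss"' ;;      # no listening socket at all
    disable_sendmail) echo 'sendmail_enable="NONE"' ;;
    esac
}

# Render the config lines for a space-separated feature list, tagged with the
# file they belong in. An unknown tag is an error, so a typo in an automated
# install does not silently skip a hardening step.
render_hardening() {
    for f in $1; do
        s=$(hardening_sysctl_line "$f")
        r=$(hardening_rc_line "$f")
        if [ -n "$s" ]; then
            echo "sysctl.conf: $s"
        elif [ -n "$r" ]; then
            echo "rc.conf: $r"
        else
            echo "unknown feature: $f" >&2
            return 1
        fi
    done
}

# Compare live sysctl values with what the feature list asks for.
# $1: feature list; $2: a command that prints the value of a sysctl name,
# e.g. 'sysctl -n' on FreeBSD. Prints each mismatch; returns 1 if any.
audit_sysctls() {
    features=$1
    reader=$2
    rc=0
    for f in $features; do
        line=$(hardening_sysctl_line "$f")
        [ -n "$line" ] || continue          # rc.conf knobs are not sysctls
        name=${line%%=*}
        want=${line#*=}
        got=$($reader "$name")
        if [ "$got" != "$want" ]; then
            echo "$f: $name is '$got', want $want"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone run: show the rendered defaults.
if [ "${0##*/}" = "hardening-example.sh" ]; then
    render_hardening "$FEATURES_DEFAULT"
fi
```

Usage on a host that was installed with the new defaults: `audit_sysctls "$FEATURES_DEFAULT" 'sysctl -n'` prints nothing and exits 0; after `sysctl security.bsd.unprivileged_proc_debug=1` (the quickest way to get gdb working again, as Eric's message suggests people will want) it reports exactly that one knob.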


