Date: Wed, 22 Feb 2017 09:31:38 -0800
From: John Baldwin <jhb@freebsd.org>
To: Bartłomiej Rutkowski <robak@freebsd.org>
Cc: Eric Badger <badger@freebsd.org>, src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: Re: svn commit: r314036 - head/usr.sbin/bsdinstall/scripts
Message-ID: <1976446.uOnGb30fkc@ralph.baldwin.cx>
In-Reply-To: <CAGFrfxapPqLWh7JZWKADmVrGG9XWrzHd3Pr8_j2AmzYW_0z+oQ@mail.gmail.com>
References: <201702210937.v1L9bY6V093836@repo.freebsd.org> <28a4cf5e-2edd-3e30-9ecd-817f886e9ea3@FreeBSD.org> <CAGFrfxapPqLWh7JZWKADmVrGG9XWrzHd3Pr8_j2AmzYW_0z+oQ@mail.gmail.com>
On Wednesday, February 22, 2017 07:52:45 AM Bartłomiej Rutkowski wrote:
> On Tue, Feb 21, 2017 at 2:34 PM, Eric Badger <badger@freebsd.org> wrote:
>
> > On 02/21/2017 03:37 AM, Bartek Rutkowski wrote:
> >
> >> Author: robak (ports committer)
> >> Date: Tue Feb 21 09:37:33 2017
> >> New Revision: 314036
> >> URL: https://svnweb.freebsd.org/changeset/base/314036
> >>
> >> Log:
> >>   Enable bsdinstall hardening options by default.
> >>
> >>   As discussed previously, in order to introduce new OS hardening
> >>   defaults, we've added them to bsdinstall in 'off by default' mode.
> >>   It has been there for a while, so the next step is to change them
> >>   to 'on by default' mode, so that in future we could simply enable
> >>   them in base OS.
> >>
> >>   Reviewed by:	brd
> >>   Approved by:	adrian
> >>   Differential Revision:	https://reviews.freebsd.org/D9641
> >>
> >> Modified:
> >>   head/usr.sbin/bsdinstall/scripts/hardening
> >>
> >> Modified: head/usr.sbin/bsdinstall/scripts/hardening
> >> ==============================================================================
> >> --- head/usr.sbin/bsdinstall/scripts/hardening	Tue Feb 21 09:33:21 2017	(r314035)
> >> +++ head/usr.sbin/bsdinstall/scripts/hardening	Tue Feb 21 09:37:33 2017	(r314036)
> >> @@ -36,15 +36,15 @@ FEATURES=3D$( dialog --backtitle "FreeBSD > >> --title "System Hardening" --nocancel --separate-output \ > >> --checklist "Choose system security hardening options:" \ > >> 0 0 0 \ > >> - "0 hide_uids" "Hide processes running as other users" > >> ${hide_uids:-off} \ > >> - "1 hide_gids" "Hide processes running as other groups" > >> ${hide_gids:-off} \ > >> - "2 read_msgbuf" "Disable reading kernel message buffer for= > >> unprivileged users" ${read_msgbuf:-off} \ > >> - "3 proc_debug" "Disable process debugging facilities for > >> unprivileged users" ${proc_debug:-off} \ > >> - "4 random_pid" "Randomize the PID of newly created process= es" > >> ${random_pid:-off} \ > >> - "5 stack_guard" "Insert stack guard page ahead of the grow= able > >> segments" ${stack_guard:-off} \ > >> - "6 clear_tmp" "Clean the /tmp filesystem on system startup= " > >> ${clear_tmp:-off} \ > >> - "7 disable_syslogd" "Disable opening Syslogd network socke= t > >> (disables remote logging)" ${disable_syslogd:-off} \ > >> - "8 disable_sendmail" "Disable Sendmail service" > >> ${disable_sendmail:-off} \ > >> + "0 hide_uids" "Hide processes running as other users" > >> ${hide_uids:-on} \ > >> + "1 hide_gids" "Hide processes running as other groups" > >> ${hide_gids:-on} \ > >> + "2 read_msgbuf" "Disable reading kernel message buffer for= > >> unprivileged users" ${read_msgbuf:-on} \ > >> + "3 proc_debug" "Disable process debugging facilities for > >> unprivileged users" ${proc_debug:-on} \ > >> + "4 random_pid" "Randomize the PID of newly created process= es" > >> ${random_pid:-on} \ > >> + "5 stack_guard" "Insert stack guard page ahead of the grow= able > >> segments" ${stack_guard:-on} \ > >> + "6 clear_tmp" "Clean the /tmp filesystem on system startup= " > >> ${clear_tmp:-on} \ > >> + "7 disable_syslogd" "Disable opening Syslogd network socke= t > >> (disables remote logging)" ${disable_syslogd:-on} \ > >> + "8 disable_sendmail" "Disable Sendmail service" > >> 
${disable_sendmail:-on} \ > >> 2>&1 1>&3 ) > >> exec 3>&- > >> > >> > >>
> > Hi Bartek,
> >
> > Thanks for working on making it easier to harden FreeBSD. While defaulting
> > some of these options to "on" seems pretty harmless (e.g. random_pid),
> > others are likely to cause confusion for new and experienced users alike
> > (e.g. proc_debug. I've never used that option before, so I gave it a try.
> > It simply causes gdb to hang when attempting to start a process, with no
> > obvious indication of why). I think more discussion is merited before they
> > are turned on by default; personally I think they have potential to sour a
> > first impression of FreeBSD by making things people are used to doing on
> > other OSes hard.
>
>
> The audience of these changes is not someone like you, who's using gdb
> daily. The audience is the new users who often don't know what they're
> doing, why they're doing that and how to do differently, especially when it
> comes to the security. Power users in most cases don't use bsdinstall to
> install their systems, they use automation of some sort to fine tune the OS
> exactly to their needs and use case, and in their case this change is
> transparent and doesn't affect them. What it affects is the default FreeBSD
> installation and our poor track record of default installation security and
> great track record for not changing and improving things just because
> they've been like that for the past decade.

Please don't turn FreeBSD into a system that is a pain to develop on. For my
undergrad students who do their work in Linux VMs I have multiple times ended
up unable to find a core dump in Ubuntu because of its weird core dump setup.
One of my assignments is to write a simple shell that forks off new processes
to call exec and you can't debug that out of the box on OS X either (gdb can't
start new processes without mucking with a security setting and then
rebooting, and lldb doesn't have the required functionality of following
forks). Right now FreeBSD is actually the most usable of the three systems for
this sort of thing. I think disabling proc_debug by default will be a similar
PITA, much as Ubuntu.

-- 
John Baldwin
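Review bot: flipping all nine `${var:-off}` defaults to `${var:-on}` in a single hunk bundles options with no user-visible cost (random_pid) together with proc_debug (item 3), which this thread reports makes gdb hang when starting a process; consider leaving proc_debug at `${proc_debug:-off}` in this change, or at least naming in the log message the options that change observable behaviour (proc_debug, disable_syslogd, whose own label says it "disables remote logging", and disable_sendmail). It is also worth stating in the log that `${name:-on}` only applies when the variable is unset, so scripted installs that pre-set these variables keep their values, which is the basis of the claim that the change is transparent for automated installs.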
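The hunk only changes the dialog's defaults, and the thread never shows what each option ends up setting on the installed system; as an added example that is neither bsdinstall's code nor from any message above, here is a POSIX sh audit helper that reports, from `sysctl -a`-style output, whether the sysctl-backed options (hide_uids, hide_gids, read_msgbuf, proc_debug, stack_guard) are actually in effect on a host. The sysctl names and hardened values are my recollection of what the hardening script writes and are assumptions, the sysctl output is constructed, and the rc.conf-backed options plus random_pid are deliberately not covered.

```shell
#!/bin/sh
# Added example, not bsdinstall's own code: audit which of the sysctl-backed
# hardening options from the r314036 dialog are in effect on a running host.
# ASSUMPTION: the sysctl names/values below are my recollection of what the
# hardening script writes to sysctl.conf; they do not appear in the thread.

# Map a dialog option name to "<sysctl> <hardened value>"; fail for options
# that are rc.conf-backed (clear_tmp, disable_syslogd, disable_sendmail) or
# whose hardened value is not fixed (random_pid picks a random kern.randompid).
hardening_sysctl() {
    case "$1" in
    hide_uids)   echo "security.bsd.see_other_uids 0" ;;
    hide_gids)   echo "security.bsd.see_other_gids 0" ;;
    read_msgbuf) echo "security.bsd.unprivileged_read_msgbuf 0" ;;
    proc_debug)  echo "security.bsd.unprivileged_proc_debug 0" ;;
    stack_guard) echo "security.bsd.stack_guard_page 1" ;;
    *)           return 1 ;;
    esac
}

# check_option OPTION SYSCTL_OUTPUT: prints on / off / unknown (sysctl not
# present in the output); returns 1 if OPTION is not sysctl-backed.
# SYSCTL_OUTPUT is "name: value" lines, the format produced by `sysctl -a`.
check_option() {
    spec=$(hardening_sysctl "$1") || return 1
    set -- $spec "$2"
    name=$1; want=$2; out=$3
    cur=$(printf '%s\n' "$out" | sed -n "s/^$name: //p")
    if [ -z "$cur" ]; then echo unknown
    elif [ "$cur" = "$want" ]; then echo on
    else echo off
    fi
}

# Constructed sample output: msgbuf and stack guard hardened, process
# debugging still open to unprivileged users, see_other_gids not listed.
SAMPLE='security.bsd.see_other_uids: 1
security.bsd.unprivileged_read_msgbuf: 0
security.bsd.unprivileged_proc_debug: 1
security.bsd.stack_guard_page: 1'

for opt in hide_uids hide_gids read_msgbuf proc_debug stack_guard; do
    echo "$opt: $(check_option "$opt" "$SAMPLE")"
done
```

On a real host, replace SAMPLE with `$(sysctl -a)` to audit the running kernel rather than the constructed sample.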
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1976446.uOnGb30fkc>