Date:      Mon, 2 Oct 2017 14:19:31 +0000 (UTC)
From:      Allan Jude <allanjude@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r324206 - head/usr.sbin/bsdinstall/scripts
Message-ID:  <201710021419.v92EJVQe071189@repo.freebsd.org>

Author: allanjude
Date: Mon Oct  2 14:19:31 2017
New Revision: 324206
URL: https://svnweb.freebsd.org/changeset/base/324206

Log:
  bsdinstall(8) hardening menu: Utilize new kern.randompid=1 behaviour
  
  Enabling the PID randomization option in bsdinstall(8)'s hardening menu
  now randomizes the effective value of kern.randompid on each boot.
  
  Previous behaviour:
  When kern.randompid was enabled via the bsdinstall(8) hardening menu,
  a random value was generated and placed in the system's /etc/sysctl.conf as
  kern.randompid=value
  This makes the value of kern.randompid static across reboots.
  
  New behaviour:
  When kern.randompid is enabled via the bsdinstall(8) hardening menu, the
  line kern.randompid=1 is placed in the system's /etc/sysctl.conf.
  This takes advantage of a new kernel feature and makes the value of
  kern.randompid be randomized by the kernel on each reboot.
  
  Submitted by:	Marie Helene Kvello-Aune <marieheleneka@gmail.com>
  Reviewed by:	des
  MFC after:	2 weeks
  Differential Revision:	https://reviews.freebsd.org/D12433

Modified:
  head/usr.sbin/bsdinstall/scripts/hardening
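As an added check, not part of this commit or of the bsdinstall(8) scripts: a small sh function that reports which kern.randompid setting a sysctl.conf-style file ends up with, so an administrator can tell a system installed with the old static value (a fixed number written by the previous script) from one using the new boot-time randomization (kern.randompid=1). The sample files and values below are constructed for the example; the classification names are this example's own, not anything the kernel prints.

```shell
#!/bin/sh
# Added audit helper (example code, not from the bsdinstall(8) commit).
# Classifies the effective kern.randompid line in a sysctl.conf-style file.
# Prints one of: absent, disabled, boot-randomized, static:<n>, invalid:<v>

classify_randompid() {
	file="$1"
	# sysctl.conf is applied top to bottom, so the last assignment wins;
	# tolerate optional whitespace around '=' and a trailing comment.
	value=$(sed -n \
		's/^[[:space:]]*kern\.randompid[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' \
		"$file" | tail -n 1)
	if [ -z "$value" ]; then
		echo absent
		return 0
	fi
	case "$value" in
		*[!0-9]*) echo "invalid:$value" ;;   # not a number at all
		0)        echo disabled ;;           # explicitly turned off
		1)        echo boot-randomized ;;    # behaviour introduced by this commit
		*)        echo "static:$value" ;;    # old script: fixed value across reboots
	esac
}

# Constructed sample files standing in for /etc/sysctl.conf on different hosts.
demo_dir=$(mktemp -d)
printf 'kern.randompid=4711\n' > "$demo_dir/old.conf"
printf '# hardening menu\nkern.randompid=1\n' > "$demo_dir/new.conf"
printf 'kern.randompid = 0 # turned off\n' > "$demo_dir/off.conf"
printf 'security.bsd.see_other_uids=0\n' > "$demo_dir/none.conf"

for f in old new off none; do
	printf '%s: %s\n' "$f.conf" "$(classify_randompid "$demo_dir/$f.conf")"
done
```

On a real host, run `classify_randompid /etc/sysctl.conf` (the installer merges sysctl.conf.hardening into that file); a `static:<n>` result means the system was set up by the previous version of the script and still uses one fixed value across reboots.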

Modified: head/usr.sbin/bsdinstall/scripts/hardening
==============================================================================
--- head/usr.sbin/bsdinstall/scripts/hardening	Mon Oct  2 12:54:01 2017	(r324205)
+++ head/usr.sbin/bsdinstall/scripts/hardening	Mon Oct  2 14:19:31 2017	(r324206)
@@ -66,7 +66,7 @@ for feature in $FEATURES; do
 		echo security.bsd.unprivileged_proc_debug=0 >> $BSDINSTALL_TMPETC/sysctl.conf.hardening
 	fi
 	if [ "$feature" = "random_pid" ]; then
-		echo kern.randompid=$(jot -r 1 9999) >> $BSDINSTALL_TMPETC/sysctl.conf.hardening
+		echo kern.randompid=1 >> $BSDINSTALL_TMPETC/sysctl.conf.hardening
 	fi
 	if [ "$feature" = "clear_tmp" ]; then
 		echo 'clear_tmp_enable="YES"' >> $BSDINSTALL_TMPETC/rc.conf.hardening
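Review bot: the `random_pid` branch now writes a literal `kern.randompid=1`, which only has the intended effect on a kernel that interprets the value 1 as "randomize on each boot" (the new kernel feature the log refers to); since the change is marked `MFC after: 2 weeks`, the merge to stable should not land before the corresponding kernel change is there, or installed systems would get a `1` where the old script wrote a random modulus. A short comment above `echo kern.randompid=1 >> $BSDINSTALL_TMPETC/sysctl.conf.hardening` stating that dependency would make the requirement visible to the next person editing the script.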