Changes in hardening

c0e249d32c780ee8240fe8b3b8144078a8eec41f - bsdinstall: avoid conflicts with fd 3

Tue, 15 Aug 2023 17:44:02 +0200

bsdinstall: avoid conflicts with fd 3Throughout the bsdinstall script fd 3 is used by f_dprintf (set through$TERMINAL_STDOUT_PASSTHRU). In several places in the bsdinstalls scripts,we use fd 3 to juggle stdout when calling out to other tools, which cancause the installer to fail with a "Bad file descriptor" error whenf_dprintf attempts to use it.This commit replaces all constructs like this: exec 3>&1 SOME_VARIABLE=$(some command 2>&1 1>&3) exec 3>&-With: exec 5>&1 SOME_VARIABLE=$(some command 2>&1 1>&5) exec 5>&-PR: 273148Reviewed by: corvinkFixes: 1f7746d81f53447ac15cc99395bb714d4dd0a4da ("bsdinstall: stop messing with file descriptors")MFC after: 1 week List of files: /freebsd/usr.sbin/bsdinstall/scripts/hardening

d0b2dbfa0ecf2bbc9709efc5e20baf8e4b44bbbf - Remove $FreeBSD$: one-line sh pattern

Wed, 16 Aug 2023 19:55:03 +0200

Remove $FreeBSD$: one-line sh patternRemove /^\s*#[#!]?\s*\$FreeBSD\$.*$\n/ List of files: /freebsd/usr.sbin/bsdinstall/scripts/hardening

fe06db1817e0af6cbfa963598e249810773c115c - bsdinstall: remove sendmail hardening option

Thu, 01 Jun 2023 22:37:06 +0200

bsdinstall: remove sendmail hardening optionsendmail is fully disabled in 14.0 by defaultReviewed by: imp, emasteDifferential Revision: https://reviews.freebsd.org/D40367 List of files: /freebsd/usr.sbin/bsdinstall/scripts/hardening

cc42ef5328963ee55c3305b136e9a86145f24594 - bsdinstall: allow whitelabeling the scripts

Tue, 24 May 2022 17:49:06 +0200

bsdinstall: allow whitelabeling the scriptsApproved by: allanjude, asicilianoDifferential Revision: https://reviews.freebsd.org/D35197Sponsored by: Rubicon Communications, LLC ("Netgate") List of files: /freebsd/usr.sbin/bsdinstall/scripts/hardening

4d1ba6febfa7c7808027fd1ef60b3bffadd17853 - bsdinstall hardening: Replace dialog with bsddialog

Wed, 23 Mar 2022 00:52:22 +0100

bsdinstall hardening: Replace dialog with bsddialogbsdinstall/scripts/hardening: Replace (LGPL) dialog utility with(BSD-2-CLAUSE) dialog utility.Approved by: bapt (mentor)Differential Revision: https://reviews.freebsd.org/D34102 List of files: /freebsd/usr.sbin/bsdinstall/scripts/hardening

bf410c6eda515364db5f6ed74b765efdec0595ae - Revert "bsdinstall: add knob to set ASLR sysctls"

Fri, 12 Nov 2021 20:32:57 +0100

Revert "bsdinstall: add knob to set ASLR sysctls"This reverts commit 020f4112559ebf7e94665c9a69f89d21929ce82a.Because now ASLR is enabled by default for 64-bit architecturesand the purpose of the installation menu is to allow choosingadditional 'mitigation'/'hardening' options that are originallydisabled, remove the ASLR knob from bsdinstall.Discussed with: emasteObtained from: SemihalfSponsored by: Stormshield List of files: /freebsd/usr.sbin/bsdinstall/scripts/hardening

020f4112559ebf7e94665c9a69f89d21929ce82a - bsdinstall: add knob to set ASLR sysctls

Fri, 29 Jan 2021 20:15:28 +0100

bsdinstall: add knob to set ASLR sysctlsReviewed by: mwSponsored by: The FreeBSD FoundationDifferential Revision: https://reviews.freebsd.org/D28418 List of files: /freebsd/usr.sbin/bsdinstall/scripts/hardening

fbc57e2df95b582f7d3287ed3919337bfec5711a - bsdinstall: replace multiple ifs with case

Fri, 29 Jan 2021 20:00:29 +0100

bsdinstall: replace multiple ifs with caseReduce copy-paste and use a more typical construct.Sponsored by: The FreeBSD FoundationDifferential Revision: https://reviews.freebsd.org/D28417 List of files: /freebsd/usr.sbin/bsdinstall/scripts/hardening

01d4e2149e5566e5d9394913dc9fb032da259e0b - MFH r338661 through r339200.

Fri, 05 Oct 2018 19:53:47 +0200

MFH r338661 through r339200.Sponsored by: The FreeBSD Foundation List of files: /freebsd/usr.sbin/bsdinstall/scripts/hardening

ce44d808538c6e32a86b2d79302418d17b28a854 - Merge ^/head r338731 through r338987.

Thu, 27 Sep 2018 22:00:07 +0200

Merge ^/head r338731 through r338987. List of files: /freebsd/usr.sbin/bsdinstall/scripts/hardening

c3afb29bb65fb372e2b892a4f486da1d3b9e2173 - Add an installer option to disable destructive dtrace.

Fri, 21 Sep 2018 11:27:32 +0200

Add an installer option to disable destructive dtrace.Submitted by: Jörg Pernfuß Approved by: re (kib)MFC after: 1 weekDifferential Revision: https://reviews.freebsd.org/D12474 List of files: /freebsd/usr.sbin/bsdinstall/scripts/hardening

c2c014f24c10f90d85126ac5fbd4d8524de32b1c - Merge ^/head r323559 through r325504.

Tue, 07 Nov 2017 09:39:14 +0100

Merge ^/head r323559 through r325504. List of files: /freebsd/usr.sbin/bsdinstall/scripts/hardening

50896984cd36c1724905e41819f5236399a4972d - MFhead@r324482

Tue, 10 Oct 2017 08:26:12 +0200

MFhead@r324482 List of files: /freebsd/usr.sbin/bsdinstall/scripts/hardening

f78bd12d6dd612d76f9019fb5f94e614f78a7e7e - bsdinstall(8) hardening menu: Utilize new kern.randompid=1 behaviour

Mon, 02 Oct 2017 16:19:31 +0200

bsdinstall(8) hardening menu: Utilize new kern.randompid=1 behaviourEnabling the PID randomization option in bsdinstall(8)'s hardening menunow randomizes the effective value of kern.randompid on each boot.Previous behaviour:When kern.randompid was enabled via the the bsdinstall(8) hardening menu,a random value was generated and placed in the systems /etc/sysctl.conf askern.randompid=valueThis makes the value of kern.randompid static across reboots.New behaviour:When kern.randompid is enabled via the bsdinstall(8) hardening menu, theline kern.randompid=1 is placed in the systems /etc/sysctl.conf.This takes advantage of a new kernel feature and makes the value ofkern.randompid be randomized by the kernel on each reboot.Submitted by: Marie Helene Kvello-Aune Reviewed by: desMFC after: 2 weeksDifferential Revision: https://reviews.freebsd.org/D12433 List of files: /freebsd/usr.sbin/bsdinstall/scripts/hardening

531c2d7af3cd2e64eec94aa1b19c4b2f16fce515 - MFhead@r320180

Mon, 24 Jul 2017 20:02:13 +0200

MFhead@r320180 List of files: /freebsd/usr.sbin/bsdinstall/scripts/hardening

bca9d05fdb058aa709621661c2feccae8940d94b - Merge ^/head r319973 through 321382.

Sun, 23 Jul 2017 17:22:06 +0200

Merge ^/head r319973 through 321382. List of files: /freebsd/usr.sbin/bsdinstall/scripts/hardening

90a5403fea4e5dc59918d4197456f90094b6f3fe - Merge ^/head r321307 through r321350.

Fri, 21 Jul 2017 20:54:34 +0200

Merge ^/head r321307 through r321350. List of files: /freebsd/usr.sbin/bsdinstall/scripts/hardening

391aafd7abc06a8ec1c83cdbff07c13fb27e7560 - Remove stack guard option from hardening menu.

Fri, 21 Jul 2017 10:50:22 +0200

Remove stack guard option from hardening menu.Since kib's change the stack guard is now ON by default,this option in hardening menu of bsdinstall is no longer needed.Submitted by: Bartlomiej Rutkowski Reviewed by: baptApproved by: baptMFC after: 1 daySponsored by: Pixeware LTDDifferential Revision: https://reviews.freebsd.org/D11686 List of files: /freebsd/usr.sbin/bsdinstall/scripts/hardening

d2043ca373caadb5ebf0b851bb440c67997a6232 - Merge ^/head r320573 through r320970.

Fri, 14 Jul 2017 00:01:38 +0200

Merge ^/head r320573 through r320970. List of files: /freebsd/usr.sbin/bsdinstall/scripts/hardening

2669f7ebf1997944a476f25fade18a6d6dbd6086 - usr.sbin/bsdinstall/scripts/hardening: fix options numbers

Thu, 06 Jul 2017 14:19:15 +0200

usr.sbin/bsdinstall/scripts/hardening: fix options numbersSubmitted by: Bartek Rutkowski Reviewed by: baptApproved by: baptMFC after: 1 dayDifferential Revision: https://reviews.freebsd.org/D11505 List of files: /freebsd/usr.sbin/bsdinstall/scripts/hardening