diff --git a/en_US.ISO8859-1/books/handbook/Makefile b/en_US.ISO8859-1/books/handbook/Makefile index ad1490eb18..be3d4100eb 100644 --- a/en_US.ISO8859-1/books/handbook/Makefile +++ b/en_US.ISO8859-1/books/handbook/Makefile @@ -64,6 +64,7 @@ IMAGES_EN+= bsdinstall/bsdinstall-distfile-verifying.png IMAGES_EN+= bsdinstall/bsdinstall-final-confirmation.png IMAGES_EN+= bsdinstall/bsdinstall-finalconfiguration.png IMAGES_EN+= bsdinstall/bsdinstall-final-modification-shell.png +IMAGES_EN+= bsdinstall/bsdinstall-hardening.png IMAGES_EN+= bsdinstall/bsdinstall-keymap-10.png IMAGES_EN+= bsdinstall/bsdinstall-keymap-loading.png IMAGES_EN+= bsdinstall/bsdinstall-keymap-select-default.png diff --git a/en_US.ISO8859-1/books/handbook/bsdinstall/chapter.xml b/en_US.ISO8859-1/books/handbook/bsdinstall/chapter.xml index 08a27244c8..207a805bc4 100644 --- a/en_US.ISO8859-1/books/handbook/bsdinstall/chapter.xml +++ b/en_US.ISO8859-1/books/handbook/bsdinstall/chapter.xml @@ -939,7 +939,7 @@ Ethernet address 0:3:ba:b:92:d4, Host ID: 830b92d4. - After the keymaps have been loaded bsdinstall displays the + After the keymaps have been loaded bsdinstall displays the menu shown in . Use the up and down arrows to select the keymap that most closely represents the mapping of the keyboard attached to the system. @@ -2308,7 +2308,7 @@ Ethernet address 0:3:ba:b:92:d4, Host ID: 830b92d4. ntpdate - Enable the automatic clock synchronization at boot time. The functionality of this program is now available in the ntpd daemon. After a - suitable period of mourning, the &man.ntpd.8; utility will + suitable period of mourning, the &man.ntpdate.8; utility will be retired. @@ -2332,6 +2332,112 @@ Ethernet address 0:3:ba:b:92:d4, Host ID: 830b92d4. + + + Enabling Hardening Security Options + + The next menu is used to configure which security + options will be enabled. All of these options are optional. + But their use is encouraged. + +
+ Selecting Hardening Security Options + + + + + + +
+ + Here is a summary of the options which can be enabled in + this menu: + + + + hide_uids - Hide processes running + as other users to prevent the unprivileged users to see + other running processes in execution by other users (UID) + preventing information leakage. + + + + hide_gids - Hide processes running + as other groups to prevent the unprivileged users to see + other running processes in execution by other groups (GID) + preventing information leakage. + + + + hide_jail - Hide processes running + in jails to prevent the unprivileged users to see + processes running inside the jails. + + + + read_msgbuf - Disabling reading + kernel message buffer for unprivileged users prevent from + using &man.dmesg.8; to view messages from the kernel's log + buffer. + + + + proc_debug - Disabling process + debugging facilities for unprivileged users disables + a variety of unprivileged inter-process debugging + services, including some procfs functionality, ptrace(), + and ktrace(). Please note that this will also prevent + debugging tools, for instance &man.lldb.1;, &man.truss.1;, + &man.procstat.1;, as well as some built-in debugging + facilities in certain scripting language like PHP, etc., + from working for unprivileged users. + + + + random_pid - Randomize the PID of + newly created processes. + + + + clear_tmp - Clean + /tmp when the system starts + up. + + + + disable_syslogd - Disable opening + syslogd network socket. By + default &os; runs syslogd in a + secure way with -s. That prevents the + daemon from listening for incoming UDP requests + at port 514. With this option enabled + syslogd will run with the flag + -ss which prevents + syslogd from opening any port. + To get more information consult &man.syslogd.8;. + + + + disable_sendmail - Disable the + sendmail mail transport agent. + + + + secure_console - When this option + is enabled, the prompt requests the root password when + entering single. + + + + disable_ddtrace - &dtrace; can run + in a mode that will actually affect the running kernel. + Destructive actions may not be used unless they have + been explicitly enabled. To enable this option when using + &dtrace; use -w. To get more + information consult &man.dtrace.1;. + + + Add Users @@ -2538,6 +2644,11 @@ Ethernet address 0:3:ba:b:92:d4, Host ID: 830b92d4. linkend="bsdinstall-sysconf"/>. + + System Hardening - Described in + . + + Time Zone - Described in . diff --git a/share/images/books/handbook/bsdinstall/bsdinstall-finalconfiguration.png b/share/images/books/handbook/bsdinstall/bsdinstall-finalconfiguration.png index a67d52d66f..aa09c2a8ce 100644 Binary files a/share/images/books/handbook/bsdinstall/bsdinstall-finalconfiguration.png and b/share/images/books/handbook/bsdinstall/bsdinstall-finalconfiguration.png differ diff --git a/share/images/books/handbook/bsdinstall/bsdinstall-hardening.png b/share/images/books/handbook/bsdinstall/bsdinstall-hardening.png new file mode 100644 index 0000000000..a1df8e49fa Binary files /dev/null and b/share/images/books/handbook/bsdinstall/bsdinstall-hardening.png differ