Add the hardening section to the handbook

Submitted by:	carlavilla@
Approved by:	bcr@
Differential Revision:	https://reviews.freebsd.org/D23996

en_US.ISO8859-1/books/handbook/Makefile

@@ -64,6 +64,7 @@ IMAGES_EN+= bsdinstall/bsdinstall-distfile-verifying.png
 IMAGES_EN+= bsdinstall/bsdinstall-final-confirmation.png
 IMAGES_EN+= bsdinstall/bsdinstall-finalconfiguration.png
 IMAGES_EN+= bsdinstall/bsdinstall-final-modification-shell.png
+IMAGES_EN+= bsdinstall/bsdinstall-hardening.png
 IMAGES_EN+= bsdinstall/bsdinstall-keymap-10.png
 IMAGES_EN+= bsdinstall/bsdinstall-keymap-loading.png
 IMAGES_EN+= bsdinstall/bsdinstall-keymap-select-default.png

en_US.ISO8859-1/books/handbook/bsdinstall/chapter.xml

@@ -939,7 +939,7 @@ Ethernet address 0:3:ba:b:92:d4, Host ID: 830b92d4.</screen>
 	</mediaobject>
       </figure>
 
-      <para>After the keymaps have been loaded <application>bsdinstall</application> displays the
+      <para>After the keymaps have been loaded bsdinstall displays the
 	menu shown in <xref linkend="bsdinstall-keymap-10"/>.  Use the
 	up and down arrows to select the keymap that most closely
 	represents the mapping of the keyboard attached to the system.
@@ -2308,7 +2308,7 @@ Ethernet address 0:3:ba:b:92:d4, Host ID: 830b92d4.</screen>
 	  <para><literal>ntpdate</literal> - Enable the automatic
 	    clock synchronization at boot time.  The functionality of
 	    this program is now available in the ntpd daemon.  After a
-	    suitable period of mourning, the &man.ntpd.8; utility will
+	    suitable period of mourning, the &man.ntpdate.8; utility will
 	    be retired.</para>
 	</listitem>
 
@@ -2332,6 +2332,112 @@ Ethernet address 0:3:ba:b:92:d4, Host ID: 830b92d4.</screen>
 	</listitem>
 	</itemizedlist>
     </sect2>
+    
+    <sect2 xml:id="bsdinstall-hardening">
+      <title>Enabling Hardening Security Options</title>
+
+      <para>The next menu is used to configure which security
+	options will be enabled.  All of these options are optional.
+	But their use is encouraged.</para>
+
+      <figure xml:id="bsdinstall-hardening-options">
+	<title>Selecting Hardening Security Options</title>
+
+	<mediaobject>
+	  <imageobject>
+	    <imagedata fileref="bsdinstall/bsdinstall-hardening"/>
+	  </imageobject>
+	</mediaobject>
+      </figure>
+
+      <para>Here is a summary of the options which can be enabled in
+	this menu:</para>
+
+      <itemizedlist>
+	<listitem>
+	  <para><literal>hide_uids</literal> - Hide processes running
+	    as other users to prevent the unprivileged users to see
+	    other running processes in execution by other users (UID)
+	    preventing information leakage.</para>
+	</listitem>
+
+	<listitem>
+	  <para><literal>hide_gids</literal> - Hide processes running
+	    as other groups to prevent the unprivileged users to see
+	    other running processes in execution by other groups (GID)
+	    preventing information leakage.</para>
+	</listitem>
+
+	<listitem>
+	  <para><literal>hide_jail</literal> - Hide processes running
+	    in jails to prevent the unprivileged users to see
+	    processes running inside the jails.</para>
+	</listitem>
+
+	<listitem>
+	  <para><literal>read_msgbuf</literal> - Disabling reading
+	    kernel message buffer for unprivileged users prevent from
+	    using &man.dmesg.8; to view messages from the kernel's log
+	    buffer.</para>
+	</listitem>
+
+	<listitem>
+	  <para><literal>proc_debug</literal> - Disabling process
+	    debugging facilities for unprivileged users disables
+	    a variety of unprivileged inter-process debugging
+	    services, including some procfs functionality, ptrace(),
+	    and ktrace().  Please note that this will also prevent
+	    debugging tools, for instance &man.lldb.1;, &man.truss.1;,
+	    &man.procstat.1;, as well as some built-in debugging
+	    facilities in certain scripting language like PHP, etc.,
+	    from working for unprivileged users.</para>
+	</listitem>
+
+	<listitem>
+	  <para><literal>random_pid</literal> - Randomize the PID of
+	    newly created processes.</para>
+	</listitem>
+
+	<listitem>
+	  <para><literal>clear_tmp</literal> - Clean
+	    <filename>/tmp</filename> when the system starts
+	    up.</para>
+	</listitem>
+
+	<listitem>
+	  <para><literal>disable_syslogd</literal> - Disable opening
+	    <application>syslogd</application> network socket.  By
+	    default &os; runs <application>syslogd</application> in a
+	    secure way with <command>-s</command>.  That prevents the
+	    daemon from listening for incoming UDP requests
+	    at port 514.  With this option enabled
+	    <application>syslogd</application> will run with the flag
+	    <command>-ss</command> which prevents
+	    <application>syslogd</application> from opening any port.
+	    To get more information consult &man.syslogd.8;.</para>
+	</listitem>
+
+	<listitem>
+	  <para><literal>disable_sendmail</literal> - Disable the
+	    sendmail mail transport agent.</para>
+	</listitem>
+
+	<listitem>
+	  <para><literal>secure_console</literal> - When this option
+	    is enabled, the prompt requests the root password when 
+	    entering single.</para>
+	</listitem>
+
+	<listitem>
+	  <para><literal>disable_ddtrace</literal> - &dtrace; can run
+	    in a mode that will actually affect the running kernel.
+	    Destructive actions may not be used unless they have
+	    been explicitly enabled.  To enable this option when using
+	    &dtrace; use <command>-w</command>.  To get more
+	    information consult &man.dtrace.1;.</para>
+	</listitem>
+      </itemizedlist>
+    </sect2>
 
     <sect2 xml:id="bsdinstall-addusers">
       <title>Add Users</title>
@@ -2538,6 +2644,11 @@ Ethernet address 0:3:ba:b:92:d4, Host ID: 830b92d4.</screen>
 	      linkend="bsdinstall-sysconf"/>.</para>
 	</listitem>
 
+	<listitem>
+	  <para><literal>System Hardening</literal> - Described in
+	      <xref linkend="bsdinstall-hardening"/>.</para>
+	</listitem>
+
 	<listitem>
 	  <para><literal>Time Zone</literal> - Described in <xref
 	      linkend="bsdinstall-timezone"/>.</para>