By default, the console is set to insecure in /etc/ttys resulting in no password prompt when the OS is booted in single-user mode in result lowering the physical security of the default installation. This patch adds new bsdinstall option to hardening section that allows users to change this behaviour to more secure one. It is OFF by default, so that we could introduce it without POLA violation and change it to ON by default later on, with the goal of changing it in the base OS at the end.
Details
Build yourself a bsdinstall with this patch, boot a machine, exit from installer, upload compiled patched bsdinstall version, run bsdinstall and pick the option in the hardening section. Verify the outcome after installation.
Diff Detail
- Lint
Lint Skipped - Unit
Tests Skipped
Event Timeline
I am not sure turning this one on by default in the future makes much sense.
It is not actually providing any real security. I can boot off of the freebsd install cd and mount the filesystem and have root access. If you really want to secure physically the system, you'd have to encrypt the disk.
It all depends on how you look at it @allanjude. If you think of it as 'one fix to rule them all' then yes, you are right, it does nothing. However, security comes in layers and its the accumulation of layers is what makes the system hard enough to penetrate that in effect it becomes 'unpenetrable' (as in: the effort outweights the benefits for most attackers, of course). You could argue that one could simply boot the server from a CD and this does nothing, sure. But I could argue that if one doesn't have a CD handy or the machine doesn't have CD drive and its USB drives are disabled in the BIOS, then this does a world of difference. In the same manner I could argue that encrypting drives does nothing but a slow down, once you have obtained physical access to the machine, so on, so forth - this leads nowhere when seen as a single solution in separation to all others.
That's why I believe this should go in, and after a while should be switched to ON by default. This one, and a few more I've coming ;)
Related to Allan's point, nothing in the hardening menu should ever be turned on by default. If we want to change the system defaults, we should change the system defaults. Having the defaults be different depending on whether the installer is used to set up the system is a super bad idea and one I would object to vigorously.
No objections to this patch as such, however.
@allanjude What are we going to do about this? Is bsdinstall change acceptable to you, or would you want me to create a patch for ttys instead? I'd like it to land already.
usr.sbin/bsdinstall/scripts/hardening | ||
---|---|---|
44 | "Set stack guard page ... to 512" is missing something. Maybe make this "Increase stack guard size to 2MB"? |
usr.sbin/bsdinstall/scripts/hardening | ||
---|---|---|
44 | Would 'Set stack guard page buffer size to 2MB' be OK? |