# FreeBSD 11 new installer options



## gkontos (Sep 25, 2016)

I installed FreeBSD 11.0-RELEASE today. (I know it is not officially announced, but you can download it.)
I noticed some new features in the installer. First, you have the option to install the system with debug on:







The suggested partition scheme was MBR and not GPT, at least on a 20 GB VMware disk.
And finally, some additional system security hardening options:






Impressive! Does anyone know which sysctl values those system security options affect?

Some are very obvious...


----------



## protocelt (Sep 25, 2016)

Hide processes running as other users = `security.bsd.see_other_uids`

Hide processes running as other groups = `security.bsd.see_other_gids`

Disable reading kernel message buffer for unprivileged users = `security.bsd.unprivileged_read_msgbuf`

Disable process debugging facilities for unprivileged users = `security.bsd.unprivileged_proc_debug`

Randomize the PID of newly created processes = `kern.randompid`

Insert stack guard page ahead of the growable segments = `security.bsd.stack_guard_page`

For reference: https://reviews.freebsd.org/D6826


----------



## gkontos (Sep 25, 2016)

Excellent, I need to find some time to test bhyve. Then, maybe I can get rid of all my Linux KVM servers!


----------



## cj572 (Oct 18, 2016)

Hi,
I am still new to FreeBSD and I have a question about how to set the hardening. I want to make my FreeBSD 11 as secure as possible. Thank you for your time. CJ


----------



## xtaz (Oct 19, 2016)

If you haven't already set the options in the installer, like in the screenshot above, then edit /etc/sysctl.conf and add the following lines, changing the 1234 to a better random number of your choice.


```
security.bsd.see_other_uids=0
security.bsd.see_other_gids=0
security.bsd.unprivileged_read_msgbuf=0
security.bsd.unprivileged_proc_debug=0
kern.randompid=1234
security.bsd.stack_guard_page=1
```

They will only become active after a reboot. To make them active straight away, simply run them on the command line using the `sysctl` command, like `sysctl security.bsd.see_other_uids=0`.


----------



## SirDice (Oct 19, 2016)

This thread is a bit older but it should still apply: Thread 4108


----------



## cj572 (Oct 23, 2016)

Thank you for all the info; I will use it to set up my FreeBSD 11 system.
CJ


----------



## Deleted member 48958 (Dec 13, 2017)

Here is where it is possible to view all available options:
/usr/src/usr.sbin/bsdinstall/scripts/hardening

Here are all the 12-CURRENT hardening options:
*Hide processes running as other users* - add `security.bsd.see_other_uids=0` to /etc/sysctl.conf
*Hide processes running as other groups* - add `security.bsd.see_other_gids=0` to /etc/sysctl.conf
*Hide processes running in jails* - add `security.bsd.see_jail_proc=0` to /etc/sysctl.conf
*Disable reading kernel message buffer for unprivileged users* - add `security.bsd.unprivileged_read_msgbuf=0` to /etc/sysctl.conf
*Disable process debugging facilities for unprivileged users* - add `security.bsd.unprivileged_proc_debug=0` to /etc/sysctl.conf
*Randomize the PID of newly created processes* - add `kern.randompid=1` to /etc/sysctl.conf
*Clean the /tmp filesystem on system startup* - add `clear_tmp_enable="YES"` to /etc/rc.conf
*Disable opening Syslogd network socket (disables remote logging)* - add `syslogd_flags="-ss"` to /etc/rc.conf
*Disable Sendmail service* - add `sendmail_enable="NONE"` to /etc/rc.conf
*Enable console password prompt (ask root password in single user mode)* - replace

```
console none                            unknown off secure
```

with

```
console none                            unknown off insecure
```

in /etc/ttys.

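As an added example (not code from this thread, and not bsdinstall's own hardening script), the POSIX sh script below applies the settings from xtaz's sysctl.conf list and from the 12-CURRENT list above to sysctl.conf-, rc.conf- and ttys-style files without duplicating keys, and then checks a sysctl.conf against saved `sysctl -a` output (FreeBSD's `sysctl` prints one `name: value` per line). All file paths are parameters, and the file contents, the 4321 PID modulus and the "live" sysctl output in the demo are constructed for illustration; `security.bsd.see_jail_proc` is left out of the sysctl list because it exists only on 12-CURRENT per the post above.

```shell
#!/bin/sh
# Added example, not code from the thread or from bsdinstall: apply the
# hardening settings discussed above to sysctl.conf/rc.conf-style files
# without duplicating keys, flip the console line in a ttys file, and check
# a sysctl.conf against saved `sysctl -a` output ("name: value" per line).
# Every path is a parameter, so it can be rehearsed on copies before /etc.

# set_kv FILE KEY=VALUE: rewrite an existing KEY= line in place, or append.
# Handles both sysctl.conf (key=0) and rc.conf (key="YES") lines; KEY=VALUE
# must not contain backslashes, which awk -v would interpret.
set_kv() {
    _file="$1"; _kv="$2"; _key="${_kv%%=*}"
    [ -f "$_file" ] || : > "$_file"
    awk -v key="$_key" -v kv="$_kv" '
        BEGIN { FS = "=" }
        $1 == key { print kv; seen = 1; next }
        { print }
        END { if (!seen) print kv }
    ' "$_file" > "$_file.tmp" && mv "$_file.tmp" "$_file"
}

# harden_sysctl CONF PIDMOD: the sysctl lines from the thread. On 11.0
# kern.randompid takes a random modulus (xtaz's 1234); the 12-CURRENT list
# uses 1. security.bsd.see_jail_proc (12-CURRENT only) can be added the same
# way once the running kernel has it.
harden_sysctl() {
    _conf="$1"; _pidmod="$2"
    for _s in security.bsd.see_other_uids=0 \
              security.bsd.see_other_gids=0 \
              security.bsd.unprivileged_read_msgbuf=0 \
              security.bsd.unprivileged_proc_debug=0 \
              "kern.randompid=$_pidmod" \
              security.bsd.stack_guard_page=1; do
        set_kv "$_conf" "$_s"
    done
}

# harden_rc RC_CONF: the rc.conf lines from the 12-CURRENT list.
harden_rc() {
    set_kv "$1" 'clear_tmp_enable="YES"'
    set_kv "$1" 'syslogd_flags="-ss"'
    set_kv "$1" 'sendmail_enable="NONE"'
}

# secure_console TTYS: change "secure" to "insecure" on the console line only,
# keeping the column layout; a line already marked insecure is left alone.
secure_console() {
    sed 's/^\(console[[:space:]].*[[:space:]]\)secure[[:space:]]*$/\1insecure/' "$1" \
        > "$1.tmp" && mv "$1.tmp" "$1"
}

# check_sysctls CONF LIVE: compare each key=value in CONF with the "key: value"
# lines in LIVE (saved `sysctl -a` output). Prints every mismatch and returns
# the number of mismatches (0 = every configured value is live).
check_sysctls() {
    awk '
        FILENAME == ARGV[1] {
            if ($0 ~ /^[ \t]*(#|$)/) next          # skip comments and blanks
            i = index($0, "="); if (i == 0) next
            want[substr($0, 1, i - 1)] = substr($0, i + 1); next
        }
        {
            i = index($0, ": "); if (i == 0) next
            have[substr($0, 1, i - 1)] = substr($0, i + 2)
        }
        END {
            bad = 0
            for (k in want) {
                if (!(k in have)) { printf "%s: not present on this kernel\n", k; bad++ }
                else if (have[k] != want[k]) { printf "%s: want %s, have %s\n", k, want[k], have[k]; bad++ }
            }
            exit bad
        }
    ' "$1" "$2"
}

# demo_hardening: run everything on constructed files in a temp directory and
# return the mismatch count. The constructed "live" output models a box where
# sysctl.conf was written but not reloaded, so kern.randompid is still 0.
demo_hardening() {
    _d=$(mktemp -d) || return 2
    printf '%s\n' '# existing settings' 'security.bsd.see_other_uids=1' \
        'kern.ipc.somaxconn=1024' > "$_d/sysctl.conf"
    printf 'console\tnone\t\t\t\t\tunknown\toff secure\n' > "$_d/ttys"
    harden_sysctl "$_d/sysctl.conf" 4321
    harden_rc "$_d/rc.conf"
    secure_console "$_d/ttys"
    cat "$_d/sysctl.conf" "$_d/rc.conf" "$_d/ttys"
    printf '%s\n' 'security.bsd.see_other_uids: 0' 'security.bsd.see_other_gids: 0' \
        'security.bsd.unprivileged_read_msgbuf: 0' 'security.bsd.unprivileged_proc_debug: 0' \
        'kern.randompid: 0' 'security.bsd.stack_guard_page: 1' \
        'kern.ipc.somaxconn: 1024' > "$_d/live"
    check_sysctls "$_d/sysctl.conf" "$_d/live"; _rc=$?
    rm -rf "$_d"
    return $_rc
}

demo_hardening || :   # nonzero status is the mismatch count; keep the shell alive
```

The demo reports exactly one mismatch, `kern.randompid: want 4321, have 0`, which is xtaz's point above: writing /etc/sysctl.conf changes nothing until the values are set with `sysctl` or the box is rebooted. To use it for real, run the functions as root against /etc/sysctl.conf, /etc/rc.conf and /etc/ttys, then save `sysctl -a` to a file and feed that to `check_sysctls` to confirm every value is live and every OID exists on the running kernel.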

----------

