From 6b11c65693c86c7f3e46be16de7877ffb662bba5 Mon Sep 17 00:00:00 2001
From: Pierre Pronchery
Date: Fri, 28 Jul 2023 18:19:21 +0200
Subject: [PATCH] hardening: remember the answers to each item

With this change, the settings for all 9 possible hardening options are remembered when re-entering this menu.
PR: #236410
Sponsored by: The FreeBSD Foundation
---
scripts/hardening | 28 +++++++++++++++++++++++++---
1 file changed, 25 insertions(+), 3 deletions(-)

diff --git a/scripts/hardening b/scripts/hardening
index 99ffe18..019b51e 100755
--- a/scripts/hardening
+++ b/scripts/hardening
@@ -32,9 +32,31 @@
 : ${BSDDIALOG_OK=0}
-echo -n > $BSDINSTALL_TMPETC/rc.conf.hardening
-echo -n > $BSDINSTALL_TMPETC/sysctl.conf.hardening
-echo -n > $BSDINSTALL_TMPBOOT/loader.conf.hardening
+# make sure the target files exist
+touch $BSDINSTALL_TMPETC/rc.conf.hardening
+touch $BSDINSTALL_TMPETC/sysctl.conf.hardening
+touch $BSDINSTALL_TMPBOOT/loader.conf.hardening
+
+# load the current settings
+hide_uids=$(grep -q '^security\.bsd\.see_other_uids=0$' $BSDINSTALL_TMPETC/sysctl.conf.hardening && echo on)
+hide_gids=$(grep -q '^security\.bsd\.see_other_gids=0$' $BSDINSTALL_TMPETC/sysctl.conf.hardening && echo on)
+hide_jail=$(grep -q '^security\.bsd\.see_jail_proc=0$' $BSDINSTALL_TMPETC/sysctl.conf.hardening && echo on)
+read_msgbuf=$(grep -q '^security\.bsd\.unprivileged_read_msgbuf=0$' $BSDINSTALL_TMPETC/sysctl.conf.hardening && echo on)
+proc_debug=$(grep -q '^security\.bsd\.unprivileged_proc_debug=0$' $BSDINSTALL_TMPETC/sysctl.conf.hardening && echo on)
+random_pid=$(grep -q '^kern\.randompid=1$' $BSDINSTALL_TMPETC/sysctl.conf.hardening && echo on)
+clear_tmp=$(sysrc -ef $BSDINSTALL_TMPETC/rc.conf.hardening clear_tmp_enable)
+clear_tmp=${clear_tmp#*=}
+[ -n "$clear_tmp" -a "$clear_tmp" = '"YES"' ] && clear_tmp="on"
+disable_syslogd=$(sysrc -ef $BSDINSTALL_TMPETC/rc.conf.hardening syslogd_flags)
+disable_syslogd=${disable_syslogd#*=}
+[ -n "$disable_syslogd" -a "$disable_syslogd" = '"-ss"' ] && disable_syslogd="on"
+secure_console=$([ -f $BSDINSTALL_TMPETC/ttys.hardening ] && grep -q 'unknown off insecure' $BSDINSTALL_TMPETC/ttys.hardening && echo "on")
+disable_ddtrace=$(grep -q '^security\.bsd\.allow_destructive_dtrace=0$' $BSDINSTALL_TMPBOOT/loader.conf.hardening && echo on)
+
+# reset the target files
+: > $BSDINSTALL_TMPETC/rc.conf.hardening
+: > $BSDINSTALL_TMPETC/sysctl.conf.hardening
+: > $BSDINSTALL_TMPBOOT/loader.conf.hardening
 exec 3>&1
 FEATURES=$( bsddialog --backtitle "$OSNAME Installer" \
-- 
2.41.0
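Review bot: The two tests `[ -n "$clear_tmp" -a "$clear_tmp" = '"YES"' ]` and `[ -n "$disable_syslogd" -a "$disable_syslogd" = '"-ss"' ]` use the deprecated `-a` connective and a redundant `-n` check, since the string comparison already fails on an empty value; `[ "$clear_tmp" = '"YES"' ] && clear_tmp="on"` (and the same shape for disable_syslogd) is equivalent and portable. On a fresh install rc.conf.hardening is empty right after the `touch`, so the two `sysrc -ef` queries presumably report an unknown variable on stderr; `2>/dev/null` on those two calls would keep the installer console clean, as their stdout is already handled by the `${var#*=}` stripping. The `grep -q … && echo on` loaders only recognise the exact lines this script writes (`^…=0$`, `^kern\.randompid=1$`), so any other content of the three files is silently dropped by the `: >` truncation that follows; a one-line comment there such as `# the files are rebuilt from the checklist answers below; unrecognised entries are not preserved` would make that explicit now that the files are read before being cleared. Whether an empty loader value maps to an unchecked item depends on the bsddialog checklist below, which is outside the hunk.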