1
0
mirror of https://git.FreeBSD.org/src.git synced 2024-12-14 10:09:48 +00:00

Moved descriptions of securelevels from init(7) to security(7).

Files used both "securelevel" and either "secure level" or
"security level"; all are now "security level".

PR:             docs/84266
Submitted by:   garys
Approved by:    keramida
MFC after:      3 days
This commit is contained in:
Gary W. Swearingen 2005-09-03 17:16:00 +00:00
parent a01459df60
commit e17c0e3256
Notes: svn2git 2020-12-20 02:59:44 +00:00
svn path=/head/; revision=149766
2 changed files with 68 additions and 69 deletions

View File

@ -87,58 +87,9 @@ The password check is skipped if the
is marked as
.Dq secure .
.Pp
The kernel runs with five different levels of security.
Any super-user process can raise the security level, but no process
can lower it.
The security levels are:
.Bl -tag -width flag
.It Ic -1
Permanently insecure mode \- always run the system in level 0 mode.
This is the default initial value.
.It Ic 0
Insecure mode \- immutable and append-only flags may be turned off.
All devices may be read or written subject to their permissions.
.It Ic 1
Secure mode \- the system immutable and system append-only flags may not
be turned off;
disks for mounted file systems,
.Pa /dev/mem ,
.Pa /dev/kmem
and
.Pa /dev/io
(if your platform has it) may not be opened for writing;
kernel modules (see
.Xr kld 4 )
may not be loaded or unloaded.
.It Ic 2
Highly secure mode \- same as secure mode, plus disks may not be
opened for writing (except by
.Xr mount 2 )
whether mounted or not.
This level precludes tampering with file systems by unmounting them,
but also inhibits running
.Xr newfs 8
while the system is multi-user.
.Pp
In addition, kernel time changes are restricted to less than or equal to one
second.
Attempts to change the time by more than this will log the message
.Dq Time adjustment clamped to +1 second .
.It Ic 3
Network secure mode \- same as highly secure mode, plus
IP packet filter rules (see
.Xr ipfw 8 ,
.Xr ipfirewall 4
and
.Xr pfctl 8 )
cannot be changed and
.Xr dummynet 4
or
.Xr pf 4
configuration cannot be adjusted.
.El
.Pp
If the security level is initially nonzero, then
If the system security level (see
.Xr security 7 )
is initially nonzero, then
.Nm
leaves it unchanged.
Otherwise,
@ -161,9 +112,7 @@ is run in a jail, the security level of the
.Dq host system
will not be effected.
Part of the information set up in the kernel to support a jail
is a per-jail
.Dq securelevel
setting.
is a per-jail security level.
This allows running a higher security level inside of a jail
than that of the host system.
See
@ -392,19 +341,13 @@ a persistent device error condition.
.Xr kill 1 ,
.Xr login 1 ,
.Xr sh 1 ,
.Xr dummynet 4 ,
.Xr ipfirewall 4 ,
.Xr kld 4 ,
.Xr pf 4 ,
.Xr ttys 5 ,
.Xr crash 8 ,
.Xr getty 8 ,
.Xr halt 8 ,
.Xr ipfw 8 ,
.Xr jail 8 ,
.Xr pfctl 8 ,
.Xr rc 8 ,
.Xr reboot 8 ,
.Xr security 7 ,
.Xr shutdown 8 ,
.Xr sysctl 8
.Sh HISTORY

View File

@ -498,14 +498,14 @@ his own
.Xr bpf 4
device or other sniffing device on a running kernel.
To avoid these problems you have to run
the kernel at a higher secure level, at least securelevel 1.
The securelevel can be set with a
the kernel at a higher security level, at least level 1.
The security level can be set with a
.Xr sysctl 8
on the
.Va kern.securelevel
variable.
Once you have
set the securelevel to 1, write access to raw devices will be denied and
set the security level to 1, write access to raw devices will be denied and
special
.Xr chflags 1
flags, such as
@ -515,12 +515,12 @@ You must also ensure
that the
.Cm schg
flag is set on critical startup binaries, directories, and
script files \(em everything that gets run up to the point where the securelevel
is set.
script files \(em everything that gets run
up to the point where the security level is set.
This might be overdoing it, and upgrading the system is much more
difficult when you operate at a higher secure level.
difficult when you operate at a higher security level.
You may compromise and
run the system at a higher secure level but not set the
run the system at a higher security level but not set the
.Cm schg
flag for every
system file and directory under the sun.
@ -533,6 +533,62 @@ read-only.
It should be noted that being too draconian in
what you attempt to protect may prevent the all-important detection of an
intrusion.
.Pp
The kernel runs with five different security levels.
Any super-user process can raise the level, but no process
can lower it.
The security levels are:
.Bl -tag -width flag
.It Ic -1
Permanently insecure mode \- always run the system in insecure mode.
This is the default initial value.
.It Ic 0
Insecure mode \- immutable and append-only flags may be turned off.
All devices may be read or written subject to their permissions.
.It Ic 1
Secure mode \- the system immutable and system append-only flags may not
be turned off;
disks for mounted file systems,
.Pa /dev/mem ,
.Pa /dev/kmem
and
.Pa /dev/io
(if your platform has it) may not be opened for writing;
kernel modules (see
.Xr kld 4 )
may not be loaded or unloaded.
.It Ic 2
Highly secure mode \- same as secure mode, plus disks may not be
opened for writing (except by
.Xr mount 2 )
whether mounted or not.
This level precludes tampering with file systems by unmounting them,
but also inhibits running
.Xr newfs 8
while the system is multi-user.
.Pp
In addition, kernel time changes are restricted to less than or equal to one
second.
Attempts to change the time by more than this will log the message
.Dq Time adjustment clamped to +1 second .
.It Ic 3
Network secure mode \- same as highly secure mode, plus
IP packet filter rules (see
.Xr ipfw 8 ,
.Xr ipfirewall 4
and
.Xr pfctl 8 )
cannot be changed and
.Xr dummynet 4
or
.Xr pf 4
configuration cannot be adjusted.
.El
.Pp
The security level is discussed further in
.Xr init 8
and can be configured with variables documented in
.Xr rc.conf 8 .
.Sh CHECKING FILE INTEGRITY: BINARIES, CONFIG FILES, ETC
When it comes right down to it, you can only protect your core system
configuration and control files so much before the convenience factor