Securelevel Option in rc.conf

From FreeBSDwiki
Jump to: navigation, search

Securelevel Option in rc.conf

The kernel runs with five different levels of security. Any super-user process can raise the security level, but no process can lower it. The security levels are:

-1 Permanently insecure mode - always run the system in level 0 mode.

This is the default initial value.

0 Insecure mode - immutable and append-only flags may be turned off; all devices may be read or written subject to their permissions.

1 Secure mode - the system immutable and system append-only flags may not be turned off; disks for mounted file systems, /dev/mem, and /dev/kmem may not be opened for writing; kernel modules (see kld(4) may not be loaded or unloaded.

2 Highly secure mode - same as secure mode, plus disks may not be opened for writing (except by mount(2)) whether mounted or not. This level precludes tampering with file systems by unmounting them, but also inhibits running newfs(8) while the system is multi-user.

3 Network secure mode - same as highly secure mode, plus IP packet filter rules (see ipfw(8) and ipfirewall(4)) cannot be changed and dummynet(4) configuration cannot be adjusted.

If the security level is initially nonzero, then init leaves it unchanged. Otherwise, init raises the level to 1 before going multi-user for the first time. Since the level cannot be reduced, it will be at least 1 for subsequent operation, even on return to single-user. If a level higher than 1 is desired while running multi-user, it can be set before going multi-user, (IE: by the startup script rc(8), or using sysctl(8)) to set the 'kern.securelevel' variable to the required security level.

Setting the security level above 1 too early in the boot sequence can prevent fsck(8) from repairing inconsistent file systems. The preferred location to set the security level is at the end of /etc/rc.conf after all multi-user startup actions are complete.

The securelevel option is intended for a production machine whose configuration is fixed and does not evolve anymore. This one option not only makes it very difficult for the attacker, but if you forget you have it turned on, or someone new takes over administrating the system and doesn't know about this, they will find themselves locked out of the system just like an attacker. You are forewarned.

In /etc/rc.conf as the last statements in the file add these statements:

  1. enable kernel security levels

kern_securelevel_enable=YES # turn on kernel security levels kern_securelevel=3 # turn on max kernel security level

Personal tools