View | Details | Raw Unified | Return to bug 84266 | Differences between
and this patch

(-)/pr/work/security.7 (-5 / +61 lines)
Lines 21-27 Link Here
21
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
21
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
22
.\" SUCH DAMAGE.
22
.\" SUCH DAMAGE.
23
.\"
23
.\"
24
.\" $FreeBSD: src/share/man/man7/security.7,v 1.39 2004/08/07 04:40:20 imp Exp $
24
.\" $FreeBSD: Exp $
25
.\"
25
.\"
26
.Dd September 18, 1999
26
.Dd September 18, 1999
27
.Dt SECURITY 7
27
.Dt SECURITY 7
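Review bot: the $FreeBSD$ ident line (line 24) is changed from the full expanded keyword to ".\" $FreeBSD: Exp $", which looks like accidental damage from the submitter's checkout rather than an intended edit; drop that line from the patch so the keyword is left for the repository to expand. The .Dd line also stays at September 18, 1999 although the patch adds a substantial new block of text later in the file, so the document date should be bumped with this change.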
Lines 498-511 Link Here
498
.Xr bpf 4
498
.Xr bpf 4
499
device or other sniffing device on a running kernel.
499
device or other sniffing device on a running kernel.
500
To avoid these problems you have to run
500
To avoid these problems you have to run
501
the kernel at a higher secure level, at least securelevel 1.
501
the kernel at a higher secure level, at least secure level 1.
502
The securelevel can be set with a
502
The secure level can be set with a
503
.Xr sysctl 8
503
.Xr sysctl 8
504
on the
504
on the
505
.Va kern.securelevel
505
.Va kern.securelevel
506
variable.
506
variable.
507
Once you have
507
Once you have
508
set the securelevel to 1, write access to raw devices will be denied and
508
set the secure level to 1, write access to raw devices will be denied and
509
special
509
special
510
.Xr chflags 1
510
.Xr chflags 1
511
flags, such as
511
flags, such as
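Review bot: line 508 still says that at secure level 1 "write access to raw devices will be denied", which is broader than the level 1 entry this patch adds further down (disks for mounted file systems, /dev/mem, /dev/kmem and /dev/io); the restriction on disks "whether mounted or not" appears there under level 2. Since this line is being touched anyway, reword it to match the new list. The .Va kern.securelevel reference on line 505 is correctly left with the variable's own spelling.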
Lines 515-521 Link Here
515
that the
515
that the
516
.Cm schg
516
.Cm schg
517
flag is set on critical startup binaries, directories, and
517
flag is set on critical startup binaries, directories, and
518
script files \(em everything that gets run up to the point where the securelevel
518
script files \(em everything that gets run up to the point where the secure level
519
is set.
519
is set.
520
This might be overdoing it, and upgrading the system is much more
520
This might be overdoing it, and upgrading the system is much more
521
difficult when you operate at a higher secure level.
521
difficult when you operate at a higher secure level.
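Review bot: with "securelevel" expanded to "secure level", line 518 grows from 80 to 81 characters; re-wrap it, for example by moving "the secure level" down to join "is set." on line 519. The wording itself now matches line 521, which already read "secure level".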
Lines 533-538 Link Here
533
It should be noted that being too draconian in
533
It should be noted that being too draconian in
534
what you attempt to protect may prevent the all-important detection of an
534
what you attempt to protect may prevent the all-important detection of an
535
intrusion.
535
intrusion.
536
.Pp
537
The kernel runs with five different levels of security.
538
Any super-user process can raise the security level, but no process
539
can lower it.
540
The security levels are:
541
.Bl -tag -width flag
542
.It Ic -1
543
Permanently insecure mode \- always run the system in level 0 mode.
544
This is the default initial value.
545
.It Ic 0
546
Insecure mode \- immutable and append-only flags may be turned off.
547
All devices may be read or written subject to their permissions.
548
.It Ic 1
549
Secure mode \- the system immutable and system append-only flags may not
550
be turned off;
551
disks for mounted file systems,
552
.Pa /dev/mem ,
553
.Pa /dev/kmem
554
and
555
.Pa /dev/io
556
(if your platform has it) may not be opened for writing;
557
kernel modules (see
558
.Xr kld 4 )
559
may not be loaded or unloaded.
560
.It Ic 2
561
Highly secure mode \- same as secure mode, plus disks may not be
562
opened for writing (except by
563
.Xr mount 2 )
564
whether mounted or not.
565
This level precludes tampering with file systems by unmounting them,
566
but also inhibits running
567
.Xr newfs 8
568
while the system is multi-user.
569
.Pp
570
In addition, kernel time changes are restricted to less than or equal to one
571
second.
572
Attempts to change the time by more than this will log the message
573
.Dq Time adjustment clamped to +1 second .
574
.It Ic 3
575
Network secure mode \- same as highly secure mode, plus
576
IP packet filter rules (see
577
.Xr ipfw 8 ,
578
.Xr ipfirewall 4
579
and
580
.Xr pfctl 8 )
581
cannot be changed and
582
.Xr dummynet 4
583
or
584
.Xr pf 4
585
configuration cannot be adjusted.
586
.El
587
.Pp
588
The secure level is discussed further in
589
.Xr init 8
590
and can be configured with variables documented in
591
.Xr rc.conf 8 .
536
.Sh CHECKING FILE INTEGRITY: BINARIES, CONFIG FILES, ETC
592
.Sh CHECKING FILE INTEGRITY: BINARIES, CONFIG FILES, ETC
537
When it comes right down to it, you can only protect your core system
593
When it comes right down to it, you can only protect your core system
538
configuration and control files so much before the convenience factor
594
configuration and control files so much before the convenience factor
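Review bot: the closing cross-reference ".Xr rc.conf 8 ." (new line 591) points at the wrong manual section; rc.conf is a section 5 page, so this should read ".Xr rc.conf 5 .". Two smaller points in the added block: it speaks of "levels of security" and "the security level" (new lines 537 to 540) while the rest of this patch standardises on "secure level", so pick one term; and the list items use ".It Ic" although the level numbers are values rather than commands, and "\-" for the dash where line 518 of the same file uses "\(em".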