diff options
author | Hugh Graham <hugh@cvs.openbsd.org> | 2000-01-10 07:18:51 +0000 |
---|---|---|
committer | Hugh Graham <hugh@cvs.openbsd.org> | 2000-01-10 07:18:51 +0000 |
commit | 9908c36607a2b64061f9123f01c96feb4bf4b23f (patch) | |
tree | e5a46e31d6d2ed3a885bda5b6d668c0b5cde56a0 | |
parent | 6cab92913b6dd4b4a1ce48d7f19a5aeaf4cad228 (diff) |
nits & style
-rw-r--r-- | share/man/man7/securelevel.7 | 61 |
1 files changed, 37 insertions, 24 deletions
diff --git a/share/man/man7/securelevel.7 b/share/man/man7/securelevel.7 index 7b1f1fbcc5a..cbfe699dcda 100644 --- a/share/man/man7/securelevel.7 +++ b/share/man/man7/securelevel.7 @@ -1,4 +1,4 @@ -.\" $OpenBSD: securelevel.7,v 1.1 2000/01/08 01:55:33 hugh Exp $ +.\" $OpenBSD: securelevel.7,v 1.2 2000/01/10 07:18:50 hugh Exp $ .\" .\" Copyright (c) 2000 Hugh Graham .\" @@ -34,21 +34,32 @@ The .Ox kernel provides four levels of system security: .Bl -tag -width flag -.It -1 Em "Permanently insecure mode" . +.It -1 Em Permanently insecure mode +.Bl -hyphen -compact +.It .Xr init 8 -will not attempt to raise the securelevel. May be set via +will not attempt to raise the securelevel +.It +otherwise identical to securelevel 0 +.It +may only be set with .Xr sysctl 8 -while the system is insecure, or by building a kernel with -.Dq option INSECURE -in the config file. -.It 0 Em "Insecure mode" . -Used during bootstrapping and while the system is single user. -System file flags may be cleared, and all devices may be read or -written subject to their permissions. -.It 1 Em "Secure mode" . -Default mode when system is multiuser: +while the system is insecure +.El +.It \ 0 Em Insecure mode +.Bl -hyphen -compact +.It +used during bootstrapping and while the system is single-user +.It +all devices may be read or written subject to their permissions +.It +system file flags may be cleared +.El +.It \ 1 Em Secure mode .Bl -hyphen -compact .It +default mode when system is multi-user +.It securelevel may no longer be lowered except by init .It system immutable and append-only file flags may not be removed @@ -60,11 +71,12 @@ may not be written to .It kernel modules may not be loaded or unloaded .El -.It 2 Em "Highly secure mode" . -All effects of securelevel 1, plus: +.It \ 2 Em Highly secure mode .Bl -hyphen -compact .It -disk devices are always read-only whether mounted or not +all effects of securelevel 1 +.It +raw disk devices are always read-only whether mounted or not .It .Xr settimeofday 2 may not set the time backwards @@ -72,11 +84,11 @@ may not set the time backwards .Xr ipf 8 and .Xr ipnat 8 -rulesets may not be changed +rules may not be altered .El .El .Sh DESCRIPTION -Securelevel provides controlled means of +Securelevel provides convenient means of .Dq locking down a system to a degree suited to its environment. It is normally set at boot via the @@ -86,19 +98,20 @@ script, or the superuser may raise securelevel at any time by modifying the .Xr sysctl 8 variable. However, only .Xr init 8 -may lower it once the system has entered secure mode. +may lower it once the system has entered secure mode. A kernel built with +.Dq option INSECURE +in the config file will default to permanently insecure mode. .Pp -.Em Highly secure mode -may seem Draconian, but is intended as a last line of defence should the -superuser account be compromised. Its effects preclude circumvention of -file flags by direct modification of a raw disk device, or erasure of a -filesystem by means of +Highly secure mode may seem Draconian, but is intended as a last line of +defence should the superuser account be compromised. Its effects preclude +circumvention of file flags by direct modification of a raw disk device, +or erasure of a filesystem by means of .Xr newfs 8 . Further, it can limit the potential damage of a compromised .Dq firewall by prohibiting the modification of packet filter rules. Preventing the system clock from being set backwards aids in post-mortem analysis -and helps ensure the intergrity of logs. Precision timekeeping is not +and helps ensure the integrity of logs. Precision timekeeping is not affected because the clock may still be slowed. .Sh FILES .Bl -tag -compact |