author | Hugh Graham <hugh@cvs.openbsd.org> | 2000-02-27 04:59:11 +0000 |
---|---|---|
committer | Hugh Graham <hugh@cvs.openbsd.org> | 2000-02-27 04:59:11 +0000 |
commit | 9fe2519271ad3ce28c229527a22d38c75c3e89a4 | |
tree | 57ca065fe2709c5b23b8a4a778d39cadb977d1b6 | |
parent | 9810dc47d0d68c573fe93e3f09d8cfd2155660c3 |
document ddb securelevel semantics
-rw-r--r-- | share/man/man7/securelevel.7 | 24 |
1 files changed, 21 insertions, 3 deletions
diff --git a/share/man/man7/securelevel.7 b/share/man/man7/securelevel.7 index a86bf0abc7d..99436ee2058 100644 --- a/share/man/man7/securelevel.7 +++ b/share/man/man7/securelevel.7 @@ -1,4 +1,4 @@ -.\" $OpenBSD: securelevel.7,v 1.5 2000/02/27 04:29:44 hugh Exp $ +.\" $OpenBSD: securelevel.7,v 1.6 2000/02/27 04:59:10 hugh Exp $ .\" .\" Copyright (c) 2000 Hugh Graham .\" @@ -40,11 +40,11 @@ kernel provides four levels of system security: .Xr init 8 will not attempt to raise the securelevel .It -otherwise identical to securelevel 0 -.It may only be set with .Xr sysctl 8 while the system is insecure +.It +otherwise identical to securelevel 0 .El .It \ 0 Em Insecure mode .Bl -hyphen -compact @@ -87,6 +87,13 @@ may not set the time backwards and .Xr ipnat 8 rules may not be altered +.It +the +.Va ddb.console +and +.Va ddb.panic +.Xr sysctl 8 +variables may not be raised .El .El .Sh DESCRIPTION @@ -115,6 +122,17 @@ by prohibiting the modification of packet filter rules. Preventing the system clock from being set backwards aids in post-mortem analysis and helps ensure the integrity of logs. Precision timekeeping is not affected because the clock may still be slowed. +.Pp +Because securelevel can be modified with the in-kernel debugger +.Xr ddb 4 , +a convenient means of locking it off (if present) is provided +on highly secure systems. This is accomplished by setting +.Va ddb.console +and +.Va ddb.panic +to 0 with the +.Xr sysctl 8 +utility. .Sh FILES .Bl -tag -compact .It Pa /etc/rc.securelevel |
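Review bot: in the `@@ -87,6 +87,13 @@` hunk, the new `.It` entry names `ddb.console` and `ddb.panic` without a pointer to ddb(4), so a reader who consults only the per-level list never learns which subsystem these variables control; the cross-reference exists only in the DESCRIPTION paragraph added further down. Suggest working `.Xr ddb 4` into this item. The wording "may not be raised" also leaves it implicit that lowering the variables is still permitted; stating that here would line up with the "to 0" instruction in DESCRIPTION.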
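Review bot: in the `@@ -115,6 +122,17 @@` hunk, the new paragraph never ties the "set to 0" step to the securelevel at which the list entry added earlier in this patch says the variables "may not be raised", so from this text alone a reader cannot tell that the debugger is only locked out once that level is in effect. Suggest naming the level in this paragraph. The phrase "locking it off (if present)" is also ambiguous about whether "it" is securelevel or ddb; naming ddb explicitly would remove the doubt. Style point: the line "on highly secure systems. This is accomplished by setting" starts a sentence mid-line, where mdoc source conventionally begins each sentence on its own line.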