summaryrefslogtreecommitdiff
path: root/share/man/man7/securelevel.7
blob: b935ebb55a6334ad8f8296271e578d66197e7679 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
.\"     $OpenBSD: securelevel.7,v 1.22 2009/05/09 13:45:28 sthen Exp $
.\"
.\" Copyright (c) 2000 Hugh Graham
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
.\" WARRANTIES, INCLUDING, BUT NOT LIMITED TO, IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
.\" IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
.\" INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
.\" (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
.\" SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd $Mdocdate: May 9 2009 $
.Dt SECURELEVEL 7
.Os
.Sh NAME
.Nm securelevel
.Nd securelevel and its effects
.Sh DESCRIPTION
The
.Ox
kernel provides four levels of system security:
.Bl -tag -width flag
.It \&-1 Em Permanently insecure mode
.Bl -hyphen -compact
.It
.Xr init 8
will not attempt to raise the securelevel
.It
may only be set with
.Xr sysctl 8
while the system is insecure
.It
otherwise identical to securelevel 0
.El
.It \ 0 Em Insecure mode
.Bl -hyphen -compact
.It
used during bootstrapping and while the system is single-user
.It
all devices may be read or written subject to their permissions
.It
system file flags may be cleared with
.Xr chflags 2
.El
.It \ 1 Em Secure mode
.Bl -hyphen -compact
.It
default mode when system is multi-user
.It
securelevel may no longer be lowered except by init
.It
.Pa /dev/mem
and
.Pa /dev/kmem
may not be written to
.It
raw disk devices of mounted file systems are read-only
.It
system immutable and append-only file flags may not be removed
.It
kernel modules may not be loaded or unloaded
.It
the
.Va fs.posix.setuid
.Xr sysctl 8
variable may not be changed
.It
the
.Va net.inet.ip.sourceroute
.Xr sysctl 8
variable may not be changed
.It
the
.Va machdep.kbdreset
.Xr sysctl 8
variable may not be changed
.It
the
.Va ddb.console
and
.Va ddb.panic
.Xr sysctl 8
variables may not be raised
.It
the
.Va machdep.allowaperture
.Xr sysctl 8
variable may not be raised
.It
.Xr gpioctl 8
may only access GPIO pins configured at system startup
.El
.It \ 2 Em Highly secure mode
.Bl -hyphen -compact
.It
all effects of securelevel 1
.It
raw disk devices are always read-only whether mounted or not
.It
.Xr settimeofday 2
and
.Xr clock_settime 2
may not set the time backwards or close to overflow
.It
.Xr pf 4
filter and NAT rules may not be altered
.El
.El
.Pp
Securelevel provides convenient means of
.Dq locking down
a system to a degree suited to its environment.
It is normally set at boot via the
.Xr rc.securelevel 8
script, or the superuser may raise securelevel at any time by modifying the
.Va kern.securelevel
.Xr sysctl 8
variable.
However, only
.Xr init 8
may lower it once the system has entered secure mode.
A kernel built with
.Cm option INSECURE
in the config file will default to permanently insecure mode.
.Pp
Highly secure mode may seem Draconian, but is intended as a last line of
defence should the superuser account be compromised.
Its effects preclude
circumvention of file flags by direct modification of a raw disk device,
or erasure of a file system by means of
.Xr newfs 8 .
Further, it can limit the potential damage of a compromised
.Dq firewall
by prohibiting the modification of packet filter rules.
Preventing
the system clock from being set backwards aids in post-mortem analysis
and helps ensure the integrity of logs.
Precision timekeeping is not
affected because the clock may still be slowed.
.Pp
Because securelevel can be modified with the in-kernel debugger
.Xr ddb 4 ,
a convenient means of locking it off (if present) is provided
at securelevels 1 and 2.
This is accomplished by setting
.Va ddb.console
and
.Va ddb.panic
to 0 with the
.Xr sysctl 8
utility.
.Sh FILES
.Bl -tag -width /etc/rc.securelevel -compact
.It Pa /etc/rc.securelevel
commands that run before the security level changes
.El
.Sh SEE ALSO
.Xr options 4 ,
.Xr init 8 ,
.Xr rc 8 ,
.Xr sysctl 8
.Sh HISTORY
The
.Nm
manual page first appeared in
.Ox 2.6 .
.Sh BUGS
The list of securelevel's effects may not be comprehensive.