Determine the system's security level

Author: KevinDKinsey

Reviewer: Sean Swayze swayze@pcsage.biz FreeBSD/OpenBSD

Reviewer: name contact BSD flavour


Concept

BSD systems provide security (((security))) profiles known as securelevels(((securelevel))).

  • Be able to recognize the restrictions set by each securelevel for each BSD operating system.
  • Understand under what circumstances a securelevel can be raised or lowered.

(((security levels)))

Introduction

The BSD kernels can limit -- even from the superuser (((superuser))) -- a great number of common operations in order to make a system extremely secure. A system secured in this way is said to be running in a high securelevel.

The five kernel securelevels are given in the init(8) manpage:

TODO: check each BSD

TODO: maybe put descriptor as bold here:

  • -1 Permanently insecure mode - always run the system in level 0 mode. This is the default initial value.

  • 0 Insecure mode - immutable and append-only flags may be turned off. All devices may be read or written subject to their permissions.

  • 1 Secure mode - the system immutable and system append-only flags (((file flags))) may not be turned off; disks for mounted file systems, /dev/mem, /dev/kmem and /dev/io (if your platform has it) may not be opened for writing; kernel modules (see kld(4)) may not be loaded or unloaded.

  • 2 Highly secure mode - same as secure mode, plus disks may not be opened for writing (except by mount(2)) whether mounted or not. This level precludes tampering with file systems by unmounting them, but also inhibits running newfs(8) while the system is multi-user(((multi-user))). In addition, kernel time changes are restricted to less than or equal to one second. Attempts to change the time by more than this amount will log the message "Time adjustment clamped to +1 second".

  • 3 Network secure mode - same as highly secure mode, plus IP packet filter (((packet filter))) rules (see ipfw(8), ipfirewall(4) and pfctl(8)) cannot be changed and dummynet(4) or pf(4) configuration cannot be adjusted.

The securelevel is set when init (((init))) brings the system up to multi-user mode, and can also be viewed and adjusted "on the fly" via the kern.securelevel sysctl. Note that the securelevel can only be adjusted by the super-user, and can only be adjusted upward, that is, to a more secure level. No one can downgrade a system's securelevel while the system is running (it can be set to change at the next reboot, see below for details).

In addition, on NetBSD the verified exec in-kernel fingerprint table can't be modified.

Examples

You can look at current secure level via sysctl(((sysctl))):

# sysctl kern.securelevel
kern.securelevel: -1

Adding the following lines to rc.conf will cause the system to set a securelevel of 2 on the next boot:

kern_securelevel_enable="YES"
kern_securelevel="2"

Note that setting securelevel to 0 will result in the system booting with securelevel set to 1, as init(8) will raise the level when rc(8) completes.
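Added example (not part of the original page): a small POSIX sh helper that encodes the rules above, the five valid levels, the upward-only live change, and the way a boot-time value of 0 becomes 1, so a planned change can be checked before it is applied. It parses a constructed sysctl(8) output line instead of querying the kernel, and the function names are my own.

```shell
#!/bin/sh
# Added example (not the page's own): offline checks for securelevel changes.
# The sysctl(8) output below is a constructed sample, not a live query.
SAMPLE_SYSCTL_OUTPUT='kern.securelevel: -1'

# Extract the numeric level from a "kern.securelevel: N" line.
parse_securelevel() {
    printf '%s\n' "$1" | sed -n 's/^kern\.securelevel: *\(-\{0,1\}[0-9]\).*$/\1/p'
}

# Only the five documented levels (-1 through 3) are valid.
valid_securelevel() {
    case "$1" in
        -1|0|1|2|3) return 0 ;;
        *) return 1 ;;
    esac
}

# On a running system the level can only be raised: succeeds (0) when
# `sysctl kern.securelevel=$2` would be accepted at current level $1.
can_raise_live() {
    valid_securelevel "$1" && valid_securelevel "$2" || return 1
    [ "$2" -gt "$1" ]
}

# Level the system reaches after boot for a given kern_securelevel value:
# init(8) raises 0 to 1 once rc(8) completes, so only -1 stays below 1.
effective_boot_level() {
    valid_securelevel "$1" || return 1
    if [ "$1" -eq 0 ]; then printf '1\n'; else printf '%s\n' "$1"; fi
}

# rc.conf(5) lines that request the given securelevel at the next boot.
rc_conf_lines() {
    valid_securelevel "$1" || return 1
    printf 'kern_securelevel_enable="YES"\nkern_securelevel="%s"\n' "$1"
}

# Stand-alone demonstration on the constructed sample.
current=$(parse_securelevel "$SAMPLE_SYSCTL_OUTPUT")
echo "current securelevel: $current"
can_raise_live "$current" 2 && echo "raising to 2 while running is allowed"
if ! can_raise_live 2 1; then
    echo "lowering from 2 to 1 is refused while running; set it for next boot:"
    rc_conf_lines 1
fi
echo "kern_securelevel=0 in rc.conf boots into level $(effective_boot_level 0)"
```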

Practice Exercises

More information

File flags are covered in View and modify file flags.

init(8), sysctl(8), rc.conf(5)