freebsd-dev/usr.sbin/sysinstall/help/securelevel.hlp

This menu allows you to configure the Securelevel mechanism in FreeBSD.

Securelevels may be used to limit the privileges assigned to the
root user in multi-user mode, which in turn may limit the effects of
a root compromise, at the cost of reducing administrative functions.
Refer to the init(8) manual page for complete details.

   -1    Permanently insecure mode - always run the system in level 0 mode.
         This is the default initial value.

   0     Insecure mode - immutable and append-only flags may be turned off.
         All devices may be read or written subject to their permissions.

   1     Secure mode - the system immutable and system append-only flags may
         not be turned off; disks for mounted file systems, /dev/mem, and
         /dev/kmem may not be opened for writing; kernel modules (see
         kld(4)) may not be loaded or unloaded.

   2     Highly secure mode - same as secure mode, plus disks may not be
         opened for writing (except by mount(2)) whether mounted or not.
         This level precludes tampering with file systems by unmounting
         them, but also inhibits running newfs(8) while the system is multi-
         user.

         In addition, kernel time changes are restricted to less than or
         equal to one second.  Attempts to change the time by more than this
         will log the message ``Time adjustment clamped to +1 second''.

   3     Network secure mode - same as highly secure mode, plus IP packet
         filter rules (see ipfw(8) and ipfirewall(4)) cannot be changed and
         dummynet(4) configuration cannot be adjusted.

Securelevels must be used in combination with careful system design and
application of protective mechanisms to prevent system configuration
files from being modified in a way that compromises the protections of
the securelevel variable upon reboot.
Add a Securelevel sub-menu to the Security configuration menu, permitting the administrator to select a securelevel top operate at. Include a helpfile summarizing some of the information from init(8). This allows for explicit configuration of securelevels, which was previously implicit in Security Profile selection. Currently, there are no checkboxes for the active securelevel, because sysinstall's facilities for deriving "current settings" from rc.conf may use only one variable, not two, and I opted for the simplest approach at this point. Approved by: re (scottl) 2003-11-29 21:44:51 +00:00			`This menu allows you to configure the Securelevel mechanism in FreeBSD.`

			`Securelevels may be used to limit the privileges assigned to the`
			`root user in multi-user mode, which in turn may limit the effects of`
			`a root compromise, at the cost of reducing administrative functions.`
			`Refer to the init(8) manual page for complete details.`

			`-1 Permanently insecure mode - always run the system in level 0 mode.`
			`This is the default initial value.`

			`0 Insecure mode - immutable and append-only flags may be turned off.`
			`All devices may be read or written subject to their permissions.`

			`1 Secure mode - the system immutable and system append-only flags may`
			`not be turned off; disks for mounted file systems, /dev/mem, and`
			`/dev/kmem may not be opened for writing; kernel modules (see`
			`kld(4)) may not be loaded or unloaded.`

			`2 Highly secure mode - same as secure mode, plus disks may not be`
			`opened for writing (except by mount(2)) whether mounted or not.`
			`This level precludes tampering with file systems by unmounting`
			`them, but also inhibits running newfs(8) while the system is multi-`
			`user.`

			`In addition, kernel time changes are restricted to less than or`
			`equal to one second. Attempts to change the time by more than this`
			will log the message ``Time adjustment clamped to +1 second''.

			`3 Network secure mode - same as highly secure mode, plus IP packet`
			`filter rules (see ipfw(8) and ipfirewall(4)) cannot be changed and`
			`dummynet(4) configuration cannot be adjusted.`

			`Securelevels must be used in combination with careful system design and`
			`application of protective mechanisms to prevent system configuration`
			`files from being modified in a way that compromises the protections of`
			`the securelevel variable upon reboot.`