1: **Contents**
2:
3: [[!toc levels=3]]
4:
5: # Introduction
6:
7: Kernel security levels have been introduced back in 4.4 to use file flags as a mechanism to enhance security. Ususally the system is running at a level 1, which can be checked with **sysctl kern.securelevel**, once the level has been set in the bootup process using the securelevel option in **/etc/rc.conf** you cannot lower the level anymore, but you are allowed to raise it to either 1 or 2.
8:
9: The [[basics/sysctl]] variable kern.securelevel is a variable that is usually -1 or 0, and can be raised during normal operation to disallow certain operations in the filesystem to increase security.
10:
11:
12: # Securelevel restrictions
13:
14: secmodel_bsd44(9) defeines the following restrictions:
15:
16: ## -1 Permanently insecure mode
17:
18: * Don't raise the securelevel on boot
19:
20: ## 0 Insecure mode
21:
22: * The init process (PID 1) may not be traced or accessed by ptrace(2), systrace(4), or procfs.
23: * Immutable and append-only file flags may be changed
24: * All devices may be read or written subject to their permissions
25:
26: _Note: You can`t run X11 above this securelevel_
27:
28: _Try [sysutils/aperture](http://cvsweb.de.netbsd.org/cgi-bin/cvsweb.cgi/pkgsrc/sysutils/aperture/) if you really need it._
29:
30:
31: ## 1 Secure mode
32:
33: * All effects of securelevel 0
34: * /dev/mem and /dev/kmem may not be written to
35: * Raw disk devices of mounted file systems are read-only
36: * Immutable and append-only file flags may not be removed
37: * Kernel modules may not be loaded or unloaded
38: * The net.inet.ip.sourceroute sysctl(8) variable may not be changed
39: * Adding or removing sysctl(9) nodes is denied
40: * The RTC offset may not be changed
41: * Set-id coredump settings may not be altered
42: * Attaching the IP-based kernel debugger, ipkdb(4), is not allowed
43: * Device ``pass-thru_ requests that may be used to perform raw disk and/or memory access are denied_
44: * iopl and ioperm calls are denied
45: * Access to unmanaged memory is denied
46:
47: ## 2 Highly secure mode
48:
49: * All effects of securelevel 1
50: * Raw disk devices are always read-only whether mounted or not
51: * New disks may not be mounted, and existing mounts may only be downgraded from read-write to read-only
52: * The system clock may not be set backwards or close to overflow
53: * Per-process coredump name may not be changed
54: * Packet filtering and NAT rules may not be altered
55:
56: # Examining and changing securelevel
57:
58: As a user, you can see the current value of securelevel:
59:
60: $ sysctl kern.securelevel
61: kern.securelevel = -1
62:
63:
64: But of course, you cannot change it:
65:
66: $ sysctl -w kern.securelevel=0
67: sysctl: kern.securelevel: sysctl() failed with Operation not permitted
68:
69:
70: You need to be root to do that:
71:
72: # sysctl -w kern.securelevel=1
73: kern.securelevel: -1 -> 1
74:
75:
76: Once it is set, its value can never be set to a lower value again:
77:
78: # sysctl -w kern.securelevel=-1
79: sysctl: kern.securelevel: sysctl() failed with Operation not permitted
80:
81:
82: ... except by the kernel debugger, which you can enter at the console. On i386, press <Alt>+<Ctrl>+<ESC>:
83:
84: db> w/l securelevel (-1)
85: netbsd:securelevel 0x1 -> 0xffffffff
86: db> c
87:
88:
89: # Setting securelevel permanently
90:
91: The securelevel can be set after booting the system by setting the securelevel shell variable in /etc/rc.conf (see [[manpage]]).
92:
93:
94: # See also
95:
96: * <http://www.freebsd.org/doc/en_US.ISO8859-1/books/faq/security.html#SECURELEVEL>
97:
CVSweb for NetBSD wikisrc <wikimaster@NetBSD.org> software: FreeBSD-CVSweb
![[BACK]](/icons/back.gif){kind=icon}
Return to kernel_secure_levels.mdwn CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [NetBSD Developer Wiki] / wikisrc