From nobody Tue Oct 24 10:19:04 2023
From: void
To: freebsd-security@freebsd.org
Date: Tue, 24 Oct 2023 11:19:04 +0100
Subject: securelevel 1
List-Id: Security issues
List-Archive: https://lists.freebsd.org/archives/freebsd-security

Hi,

I'd like to set append-only on an arm64 system running stable/14-n265566
(so securelevel=1) but how would newsyslog(8) handle it? How will it rotate
logs?

-- 

From nobody Tue Oct 24 11:08:37 2023
From: Paweł Biernacki
To: void
Cc: freebsd-security@freebsd.org
Date: Tue, 24 Oct 2023 13:08:37 +0200
Subject: Re: securelevel 1
Message-Id: <6638DADD-FCDB-492C-B1E8-441C6622038B@FreeBSD.org>

Setting kern.securelevel to 1 makes the kernel enforce the system-level
immutable and append-only flags (see chflags(1/2)).
Unless you do something extra, syslogd will create new files without
these flags and newsyslog will rotate them as expected.

Hope that helps,
Paweł.

> On 24 Oct 2023, at 12:19, void wrote:
> 
> Hi,
> 
> I'd like to set append-only on an arm64 system running stable/14-n265566
> (so securelevel=1) but how would newsyslog(8) handle it? How will it rotate
> logs?
> 
> -- 
> 
From nobody Tue Oct 24 11:31:12 2023
From: Miroslav Lachman <000.fbsd@quip.cz>
To: void
Cc: freebsd-security@freebsd.org
Date: Tue, 24 Oct 2023 13:31:12 +0200
Subject: Re: securelevel 1
Message-ID: <663fd243-94ec-40c1-ac66-ca8e3d5f278d@quip.cz>
In-Reply-To: <6638DADD-FCDB-492C-B1E8-441C6622038B@FreeBSD.org>

On 24/10/2023 13:08, Paweł Biernacki wrote:
> Setting kern.securelevel to 1 makes the kernel enforce the system-level immutable and append-only flags (see chflags(1/2)).
> Unless you do something extra, syslogd will create new files without these flags and newsyslog will rotate them as expected.

In other words - securelevel 1 means that you cannot remove flags on
files where append-only or immutable flags are set, and securelevel cannot
be lowered on a running system. But on a default installation there are only
a few files protected by flags.
This list is from 13.2 amd64:

root@neon ~/ # find -s -x / -flags +schg,sappnd
/.sujournal
/lib/libc.so.7
/lib/libcrypt.so.5
/lib/libthr.so.3
/libexec/ld-elf.so.1
/libexec/ld-elf32.so.1
/sbin/init
/usr/bin/chpass
/usr/bin/crontab
/usr/bin/login
/usr/bin/opieinfo
/usr/bin/opiepasswd
/usr/bin/passwd
/usr/bin/su
/usr/lib/librt.so.1
/usr/lib32/libc.so.7
/usr/lib32/libcrypt.so.5
/usr/lib32/librt.so.1
/usr/lib32/libthr.so.3
/var/empty

Log files are not protected.

Kind regards
Miroslav Lachman

>> On 24 Oct 2023, at 12:19, void wrote:
>> 
>> Hi,
>> 
>> I'd like to set append-only on an arm64 system running stable/14-n265566
>> (so securelevel=1) but how would newsyslog(8) handle it? How will it rotate
>> logs?
>> 
>> -- 
>> 
> 
> 

From nobody Tue Oct 24 17:33:22 2023
From: void
To: freebsd-security@freebsd.org
Date: Tue, 24 Oct 2023 17:33:22 +0000
Subject: Re: securelevel 1
Message-Id: <35f733cc-a6c2-46a4-b564-b1ef87893fc5@app.fastmail.com>
In-Reply-To: <663fd243-94ec-40c1-ac66-ca8e3d5f278d@quip.cz>
References: <6638DADD-FCDB-492C-B1E8-441C6622038B@FreeBSD.org> <663fd243-94ec-40c1-ac66-ca8e3d5f278d@quip.cz>
On Tue, 24 Oct 2023, at 11:31, Miroslav Lachman wrote:
> root@neon ~/ # find -s -x / -flags +schg,sappnd
> /.sujournal
> /lib/libc.so.7
> /lib/libcrypt.so.5
> /lib/libthr.so.3
> /libexec/ld-elf.so.1
> /libexec/ld-elf32.so.1
> /sbin/init
> /usr/bin/chpass
> /usr/bin/crontab
> /usr/bin/login
> /usr/bin/opieinfo
> /usr/bin/opiepasswd
> /usr/bin/passwd
> /usr/bin/su
> /usr/lib/librt.so.1
> /usr/lib32/libc.so.7
> /usr/lib32/libcrypt.so.5
> /usr/lib32/librt.so.1
> /usr/lib32/libthr.so.3
> /var/empty
> 
> Log files are not protected.

Thanks for explaining.

The reason for setting the securelevel to 1 would be so that the log files can't
be modified/deleted. So I'm glad you explained that because I didn't twig
the securelevel only disallows changing flags and the log files weren't protected.

In order to accomplish what I'd like, I understand that I'd need to set +schg
on the individual logs, then set the securelevel afterwards and reboot.

But if this is done, it seems there's no way (at least directly) for the log
file to be rotated?

From nobody Tue Oct 24 17:41:15 2023
From: Cy Schubert
To: Miroslav Lachman <000.fbsd@quip.cz>
Cc: void, freebsd-security@freebsd.org
Date: Tue, 24 Oct 2023 10:41:15 -0700
Subject: Re: securelevel 1
Message-Id: <20231024174115.EEC0C1BC@slippy.cwsent.com>
In-Reply-To: <663fd243-94ec-40c1-ac66-ca8e3d5f278d@quip.cz>
References: <6638DADD-FCDB-492C-B1E8-441C6622038B@FreeBSD.org> <663fd243-94ec-40c1-ac66-ca8e3d5f278d@quip.cz>
This is correct.

If you wish to completely secure your filesystems from write you would need
to add schg and sappend to the appropriate files on the system. This of
course means that any updates to the system, like installworld and
installkernel, will require single user state and filing off of the schg
bits prior to the update. You'd need to create a script to enable schg on
all relevant files and disable it prior to update.

Back in the day at $JOB-1, when I led the Solaris Team there, the Linux
team, next to me, were playing with setting the hardware read-only bit in
the system drive. They also played with booting off custom ISO. Both were
dropped as updating the servers was impossible without significant effort.
Back in those days there were no remote consoles or ILOs so trips down the
elevator to the raised floor in the basement were a common thing.

I think securelevel when done properly would present similar challenges.

-- 
Cheers,
Cy Schubert
FreeBSD UNIX:    Web: https://FreeBSD.org
NTP:             Web: https://nwtime.org

e^(i*pi)+1=0

In message <663fd243-94ec-40c1-ac66-ca8e3d5f278d@quip.cz>, Miroslav Lachman writes:
> On 24/10/2023 13:08, Paweł Biernacki wrote:
> > Setting kern.securelevel to 1 makes the kernel enforce the system-level
> immutable and append-only flags (see chflags(1/2)).
> > Unless you do something extra, syslogd will create new files without these
> flags and newsyslog will rotate them as expected.
> 
> In other words - securelevel 1 means that you cannot remove flags on
> files where append-only or immutable flags are set, and securelevel cannot
> be lowered on a running system. But on a default installation there are only
> a few files protected by flags.
> This list is from 13.2 amd64:
> 
> root@neon ~/ # find -s -x / -flags +schg,sappnd
> /.sujournal
> /lib/libc.so.7
> /lib/libcrypt.so.5
> /lib/libthr.so.3
> /libexec/ld-elf.so.1
> /libexec/ld-elf32.so.1
> /sbin/init
> /usr/bin/chpass
> /usr/bin/crontab
> /usr/bin/login
> /usr/bin/opieinfo
> /usr/bin/opiepasswd
> /usr/bin/passwd
> /usr/bin/su
> /usr/lib/librt.so.1
> /usr/lib32/libc.so.7
> /usr/lib32/libcrypt.so.5
> /usr/lib32/librt.so.1
> /usr/lib32/libthr.so.3
> /var/empty
> 
> Log files are not protected.
> 
> Kind regards
> Miroslav Lachman
> 
> >> On 24 Oct 2023, at 12:19, void wrote:
> >> 
> >> Hi,
> >> 
> >> I'd like to set append-only on an arm64 system running stable/14-n265566
> >> (so securelevel=1) but how would newsyslog(8) handle it? How will it rotate
> >> logs?
> >> 
> >> -- 
> >> 
> > 
> > 

From nobody Tue Oct 24 17:45:40 2023
From: Cy Schubert
To: void
Cc: freebsd-security@freebsd.org
Date: Tue, 24 Oct 2023 10:45:40 -0700
Subject: Re: securelevel 1
Message-Id: <20231024174540.1936912D@slippy.cwsent.com>
In-Reply-To: <35f733cc-a6c2-46a4-b564-b1ef87893fc5@app.fastmail.com>
References: <6638DADD-FCDB-492C-B1E8-441C6622038B@FreeBSD.org> <663fd243-94ec-40c1-ac66-ca8e3d5f278d@quip.cz> <35f733cc-a6c2-46a4-b564-b1ef87893fc5@app.fastmail.com>

In message <35f733cc-a6c2-46a4-b564-b1ef87893fc5@app.fastmail.com>, void writes:
> On Tue, 24 Oct 2023, at 11:31, Miroslav Lachman wrote:
> 
> > root@neon ~/ # find -s -x / -flags +schg,sappnd
> > /.sujournal
> > /lib/libc.so.7
> > /lib/libcrypt.so.5
> > /lib/libthr.so.3
> > /libexec/ld-elf.so.1
> > /libexec/ld-elf32.so.1
> > /sbin/init
> > /usr/bin/chpass
> > /usr/bin/crontab
> > /usr/bin/login
> > /usr/bin/opieinfo
> > /usr/bin/opiepasswd
> > /usr/bin/passwd
> > /usr/bin/su
> > /usr/lib/librt.so.1
> > /usr/lib32/libc.so.7
> > /usr/lib32/libcrypt.so.5
> > /usr/lib32/librt.so.1
> > /usr/lib32/libthr.so.3
> > /var/empty
> > 
> > Log files are not protected.
> 
> Thanks for explaining.
> 
> The reason for setting the securelevel to 1 would be so that the log files can't
> be modified/deleted. So I'm glad you explained that because I didn't twig
> the securelevel only disallows changing flags and the log files weren't protected.
> 
> In order to accomplish what I'd like, I understand that I'd need to set +schg
> on the individual logs, then set the securelevel afterwards and reboot.
> 
> But if this is done, it seems there's no way (at least directly) for the log
> file to be rotated?
> 

What a lot of large enterprises do is send logs off machine. A *.* log to
@IP or an agent does the same thing. The remote logging server also has
software to allow one to search the logs for a machine or multiple machines
allowing one to correlate messages across the network.

For server admins logging into each server individually, correlating logs
can be time consuming and a little challenging as one must keep a lot of
information in mind when working with multiple machines. But with logs sent
to a single server a person can use software designed to correlate logs.

-- 
Cheers,
Cy Schubert
FreeBSD UNIX:    Web: https://FreeBSD.org
NTP:             Web: https://nwtime.org

e^(i*pi)+1=0

From nobody Tue Oct 24 18:05:57 2023
From: Gareth de Vaux
To: void
Cc: freebsd-security@freebsd.org
Date: Tue, 24 Oct 2023 20:05:57 +0200
Subject: Re: securelevel 1
In-Reply-To: <35f733cc-a6c2-46a4-b564-b1ef87893fc5@app.fastmail.com>
References: <6638DADD-FCDB-492C-B1E8-441C6622038B@FreeBSD.org> <663fd243-94ec-40c1-ac66-ca8e3d5f278d@quip.cz> <35f733cc-a6c2-46a4-b564-b1ef87893fc5@app.fastmail.com>

On Tue 2023-10-24 (17:33), void wrote:
> In order to accomplish what I'd like, I understand that I'd need to set +schg
> on the individual logs, then set the securelevel afterwards and reboot.

You don't need to reboot when raising the securelevel, only to lower it.
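The procedure the thread converges on (set flags on the chosen logs, then raise kern.securelevel, which needs no reboot; clearing the flags again needs a reboot because the level cannot be lowered on a running system) fits Cy's suggestion of a script that sets and clears the flags around updates. The helper below is an added example, not code from the thread or from FreeBSD. It assumes FreeBSD chflags(1), sysctl(8) and find(1) with -flags; the paths in LOCKED_FILES are hypothetical placeholders, and the SECURELEVEL environment override is a hypothetical test hook, not a real sysctl. It uses sappnd rather than the schg void first proposed, because an append-only file can still receive syslogd's writes while an immutable one cannot. The refusal it prints for "unlock" at securelevel 1 is the same wall rotation hits: newsyslog rotates by renaming the file, and a file carrying sappnd can be neither renamed nor unlinked once the flags are enforced, which is why the off-box logging Cy describes is the usual way to keep both tamper resistance and rotation.

```shell
#!/bin/sh
# Added example (not from the thread or FreeBSD): plan, and optionally run,
# the chflags calls that make a set of log files append-only, refusing to
# plan a removal that the running securelevel would make the kernel reject.

# Hypothetical placeholder paths; replace with the logs you actually want locked.
LOCKED_FILES="/var/log/auth.log /var/log/messages /var/log/security"

# current_securelevel: kern.securelevel as the kernel reports it.  The
# SECURELEVEL environment variable (hypothetical test hook) overrides it so
# the decision logic can be exercised on a host without that sysctl.
current_securelevel() {
    if [ -n "${SECURELEVEL:-}" ]; then
        printf '%s\n' "$SECURELEVEL"
    else
        sysctl -n kern.securelevel 2>/dev/null || printf '%s\n' -1
    fi
}

# flags_can_be_cleared LEVEL: succeeds only while the system flags (schg,
# sappnd) can still be removed, i.e. kern.securelevel is 0 or -1.  At 1 or
# higher chflags no* on them fails with EPERM, and the level itself can
# only come back down by rebooting (into single-user mode).
flags_can_be_cleared() {
    [ "$1" -le 0 ]
}

# plan ACTION LEVEL FILE...: print one chflags command per file on stdout,
# for ACTION "lock" (set sappnd) or "unlock" (clear it).  For "unlock" at a
# level that enforces the flags it prints a refusal on stderr and fails, and
# prints nothing on stdout, so "plan ... | sh" never issues doomed calls.
plan() {
    if [ $# -lt 3 ]; then
        printf 'usage: plan lock|unlock LEVEL FILE...\n' >&2
        return 2
    fi
    action=$1
    level=$2
    shift 2
    case $action in
        lock)
            flag=sappnd
            ;;
        unlock)
            if ! flags_can_be_cleared "$level"; then
                printf 'refused: kern.securelevel=%s; system flags stay until a reboot to securelevel 0\n' "$level" >&2
                return 1
            fi
            flag=nosappnd
            ;;
        *)
            printf 'usage: plan lock|unlock LEVEL FILE...\n' >&2
            return 2
            ;;
    esac
    for f in "$@"; do
        printf 'chflags %s %s\n' "$flag" "$f"
    done
}

# audit_flags: every file on the root filesystem carrying a system flag,
# the same query Miroslav ran in the thread.
audit_flags() {
    find -s -x / -flags +schg,sappnd
}

# Usage on a FreeBSD host, as root:
#   plan lock "$(current_securelevel)" $LOCKED_FILES | sh   # while still at securelevel 0
#   sysctl kern.securelevel=1                                # raise it; no reboot needed
#   audit_flags                                              # logs now appear in the list
#   plan unlock "$(current_securelevel)" $LOCKED_FILES       # refused until a reboot
```

Because the refusal goes to stderr and the function returns non-zero, a wrapper that pipes the plan into sh fails closed: nothing is executed, and the exit status tells the caller that the only route back is a reboot to securelevel 0 before installworld or a similar update, exactly the operational cost Cy warns about.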
From nobody Tue Oct 24 19:59:46 2023
From: void
To: freebsd-security@freebsd.org
Subject: Re: securelevel 1
Date: Tue, 24 Oct 2023 19:59:46 +0000
Message-Id: <0adf3c6f-d739-4e40-9504-8633d11ebf1c@app.fastmail.com>
In-Reply-To: <20231024174540.1936912D@slippy.cwsent.com>

On Tue, 24 Oct 2023, at 17:45, Cy Schubert wrote:
> What a lot of large enterprises do is send logs off machine. A *.* log to
> @IP or an agent does the same thing. The remote logging server also has
> software to allow one to search the logs for a machine or multiple machines
> allowing one to correlate messages across the network.
>
> For server admins logging into each server individually, correlating logs
> can be time consuming and a little challenging as one must keep a lot of
> information in mind when working with multiple machines. But with logs sent
> to a single server a person can use software designed to correlate logs.

Yes, I'm considering that (remote logging) too.
That's probably the best solution even with only a couple of machines.

Thanks everyone

From nobody Thu Oct 26 21:36:22 2023
From: Dag-Erling Smørgrav
To: void
Cc: freebsd-security@freebsd.org
Subject: Re: securelevel 1
Date: Thu, 26 Oct 2023 23:36:22 +0200
Message-ID: <86ttqd12y1.fsf@ltc.des.no>
In-Reply-To: <35f733cc-a6c2-46a4-b564-b1ef87893fc5@app.fastmail.com>
void writes:
> In order to accomplish what I'd like, I understand that I'd need to set +schg
> on the individual logs, then set the securelevel afterwards and reboot.

If you set the log file +schg, it can't be written to at all. That's
obviously not what you want. If you set it +sappnd, it can be written to,
and newsyslog will be able to rotate it; an attacker with superuser
privileges will also be able to replace it with a doctored file. There is
no way to allow one without the other. The usual solution is to log to a
remote machine.

DES
--
Dag-Erling Smørgrav - des@FreeBSD.org
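Cy Schubert's `*.* @IP` advice and DES's point that a superuser can always replace a local file come down to one check: is every facility you care about also shipped off-box? The script below is an added example, not code from any poster or from FreeBSD; it parses syslog.conf(5)-style rules and lists facilities that only land in a local file. The sample configuration is constructed and `loghost` is a placeholder name.

```python
"""Audit syslog.conf(5)-style rules for facilities that land only in local files.
Added example for this thread, not any poster's code: a local log, even +sappnd
under securelevel 1, can be doctored by root, so the off-box copy (`*.* @host`)
that Cy Schubert and DES recommend is the record to trust."""
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed sample, modelled on FreeBSD's default syslog.conf; loghost is a placeholder.
SAMPLE_CONF = """\
*.notice;authpriv.none;kern.debug;mail.crit /var/log/messages
auth.info;authpriv.info                     /var/log/auth.log
mail.info                                   /var/log/maillog
*.emerg                                     *
*.*;mail.none                               @loghost
!ppp
*.*                                         /var/log/ppp.log
"""

def parse(text):
    """Return {action: {facility: threshold}}: threshold indexes LEVELS (level `*`
    means debug) and -1 records an explicit `.none`. Comparison flags (=, !, >=)
    are approximated as >=; !prog and +host/-host blocks are skipped until `!*`/`+*`."""
    table, skipping = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line[:1] in ("!", "+", "-"):           # program/host block marker
            skipping = line.lstrip("!+-").strip() != "*"
            continue
        fields = line.split(None, 1)              # selector <whitespace> action
        if skipping or len(fields) != 2:
            continue
        dest = table.setdefault(fields[1], {})
        for part in fields[0].split(";"):
            facs, _, level = part.rpartition(".")
            level = level.lstrip("<>=!")
            idx = -1 if level == "none" else LEVELS.index(level) if level in LEVELS else 7
            for fac in filter(None, facs.split(",")):
                dest[fac] = idx
    return table

def threshold(dest, fac):
    """Threshold of `fac` for one action; an explicit entry (even `.none`) beats `*`."""
    return dest[fac] if fac in dest else dest.get("*", -1)

def local_only(table):
    """Return {(facility, path): level} for each facility a local file rule captures
    that no `@host` rule captures at least as verbosely (the tamper-evident copy)."""
    remotes = [d for a, d in table.items() if a.startswith("@")]
    gaps = {}
    for action, dest in table.items():
        if action.startswith("/"):                # a local file root could doctor
            for fac, idx in dest.items():
                if idx >= 0 and not any(threshold(r, fac) >= idx for r in remotes):
                    gaps[(fac, action)] = LEVELS[idx]
    return gaps
```

Run against the sample it reports that `mail.crit` in /var/log/messages and `mail.info` in /var/log/maillog have no remote copy, because the `mail.none` exclusion on the `@loghost` rule drops that facility.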
From nobody Fri Oct 27 01:56:55 2023
From: Tom Everett
To: freebsd-security@FreeBSD.org
Subject: Ansible playbook for secure installs
Date: Thu, 26 Oct 2023 19:56:55 -0600

For those who are interested, I have put together an Ansible playbook for
securing FreeBSD post-install. It borrows from the FreeBSD handbook and some
other sites which are acknowledged in the readme.md

The playbook is here

https://github.com/teverett/fbsd-secured

PR's are welcome.

--
Sent from Postbox