From owner-freebsd-questions@FreeBSD.ORG Thu Oct 2 17:44:24 2008 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 197611065730 for ; Thu, 2 Oct 2008 17:44:24 +0000 (UTC) (envelope-from freebsd-questions-local@be-well.ilk.org) Received: from mail1.sea5.speakeasy.net (mail1.sea5.speakeasy.net [69.17.117.3]) by mx1.freebsd.org (Postfix) with ESMTP id E83348FC21 for ; Thu, 2 Oct 2008 17:44:23 +0000 (UTC) (envelope-from freebsd-questions-local@be-well.ilk.org) Received: (qmail 31037 invoked from network); 2 Oct 2008 17:44:23 -0000 Received: from dsl092-078-145.bos1.dsl.speakeasy.net (HELO be-well.ilk.org) ([66.92.78.145]) (envelope-sender ) by mail1.sea5.speakeasy.net (qmail-ldap-1.03) with SMTP for ; 2 Oct 2008 17:44:23 -0000 Received: by be-well.ilk.org (Postfix, from userid 1147) id A4F3B2845C; Thu, 2 Oct 2008 13:44:21 -0400 (EDT) To: "DSA - JCR" References: <54674.217.114.136.134.1222857247.squirrel@mail.dsa.es> From: Lowell Gilbert Date: Thu, 02 Oct 2008 13:44:21 -0400 In-Reply-To: <54674.217.114.136.134.1222857247.squirrel@mail.dsa.es> (DSA's message of "Wed\, 1 Oct 2008 10\:34\:07 -0000 \(GMT\)") Message-ID: <44iqsayjre.fsf@be-well.ilk.org> User-Agent: Gnus/5.11 (Gnus v5.11) Emacs/22.2 (berkeley-unix) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Cc: freebsd-questions@freebsd.org Subject: Re: Securing system with kern.securelevel X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 02 Oct 2008 17:44:24 -0000 "DSA - JCR" writes: > I would like to use securelevel to secure a backup schedluded box made > with FreeBSD. > > This box mount and unmount external USB disk where the backup is made once > a week. In that case, you can't set the securelevel higher than 1. > Which would be the correct secure level ? 1, 2, or 3? 0 or 1. > I don't want nobody modify scripts and root things, like adding a user to > make the thing by itself, ... or modify my crontab scripts, etc... Is this a machine that typically has users logging into it? If not, I would concentrate on securing the login procedures available rather than working on limiting the abilities of accounts once they have access to the machine. Securelevel is useful in a fairly narrow range of situations: some of the less obvious are that you have to be sure that you will notice quickly if the machine reboots, and the machine has to be physically secure. > Also, where i must put the kern.securelevel? Set it in rc.conf. > I didnt understood very well in the manual and handbook in which part of > the bootin process (rc) i must put the line in rc.conf? See the manual for rc.conf(5). You will want the kern_securelevel_enable and kern_securelevel variables. -- Lowell Gilbert, embedded/networking software engineer, Boston area http://be-well.ilk.org/~lowell/