Date: Tue, 24 Oct 2023 13:31:12 +0200
From: Miroslav Lachman <000.fbsd@quip.cz>
To: void <void@f-m.fm>
Cc: freebsd-security@freebsd.org
Subject: Re: securelevel 1
Message-ID: <663fd243-94ec-40c1-ac66-ca8e3d5f278d@quip.cz>
In-Reply-To: <6638DADD-FCDB-492C-B1E8-441C6622038B@FreeBSD.org>
References: <ZTeaGFZjvcsKfbOW@int21h> <6638DADD-FCDB-492C-B1E8-441C6622038B@FreeBSD.org>
On 24/10/2023 13:08, Paweł Biernacki wrote:
> Setting kern.securelevel to 1 makes the kernel enforce the system-level
> immutable and append-only flags (see chflags(1/2)).
> Unless you do something extra, syslogd will create new files without these
> flags and newsyslog will rotate them as expected.

In other words - securelevel 1 means that you cannot remove flags on files
where the append-only or immutable flags are set, and securelevel cannot be
lowered on a running system.
But on a default installation there are only a few files protected by flags.
This list is from 13.2 amd64:

root@neon ~/ # find -s -x / -flags +schg,sappnd
/.sujournal
/lib/libc.so.7
/lib/libcrypt.so.5
/lib/libthr.so.3
/libexec/ld-elf.so.1
/libexec/ld-elf32.so.1
/sbin/init
/usr/bin/chpass
/usr/bin/crontab
/usr/bin/login
/usr/bin/opieinfo
/usr/bin/opiepasswd
/usr/bin/passwd
/usr/bin/su
/usr/lib/librt.so.1
/usr/lib32/libc.so.7
/usr/lib32/libcrypt.so.5
/usr/lib32/librt.so.1
/usr/lib32/libthr.so.3
/var/empty

Log files are not protected.

Kind regards
Miroslav Lachman

>> On 24 Oct 2023, at 12:19, void <void@f-m.fm> wrote:
>>
>> Hi,
>>
>> I'd like to set append-only on an arm64 system running stable/14-n265566
>> (so securelevel=1) but how would newsyslog(8) handle it? How will it rotate
>> logs?
>>
>> --
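As an added illustration (not code from this thread or from FreeBSD), a small audit that parses the flags column of `ls -lo` output and reports which files carry system-level flags that securelevel >= 1 locks in place, and which logs under /var/log newsyslog would therefore be unable to rotate. The sample `ls -lo` lines are constructed; the column layout assumed is the FreeBSD one (mode, links, owner, group, flags, size, date, name).

```python
#!/usr/bin/env python3
"""Audit 'ls -lo' output for chflags(1) flags that securelevel >= 1 locks in place."""

# System-level flags: only root may set them, and at kern.securelevel >= 1
# nobody, root included, can clear them until the next boot.
SYSTEM_FLAGS = {"schg", "sappnd", "sunlnk"}
# Flags that stop newsyslog(8) from renaming a log out of the way; user-level
# flags (uchg, uappnd, ...) are not listed because root can still clear those.
ROTATION_BLOCKERS = {"schg", "sappnd"}

# Constructed sample of 'ls -lo' output (FreeBSD long format with a flags column).
SAMPLE_LS_LO = """\
total 12
-r-xr-xr-x  1 root  wheel  schg         1234 Oct 24  2023 /sbin/init
-r--r--r--  1 root  wheel  -             567 Oct 24  2023 /etc/rc.conf
-rw-r--r--  1 root  wheel  sappnd      89012 Oct 24 13:31 /var/log/auth.log
-rw-r--r--  1 root  wheel  -           45678 Oct 24 13:31 /var/log/messages
-rw-------  1 root  wheel  uappnd       9999 Oct 24 13:31 /var/log/security
"""


def parse_ls_lo(text):
    """Return {path: set(flags)} from 'ls -lo' lines; a flags column of '-' means none."""
    result = {}
    for line in text.splitlines():
        # mode links owner group flags size month day time-or-year name
        fields = line.split(None, 9)
        if len(fields) < 10 or not fields[0].startswith(("-", "d", "l")):
            continue  # skip 'total N' lines and anything malformed
        flags = set() if fields[4] == "-" else set(fields[4].split(","))
        result[fields[9]] = flags
    return result


def locked_at_securelevel(flags_by_path):
    """Paths whose flags cannot be cleared while securelevel >= 1."""
    return sorted(p for p, f in flags_by_path.items() if f & SYSTEM_FLAGS)


def unrotatable_logs(flags_by_path, logdir="/var/log"):
    """Logs under logdir that newsyslog cannot rotate while securelevel >= 1."""
    return sorted(p for p, f in flags_by_path.items()
                  if p.startswith(logdir + "/") and f & ROTATION_BLOCKERS)


if __name__ == "__main__":
    parsed = parse_ls_lo(SAMPLE_LS_LO)
    print("locked at securelevel >= 1:", locked_at_securelevel(parsed))
    print("newsyslog cannot rotate:", unrotatable_logs(parsed))
```

On a real host, feed it the output of `ls -lo` over the directories of interest (or the paths from the `find -flags +schg,sappnd` listing above) instead of the constructed sample.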