From: Miroslav Lachman <000.fbsd@quip.cz>
To: void
Cc: freebsd-security@freebsd.org
Date: Tue, 24 Oct 2023 13:31:12 +0200
Subject: Re: securelevel 1
Message-ID: <663fd243-94ec-40c1-ac66-ca8e3d5f278d@quip.cz>
In-Reply-To: <6638DADD-FCDB-492C-B1E8-441C6622038B@FreeBSD.org>
List-Id: Security issues
List-Archive: https://lists.freebsd.org/archives/freebsd-security

On 24/10/2023 13:08, Paweł Biernacki wrote:
> Setting kern.securelevel to 1 makes the kernel enforce the system-level immutable and append-only flags (see chflags(1/2)).
> Unless you do something extra, syslogd will create new files without these flags and newsyslog will rotate them as expected.

In other words, securelevel 1 means that you cannot remove the append-only or immutable flags from files where they are set, and securelevel cannot be lowered on a running system. But on a default installation there are only a few files protected by flags.

This list is from 13.2 amd64:

root@neon ~/ # find -s -x / -flags +schg,sappnd
/.sujournal
/lib/libc.so.7
/lib/libcrypt.so.5
/lib/libthr.so.3
/libexec/ld-elf.so.1
/libexec/ld-elf32.so.1
/sbin/init
/usr/bin/chpass
/usr/bin/crontab
/usr/bin/login
/usr/bin/opieinfo
/usr/bin/opiepasswd
/usr/bin/passwd
/usr/bin/su
/usr/lib/librt.so.1
/usr/lib32/libc.so.7
/usr/lib32/libcrypt.so.5
/usr/lib32/librt.so.1
/usr/lib32/libthr.so.3
/var/empty

Log files are not protected.

Kind regards
Miroslav Lachman

>> On 24 Oct 2023, at 12:19, void wrote:
>>
>> Hi,
>>
>> I'd like to set append-only on an arm64 system running stable/14-n265566
>> (so securelevel=1) but how would newsyslog(8) handle it? How will it rotate
>> logs?
>>
>> --
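An added audit script for the listing above (editor's example, not from the thread or from FreeBSD itself): it compares the set of schg/sappnd-flagged paths against a saved baseline, so a protected binary that lost its flag or an unexpected path that gained one gets reported. The baseline is a constructed subset of the 13.2 listing and the "current" list is constructed too; on a live host the current list would be the output of `find -s -x / -flags +schg,sappnd`.

```shell
#!/bin/sh
# Added example (not from the thread): report drift in the set of files
# carrying the schg or sappnd flag. On FreeBSD the live list comes from
#   find -s -x / -flags +schg,sappnd
# Both lists here are constructed inline so the check runs anywhere.

# Baseline: a subset of the 13.2 amd64 listing quoted in the mail.
BASELINE='/lib/libc.so.7
/libexec/ld-elf.so.1
/sbin/init
/usr/bin/passwd
/usr/bin/su
/var/empty'

# Constructed "current" listing: /sbin/init no longer carries a flag and an
# unexpected /tmp/.x does. Either difference deserves a look.
CURRENT='/lib/libc.so.7
/libexec/ld-elf.so.1
/tmp/.x
/usr/bin/passwd
/usr/bin/su
/var/empty'

# flag_drift BASELINE CURRENT
# Prints "-path" for baseline entries that are no longer flagged and "+path"
# for newly flagged entries; returns 0 when the lists match, 1 otherwise.
flag_drift() {
    drift=$(printf '%s\n' "$1" | awk -v cur="$2" '
        BEGIN {
            n = split(cur, a, "\n")
            for (i = 1; i <= n; i++) if (a[i] != "") seen[a[i]] = 1
        }
        NF { base[$0] = 1; if (!($0 in seen)) print "-" $0 }
        END { for (p in seen) if (!(p in base)) print "+" p }
    ' | LC_ALL=C sort)
    [ -n "$drift" ] && printf '%s\n' "$drift"
    [ -z "$drift" ]
}

# Stand-alone run: prints "+/tmp/.x", "-/sbin/init" and then "drift detected".
flag_drift "$BASELINE" "$CURRENT" || echo "drift detected"
```

Run from cron against a baseline saved right after installation; a non-zero exit is the signal to investigate.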