From owner-freebsd-doc@FreeBSD.ORG Fri Jul 29 03:50:22 2005
Date: Thu, 28 Jul 2005 20:44:31 -0700
From: "Gary W. Swearingen"
To: FreeBSD-gnats-submit@FreeBSD.org
Cc:
Subject: docs/84266: security(8) manpage should have init(8)'s list of security levels
Reply-To: garys@opusnet.com
Resent-Date: Fri, 29 Jul 2005 03:50:20 GMT
Resent-Message-Id: <200507290350.j6T3oKDw017948@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-doc@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, garys@opusnet.com
List-Id: Documentation project

>Number: 84266
>Category: docs
>Synopsis: security(8) manpage should have init(8)'s list of security levels
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-doc
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Fri Jul 29 03:50:20 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator: Gary W. Swearingen
>Release: FreeBSD 5.4-RELEASE i386
>Organization: none
>Environment: n/a
>Description:
The init(8) manpage says what init(8) does with the system security levels, but it's rather off-topic to have the description of the security levels there. The security(7) manpage is a better home for it.
>How-To-Repeat: n/a
>Fix:
Move the descriptions and edit the contexts a bit. I also changed "securelevel" to "secure level" a few times.

--- /pr/work/security..orig.7 Thu Jul 28 19:58:11 2005 +++ /pr/work/security.7 Thu Jul 28 20:33:59 2005 @@ -21,7 +21,7 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $FreeBSD: src/share/man/man7/security.7,v 1.39 2004/08/07 04:40:20 imp Exp $ +.\" $FreeBSD: Exp $ .\" .Dd September 18, 1999 .Dt SECURITY 7 
@@ -498,14 +498,14 @@ .Xr bpf 4 device or other sniffing device on a running kernel. To avoid these problems you have to run -the kernel at a higher secure level, at least securelevel 1. -The securelevel can be set with a +the kernel at a higher secure level, at least secure level 1. +The secure level can be set with a .Xr sysctl 8 on the .Va kern.securelevel variable. Once you have -set the securelevel to 1, write access to raw devices will be denied and +set the secure level to 1, write access to raw devices will be denied and special .Xr chflags 1 flags, such as @@ -515,7 +515,7 @@ that the .Cm schg flag is set on critical startup binaries, directories, and -script files \(em everything that gets run up to the point where the securelevel +script files \(em everything that gets run up to the point where the secure level is set. This might be overdoing it, and upgrading the system is much more difficult when you operate at a higher secure level. 
@@ -533,6 +533,62 @@ It should be noted that being too draconian in what you attempt to protect may prevent the all-important detection of an intrusion. +.Pp +The kernel runs with five different levels of security. +Any super-user process can raise the security level, but no process +can lower it. +The security levels are: +.Bl -tag -width flag +.It Ic -1 +Permanently insecure mode \- always run the system in level 0 mode. +This is the default initial value. +.It Ic 0 +Insecure mode \- immutable and append-only flags may be turned off. +All devices may be read or written subject to their permissions. +.It Ic 1 +Secure mode \- the system immutable and system append-only flags may not +be turned off; +disks for mounted file systems, +.Pa /dev/mem , +.Pa /dev/kmem +and +.Pa /dev/io +(if your platform has it) may not be opened for writing; +kernel modules (see +.Xr kld 4 ) +may not be loaded or unloaded. +.It Ic 2 +Highly secure mode \- same as secure mode, plus disks may not be +opened for writing (except by +.Xr mount 2 ) +whether mounted or not. +This level precludes tampering with file systems by unmounting them, +but also inhibits running +.Xr newfs 8 +while the system is multi-user. +.Pp +In addition, kernel time changes are restricted to less than or equal to one +second. +Attempts to change the time by more than this will log the message +.Dq Time adjustment clamped to +1 second . +.It Ic 3 +Network secure mode \- same as highly secure mode, plus +IP packet filter rules (see +.Xr ipfw 8 , +.Xr ipfirewall 4 +and +.Xr pfctl 8 ) +cannot be changed and +.Xr dummynet 4 +or +.Xr pf 4 +configuration cannot be adjusted. +.El +.Pp +The secure level is discussed further in +.Xr init 8 +and can be configured with variables documented in +.Xr rc.conf 8 . 
.Sh CHECKING FILE INTEGRITY: BINARIES, CONFIG FILES, ETC When it comes right down to it, you can only protect your core system configuration and control files so much before the convenience factor --- /pr/work/init..orig.8 Thu Jul 28 19:59:24 2005 +++ /pr/work/init.8 Thu Jul 28 20:33:47 2005 @@ -29,7 +29,7 @@ .\" SUCH DAMAGE. .\" .\" @(#)init.8 8.3 (Berkeley) 4/18/94 -.\" $FreeBSD: src/sbin/init/init.8,v 1.45 2004/07/22 10:38:13 keramida Exp $ +.\" $FreeBSD: Exp $ .\" .Dd April 18, 1994 .Dt INIT 8 
@@ -87,58 +87,9 @@ is marked as .Dq secure . .Pp -The kernel runs with five different levels of security. -Any super-user process can raise the security level, but no process -can lower it. -The security levels are: -.Bl -tag -width flag -.It Ic -1 -Permanently insecure mode \- always run the system in level 0 mode. -This is the default initial value. -.It Ic 0 -Insecure mode \- immutable and append-only flags may be turned off. -All devices may be read or written subject to their permissions. -.It Ic 1 -Secure mode \- the system immutable and system append-only flags may not -be turned off; -disks for mounted file systems, -.Pa /dev/mem , -.Pa /dev/kmem -and -.Pa /dev/io -(if your platform has it) may not be opened for writing; -kernel modules (see -.Xr kld 4 ) -may not be loaded or unloaded. -.It Ic 2 -Highly secure mode \- same as secure mode, plus disks may not be -opened for writing (except by -.Xr mount 2 ) -whether mounted or not. -This level precludes tampering with file systems by unmounting them, -but also inhibits running -.Xr newfs 8 -while the system is multi-user. -.Pp -In addition, kernel time changes are restricted to less than or equal to one -second. -Attempts to change the time by more than this will log the message -.Dq Time adjustment clamped to +1 second . -.It Ic 3 -Network secure mode \- same as highly secure mode, plus -IP packet filter rules (see -.Xr ipfw 8 , -.Xr ipfirewall 4 -and -.Xr pfctl 8 ) -cannot be changed and -.Xr dummynet 4 -or -.Xr pf 4 -configuration cannot be adjusted. -.El -.Pp -If the security level is initially nonzero, then +If the kernel security level (see +.Xr security 7 ) +is initially nonzero, then .Nm leaves it unchanged. Otherwise, 
@@ -161,9 +112,7 @@ .Dq host system will not be effected. Part of the information set up in the kernel to support a jail -is a per-jail -.Dq securelevel -setting. +is a per-jail setting of the security level. This allows running a higher security level inside of a jail than that of the host system. See @@ -392,19 +341,13 @@ .Xr kill 1 , .Xr login 1 , .Xr sh 1 , -.Xr dummynet 4 , -.Xr ipfirewall 4 , -.Xr kld 4 , -.Xr pf 4 , .Xr ttys 5 , -.Xr crash 8 , .Xr getty 8 , .Xr halt 8 , -.Xr ipfw 8 , .Xr jail 8 , -.Xr pfctl 8 , .Xr rc 8 , .Xr reboot 8 , +.Xr security 7 , .Xr shutdown 8 , .Xr sysctl 8 .Sh HISTORY

>Release-Note:
>Audit-Trail:
>Unformatted:
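Review bot: The first security.7 hunk (@@ -21,7 +21,7 @@) should not be in the patch at all: it only rewrites the repository keyword line from `$FreeBSD: src/share/man/man7/security.7,v 1.39 ... $` to `$FreeBSD: Exp $`, which reflects the submitter's local checkout rather than an intended change, and a committer would have to strip it by hand. Drop this hunk and instead bump the `.Dd September 18, 1999` line visible in the same context, since the page's content changes substantially with this PR.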
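Review bot: In the security.7 hunk at @@ -498,14 +498,14 @@ the prose is changed from "securelevel" to "secure level" while the very next lines still (correctly) name the `kern.securelevel` sysctl variable, so the page now uses two spellings for the same concept within a few lines. Either keep the one-word form that matches the variable name, or apply the two-word form consistently across the whole page and in the init.8 hunk at @@ -161,9 +112,7 @@ rather than only in the lines this patch happens to touch.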
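Review bot: In the security.7 hunk at @@ -533,6 +533,62 @@ the closing paragraph cross-references `.Xr rc.conf 8`, but rc.conf is documented in section 5, so this should read `.Xr rc.conf 5`. In the same hunk, the moved text references init(8), kld(4), mount(2), newfs(8), ipfw(8), ipfirewall(4), pfctl(8), dummynet(4) and pf(4); the init.8 hunk at @@ -392,19 +341,13 @@ removes several of these from init.8's SEE ALSO because the text moved, but nothing in this patch adds them to security.7's SEE ALSO, so they are lost from the cross-reference list entirely. Add the corresponding `.Xr` entries to security.7's SEE ALSO section in the same change.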
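Review bot: The first init.8 hunk (@@ -29,7 +29,7 @@) has the same problem as the first security.7 hunk: it replaces the `$FreeBSD: src/sbin/init/init.8,v 1.45 ... $` keyword line with `$FreeBSD: Exp $`, which is checkout noise rather than an intended edit. Remove this hunk and bump the `.Dd April 18, 1994` line shown in its context instead, since the page's text changes.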
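Review bot: In the init.8 hunk at @@ -87,58 +87,9 @@ the replacement sentence "If the kernel security level (see security(7)) is initially nonzero, then init leaves it unchanged" is correct but leaves init.8 with no statement of what the levels are or that they can only be raised, which is exactly the behaviour the surrounding text depends on. Consider keeping a one-sentence summary here (for example that the level ranges from -1 to 3 and that any super-user process can raise it but no process can lower it, as the removed lines say) before pointing the reader to security(7) for the full descriptions.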
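Review bot: In the init.8 hunk at @@ -161,9 +112,7 @@ the unchanged context line "host system will not be effected" carries a pre-existing typo: it should be "affected". Since this paragraph is being edited anyway, fix it in the same hunk.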
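Review bot: In the init.8 SEE ALSO hunk at @@ -392,19 +341,13 @@ the new `.Xr security 7 ,` entry is inserted between `.Xr reboot 8 ,` and `.Xr shutdown 8 ,`; mdoc SEE ALSO lists are ordered by section number and then alphabetically, so it belongs after `.Xr ttys 5 ,` and before `.Xr getty 8 ,`. Separately, this hunk also drops `.Xr crash 8 ,`, which the moved security-level text never referenced, so that removal looks unrelated to this PR; either keep it or state in the PR why it is being removed.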