From: Cy Schubert
To: Miroslav Lachman <000.fbsd@quip.cz>
Cc: void, freebsd-security@freebsd.org
Subject: Re: securelevel 1
Date: Tue, 24 Oct 2023 10:41:15 -0700

This is correct. If you wish to completely secure your filesystems from
write you would need to add schg and sappend to the appropriate files on
the system. This of course means that any updates to the system, like
installworld and installkernel, will require single user state and filing
off of the schg bits prior to the update. You'd need to create a script to
enable schg on all relevant files and disable it prior to update.

Back in the day at $JOB-1, when I led the Solaris Team there, the Linux
team, next to me, were playing with setting the hardware read-only bit in
the system drive. They also played with booting off custom ISO. Both were
dropped as updating the servers was impossible without significant effort.
Back in those days there were no remote consoles or ILOs so trips down the
elevator to the raised floor in the basement were a common thing.

I think securelevel when done properly would present similar challenges.

-- 
Cheers,
Cy Schubert
FreeBSD UNIX: Web: https://FreeBSD.org
NTP: Web: https://nwtime.org

e^(i*pi)+1=0

In message <663fd243-94ec-40c1-ac66-ca8e3d5f278d@quip.cz>, Miroslav Lachman writes:
> On 24/10/2023 13:08, Paweł Biernacki wrote:
> > Setting kern.securelevel to 1 makes the kernel to enforce the system-level
> > immutable and append-only flags (see chflags(1/2)).
> > Unless you do something extra, syslogd will create new files without these
> > flags and newsyslog will rotate them as expected.
>
> In other words - securelevel 1 causes that you cannot remove flags on
> files where append-only or immutable flags are set, securelevel cannot
> be lowered on running system. But on default installation there are only
> few files protected by flags.
> This list is from 13.2 amd64:
>
> root@neon ~/ # find -s -x / -flags +schg,sappnd
> /.sujournal
> /lib/libc.so.7
> /lib/libcrypt.so.5
> /lib/libthr.so.3
> /libexec/ld-elf.so.1
> /libexec/ld-elf32.so.1
> /sbin/init
> /usr/bin/chpass
> /usr/bin/crontab
> /usr/bin/login
> /usr/bin/opieinfo
> /usr/bin/opiepasswd
> /usr/bin/passwd
> /usr/bin/su
> /usr/lib/librt.so.1
> /usr/lib32/libc.so.7
> /usr/lib32/libcrypt.so.5
> /usr/lib32/librt.so.1
> /usr/lib32/libthr.so.3
> /var/empty
>
> Log files are not protected.
>
> Kind regards
> Miroslav Lachman
>
>
> >> On 24 Oct 2023, at 12:19, void wrote:
> >>
> >> Hi,
> >>
> >> I'd like to set append-only on an arm64 system running stable/14-n265566
> >> (so securelevel=1) but how would newsyslog(8) handle it? How will it rotate
> >> logs?
> >>
> >> --
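The enable/disable script suggested in the reply above, sketched as an added example (not from the thread or the FreeBSD project). The manifest file, the function names and the overridable CHFLAGS/SYSCTL variables are assumptions for illustration; `chflags schg`/`noschg` and `sysctl -n kern.securelevel` are the stock FreeBSD commands.

```shell
#!/bin/sh
# Added example, not from the thread. The manifest lists the admin's chosen paths.
# CHFLAGS/SYSCTL can be overridden to dry-run the logic on a non-FreeBSD host.
: "${CHFLAGS:=chflags}" "${SYSCTL:=sysctl}"

# True only when the running kernel still permits clearing system flags.
can_clear_flags() {
    level=$("$SYSCTL" -n kern.securelevel) || return 2
    [ "$level" -lt 1 ]
}

# apply_flag FLAG MANIFEST: run chflags FLAG on each listed path.
# Manifest: one path per line; blank lines and '#' comments are skipped.
# Returns 0 if every path was changed, 1 if any chflags call failed.
apply_flag() {
    flag=$1 manifest=$2 rc=0
    while IFS= read -r path || [ -n "$path" ]; do
        case $path in ''|'#'*) continue ;; esac
        "$CHFLAGS" "$flag" "$path" || { echo "failed: $flag $path" >&2; rc=1; }
    done < "$manifest"
    return "$rc"
}

lock_files() { apply_flag schg "$1"; }

# Refuse early instead of letting every chflags call fail one by one.
unlock_files() {
    if ! can_clear_flags; then
        echo "cannot clear flags: kern.securelevel is >= 1 or unreadable" >&2
        return 3
    fi
    apply_flag noschg "$1"
}

case ${1:-} in
    lock)   lock_files   "${2:?manifest path required}" ;;
    unlock) unlock_files "${2:?manifest path required}" ;;
    '')     : ;;  # no arguments: define the functions only
    *)      echo "usage: $0 lock|unlock MANIFEST" >&2; exit 64 ;;
esac
```

Run `lock` while the flags can still be set, and `unlock` from single-user mode before installworld or installkernel.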