From: Chuck Swiger
Date: Thu, 27 Jan 2005 18:16:14 -0500
To: Sean Murphy
Cc: freebsd-questions@freebsd.org
Subject: Re: kern secure level help

Sean Murphy wrote:
> I guess by default FreeBSD runs at -1

That's right.

> what would most of you recommend doing? is this primary to keep local
> users (ssh) in check? does it help in remote attacks (buffer overflow)
> is it even needed?

Read "man securelevel" and see for yourself what it does.

High securelevels are intended for dedicated appliances like network firewalls which do not have interactive users, generally are not offering services to the world, are expected to be configured once, and then left alone for long periods of time.

Setting a securelevel does not help in remote-access compromises like buffer overflows in system daemons, which is why they are not particularly useful for machines supporting interactive logins and offering network services.

For those, running portaudit and keeping the base-system and ports up to date is more helpful...

-- 
-Chuck