From: Lowell Gilbert
To: Tim Judd
Cc: freebsd-questions
Date: Sun, 21 Jun 2009 13:31:14 -0400
Subject: Re: kern.securelevel
Message-ID: <441vpdmr31.fsf@lowell-desk.lan>

Tim Judd writes:

> Something dawned on me. FreeBSD/Open/Net are all well secured
> systems. On an Internet-facing router, would applying a higher
> kern.securelevel provide any better, tighter, higher security if the
> machine was broken into? Given you need to lower the securelevel
> before multiuser, it is a reasonable to think raising the securelevel
> will give higher comfort feeling?

I can't understand your last sentence. The obvious thing is that a raised securelevel only helps if it doesn't get in the way of operations you need to do. A bit less obvious is that it only helps if you are sure you will know if the system reboots.

-- 
Lowell Gilbert, embedded/networking software engineer, Boston area
http://be-well.ilk.org/~lowell/
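
The reply above ties the value of a raised securelevel to noticing reboots, because a running system's securelevel can only be raised. As an added example (not part of the original message), this sh sketch compares the current `kern.boottime` and `kern.securelevel` against previously recorded expectations. The function names, the sample values, and the assumption that the recorded boot time is kept somewhere off the monitored host are all illustrative.

```shell
#!/bin/sh
# Added example: flag an unexpected reboot or a lowered securelevel.
# On FreeBSD the live inputs would come from:
#   sysctl -n kern.boottime    and    sysctl -n kern.securelevel
# Here they are constructed sample strings so the logic runs anywhere.

# Extract the boot epoch from kern.boottime output of the form
# "{ sec = 1245605474, usec = 0 } Sun Jun 21 17:31:14 2009".
boottime_sec() {
    printf '%s\n' "$1" | sed -n 's/^{ sec = \([0-9][0-9]*\),.*/\1/p'
}

# check_host RECORDED_BOOT_SEC BOOTTIME_OUTPUT CURRENT_LEVEL EXPECTED_LEVEL
# Prints one finding per line. Returns 0 if nothing is wrong,
# 1 on a reboot or low securelevel, 2 if the boot time cannot be parsed.
check_host() {
    recorded=$1
    current=$(boottime_sec "$2")
    level=$3
    expected=$4
    status=0
    if [ -z "$current" ]; then
        echo "ERROR: cannot parse kern.boottime"
        return 2
    fi
    if [ "$current" -ne "$recorded" ]; then
        echo "ALERT: reboot since last check (boot $recorded -> $current)"
        status=1
    fi
    if [ "$level" -lt "$expected" ]; then
        echo "ALERT: kern.securelevel is $level, expected at least $expected"
        status=1
    fi
    [ "$status" -eq 0 ] && echo "OK: same boot, securelevel $level"
    return "$status"
}

# Constructed samples (not taken from a real host).
SAMPLE_SAME='{ sec = 1245605474, usec = 0 } Sun Jun 21 17:31:14 2009'
SAMPLE_NEW='{ sec = 1245691874, usec = 0 } Mon Jun 22 17:31:14 2009'

check_host 1245605474 "$SAMPLE_SAME" 2 2 || true    # unchanged boot, level as expected
check_host 1245605474 "$SAMPLE_NEW" -1 2 || true    # rebooted and came up at -1
```

The comparison is only trustworthy if the recorded boot time is stored where an intruder on the router cannot rewrite it.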