From owner-freebsd-questions  Mon Nov 26  7: 4:52 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from guru.mired.org (okc-65-31-203-60.mmcable.com [65.31.203.60])
	by hub.freebsd.org (Postfix) with SMTP id DCBD537B416
	for <questions@freebsd.org>; Mon, 26 Nov 2001 07:04:48 -0800 (PST)
Received: (qmail 61801 invoked by uid 100); 26 Nov 2001 15:04:47 -0000
From: Mike Meyer <mwm@mired.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <15362.23055.336143.894625@guru.mired.org>
Date: Mon, 26 Nov 2001 09:04:47 -0600
To: "Anthony Atkielski" <anthony@freebie.atkielski.com>
Cc: questions@freebsd.org
Subject: Re: What is the best secure_level setting?
In-Reply-To: <7413761@toto.iv>
X-Mailer: VM 6.90 under 21.1 (patch 14) "Cuyahoga Valley" XEmacs Lucid
X-face: "5Mnwy%?j>IIV\)A=):rjWL~NB2aH[}Yq8Z=u~vJ`"(,&SiLvbbz2W`;h9L,Yg`+vb1>RG%
 *h+%X^n0EZd>TM8_IB;a8F?(Fb"lw'IgCoyM.[Lg#r\
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-questions.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-questions>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-questions>
X-Loop: FreeBSD.ORG

Anthony Atkielski <anthony@freebie.atkielski.com> types:
> I am looking at secure_level in FreeBSD and wondering what setting is
> appropriate.  The default seems to be the lowest possible setting of -1, but I
> don't see any obvious reason why I can't run at +1.  What levels do you all run
> your systems at normally?
> 
> I've already been warned that X servers won't run on a machine at
> secure_level=1, but for me that's just another reason not to use X servers on
> the host machine, not a reason to keep the secure_level lower.

Once you turn it up to 1, you can't install a new kernel or load
kernel modules. Other things - hardware health monitors, for instance
- also fail. For those reasons, I run things that aren't accessible
from the internet at large at -1. If an attacker has a shell account
on such a machine, the network is already fubar'ed, and I like being
able to install new kernels and run hardware health monitors on
them. Things that can be reached from the internet are set to
3. System things on them don't change very often, so this isn't much
of an inconvenience.

	<mike
--
Mike Meyer <mwm@mired.org>			http://www.mired.org/home/mwm/
Q: How do you make the gods laugh?		A: Tell them your plans.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message