Re: Securing FreeBSD.

From: Dewayne Geraghty <dewayne_at_heuristicsystems.com.au>
Date: Sat, 05 Apr 2025 01:40:53 UTC
Good advise Albert.  If you really want to prevent root access then, the 
next step is
kldload mac_bsdextended
and use ugidfw.

Refer to handbook example:
https://docs.freebsd.org/en/books/handbook/book/#mac-bsdextended
I use this for some files.

>> Isn't the very definition of root (superuser) is that they can do *ANYTHING*?
> 
> Well....not always...try this :
> 
>    echo 'kern.securelevel=2' >> /etc/sysctl.conf
>    chflags schg /etc/sysctl.conf
>    sysctl kern.securelevel=2
>    touch /root/file
>    chflags schg /root/file
> 
> and tell me how you will remove the file
> 
>    /root/file
> 
> without be in the front of the server (no IPMI, no drac etc.)
> 
> Regards