Re: Securing FreeBSD.
- In reply to: Dewayne Geraghty : "Re: Securing FreeBSD."
Date: Sat, 05 Apr 2025 07:24:10 UTC
On 05/04/2025 at 12:40:53+1100, Dewayne Geraghty wrote:

Hi,

> Good advice Albert. If you really want to prevent root access then, the
> next step is
> kldload mac_bsdextended
> and use ugidfw.
>
> Refer to handbook example:
> https://docs.freebsd.org/en/books/handbook/book/#mac-bsdextended
> I use this for some files.

Thanks, I know that exists...but never read it.

Do you think with that I can prevent root from destroying a zpool (or formatting a disk)?

Regards

> > > Isn't the very definition of root (superuser) that they can do *ANYTHING*?
> >
> > Well....not always...try this:
> >
> >     echo 'kern.securelevel=2' >> /etc/sysctl.conf
> >     chflags schg /etc/sysctl.conf
> >     sysctl kern.securelevel=2
> >     touch /root/file
> >     chflags schg /root/file
> >
> > and tell me how you will remove the file
> >
> >     /root/file
> >
> > without being in front of the server (no IPMI, no drac etc.)
> >
> > Regards

-- 
Albert SHIH 🦫 🐸
France
Local time: Sat. 05 April 2025 09:22:30 CEST
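
Added example, not part of the thread or of FreeBSD itself: a small sh audit for the securelevel/schg setup quoted above, reporting whether a file's schg flag can still be cleared by root and which kern.securelevel is persisted in sysctl.conf. The function names and verdict labels are made up for this illustration; the live part only runs on FreeBSD when file paths are passed as arguments.

```sh
#!/bin/sh
# Added example (not from the thread): audit the schg + securelevel setup.

# has_flag FLAGS NAME -> success if NAME is in the comma-separated FLAGS list
has_flag() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# schg_verdict SECURELEVEL FLAGS  (verdict labels are hypothetical)
#   locked     schg set and securelevel >= 1: the flag cannot be turned
#              off while the system stays at that securelevel
#   clearable  schg set but securelevel < 1: root can run "chflags noschg"
#   unflagged  schg not set on the file
schg_verdict() {
    level=$1 flags=$2
    if ! has_flag "$flags" schg; then
        echo unflagged
    elif [ "$level" -ge 1 ]; then
        echo locked
    else
        echo clearable
    fi
}

# persisted_level FILE -> last kern.securelevel value set in FILE (empty if none)
persisted_level() {
    sed -n 's/^[[:space:]]*kern\.securelevel[[:space:]]*=[[:space:]]*\(-\{0,1\}[0-9][0-9]*\).*/\1/p' "$1" | tail -n 1
}

# Live use on FreeBSD: sh audit.sh /root/file /etc/sysctl.conf
if [ "$#" -gt 0 ] && [ "$(uname -s)" = FreeBSD ]; then
    level=$(sysctl -n kern.securelevel)
    for f in "$@"; do
        # stat -f %Sf prints the file flags symbolically, e.g. "schg,uarch"
        printf '%s: %s\n' "$f" "$(schg_verdict "$level" "$(stat -f %Sf "$f")")"
    done
    printf 'sysctl.conf sets kern.securelevel=%s (running: %s)\n' \
        "$(persisted_level /etc/sysctl.conf)" "$level"
fi
```

A "clearable" verdict on /etc/sysctl.conf itself means the persisted securelevel line can still be edited before the next boot.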