Re: securelevel 1

From: Cy Schubert <Cy.Schubert_at_cschubert.com>
Date: Tue, 24 Oct 2023 17:41:15 UTC
This is correct.

If you wish to completely secure your filesystems from write you would need 
to add schg and sappend to the appropriate files on the system. This of 
course means that any updates to the system, like installworld and 
installkernel, will require single user state and filing off of the schg 
bits prior to the update. You'd need to create a script to enable schg on 
all relevant files and disable it prior to update.

Back in the day at $JOB-1, when I led the Solaris Team there, the Linux 
team, next to me, were playing with setting the hardware read-only bit in 
the system drive. They also played with booting off custom ISO. Both were 
dropped as updating the servers was impossible without significant effort. 
Back in those days there were no remote consoles or ILOs so trips down the 
elevaytor to the raised floor in the basement was a common thing. I think 
securelevel when done properly would present similar challenges.


-- 
Cheers,
Cy Schubert <Cy.Schubert@cschubert.com>
FreeBSD UNIX:  <cy@FreeBSD.org>   Web:  https://FreeBSD.org
NTP:           <cy@nwtime.org>    Web:  https://nwtime.org

			e^(i*pi)+1=0


In message <663fd243-94ec-40c1-ac66-ca8e3d5f278d@quip.cz>, Miroslav Lachman 
wri
tes:
> On 24/10/2023 13:08, Paweł Biernacki wrote:
> > Setting kern.securelevel to 1 makes the kernel to enforce the system-level 
> immutable and append-only flags (see chflags(1/2)).
> > Unless you do something extra, syslogd will create new files without these 
> flags and newsyslog will rotate them as expected.
>
> In other words - securelevel 1 causes that you cannot remove flags on 
> files where append-only or immutable flags are set, securelevel cannot 
> be lowered on running system. But on default instalation there are only 
> few files protected by flags.
> This list is from 13.2 amd64:
>
> root@neon ~/ # find -s -x / -flags +schg,sappnd
> /.sujournal
> /lib/libc.so.7
> /lib/libcrypt.so.5
> /lib/libthr.so.3
> /libexec/ld-elf.so.1
> /libexec/ld-elf32.so.1
> /sbin/init
> /usr/bin/chpass
> /usr/bin/crontab
> /usr/bin/login
> /usr/bin/opieinfo
> /usr/bin/opiepasswd
> /usr/bin/passwd
> /usr/bin/su
> /usr/lib/librt.so.1
> /usr/lib32/libc.so.7
> /usr/lib32/libcrypt.so.5
> /usr/lib32/librt.so.1
> /usr/lib32/libthr.so.3
> /var/empty
>
> Log files are not protected.
>
> Kind regards
> Miroslav Lachman
>
>
> >> On 24 Oct 2023, at 12:19, void <void@f-m.fm> wrote:
> >>
> >> Hi,
> >>
> >> I'd like to set append-only on an arm64 system running stable/14-n265566
> >> (so securelevel=1) but how would newsyslog(8) handle it? How will it rotat
> e
> >> logs?
> >>
> >> -- 
> >>
> > 
> > 
>
>