Re: securelevel 1
- In reply to: Miroslav Lachman : "Re: securelevel 1"
Date: Tue, 24 Oct 2023 17:41:15 UTC
This is correct. If you wish to completely secure your filesystems from write you would need to add schg and sappend to the appropriate files on the system. This of course means that any updates to the system, like installworld and installkernel, will require single user state and filing off of the schg bits prior to the update. You'd need to create a script to enable schg on all relevant files and disable it prior to update.

Back in the day at $JOB-1, when I led the Solaris Team there, the Linux team, next to me, were playing with setting the hardware read-only bit in the system drive. They also played with booting off custom ISO. Both were dropped as updating the servers was impossible without significant effort. Back in those days there were no remote consoles or ILOs so trips down the elevator to the raised floor in the basement were a common thing.

I think securelevel when done properly would present similar challenges.

--
Cheers,
Cy Schubert <Cy.Schubert@cschubert.com>
FreeBSD UNIX: <cy@FreeBSD.org> Web: https://FreeBSD.org
NTP: <cy@nwtime.org> Web: https://nwtime.org

e^(i*pi)+1=0

In message <663fd243-94ec-40c1-ac66-ca8e3d5f278d@quip.cz>, Miroslav Lachman writes:
> On 24/10/2023 13:08, Paweł Biernacki wrote:
> > Setting kern.securelevel to 1 makes the kernel enforce the system-level
> > immutable and append-only flags (see chflags(1/2)).
> > Unless you do something extra, syslogd will create new files without these
> > flags and newsyslog will rotate them as expected.
>
> In other words - securelevel 1 means that you cannot remove flags on
> files where append-only or immutable flags are set, and securelevel cannot
> be lowered on a running system. But on a default installation there are only
> a few files protected by flags.
> This list is from 13.2 amd64:
>
> root@neon ~/ # find -s -x / -flags +schg,sappnd
> /.sujournal
> /lib/libc.so.7
> /lib/libcrypt.so.5
> /lib/libthr.so.3
> /libexec/ld-elf.so.1
> /libexec/ld-elf32.so.1
> /sbin/init
> /usr/bin/chpass
> /usr/bin/crontab
> /usr/bin/login
> /usr/bin/opieinfo
> /usr/bin/opiepasswd
> /usr/bin/passwd
> /usr/bin/su
> /usr/lib/librt.so.1
> /usr/lib32/libc.so.7
> /usr/lib32/libcrypt.so.5
> /usr/lib32/librt.so.1
> /usr/lib32/libthr.so.3
> /var/empty
>
> Log files are not protected.
>
> Kind regards
> Miroslav Lachman
>
> >> On 24 Oct 2023, at 12:19, void <void@f-m.fm> wrote:
> >>
> >> Hi,
> >>
> >> I'd like to set append-only on an arm64 system running stable/14-n265566
> >> (so securelevel=1) but how would newsyslog(8) handle it? How will it rotate
> >> logs?
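
One way to write the enable/disable script mentioned in the reply above, as an added example that is not code from the thread. The manifest file and the function names `set_flags` and `current_securelevel` are assumptions made for illustration; `chflags` and the `kern.securelevel` sysctl are the stock FreeBSD ones.

```shell
#!/bin/sh
# Added example, not code from the thread. MANIFEST is a file you maintain:
# one path per line, lines starting with "#" are comments.

# Print kern.securelevel, or -1 where the sysctl does not exist.
current_securelevel() {
    sysctl -n kern.securelevel 2>/dev/null || echo -1
}

# set_flags lock|unlock MANIFEST
#   lock   -> chflags schg on every listed path that exists
#   unlock -> chflags noschg; refused while securelevel >= 1, because the
#             kernel will not clear system flags at that level
# Set DRY_RUN=1 to print the chflags commands instead of running them.
set_flags() {
    mode=$1; manifest=$2
    case "$mode" in
        lock)   flag=schg ;;
        unlock) flag=noschg ;;
        *) echo "usage: set_flags lock|unlock MANIFEST" >&2; return 2 ;;
    esac
    [ -r "$manifest" ] || { echo "cannot read manifest: $manifest" >&2; return 2; }
    if [ "$mode" = unlock ] && [ "$(current_securelevel)" -ge 1 ]; then
        echo "securelevel >= 1: boot single user before unlocking" >&2
        return 1
    fi
    rc=0
    while IFS= read -r path; do
        case "$path" in ''|'#'*) continue ;; esac
        if [ ! -e "$path" ]; then
            echo "missing, skipped: $path" >&2
            rc=3
            continue
        fi
        ${DRY_RUN:+echo} chflags "$flag" "$path" || rc=4
    done < "$manifest"
    return "$rc"
}

# Run only when called with arguments, e.g.: sh flags.sh lock /root/schg.list
if [ "$#" -ge 2 ]; then
    set_flags "$1" "$2"
fi
```

Run `unlock` from single user mode before installworld/installkernel and `lock` afterwards; a non-zero exit status means a path was missing or a `chflags` call failed.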