Re: securelevel 1

From: void <void_at_f-m.fm>
Date: Fri, 27 Oct 2023 02:34:28 UTC
On Thu, Oct 26, 2023 at 11:36:22PM +0200, Dag-Erling Smørgrav wrote:
>void <void@f-m.fm> writes:
>> In order to accomplish what I'd like, I understand that I'd need to set +schg
>> on the individual logs, then set the securelevel afterwards and reboot.
>
>If you set the log file +schg, it can't be written to at all.  That's
>obviously not what you want.

Yes, I'm sorry; I meant to type +sappnd

>If you set it +sappnd, it can be written to, and newsyslog will be able
>to rotate it; an attacker with superuser privileges will also be able to
>replace it with a doctored file.

Yes. But if sappend is set on the required files, and then securelevel=1
is set, then nothing can change the flag while the system is multiuser.
That is, if I'm understanding correctly?

So, on such a system, if I understand correctly, newsyslog would need 
to be turned off.

Am I correct in understanding that securelevel could be lowered to -1
while in single user mode (for eg the purposes of upgrading); one
would have to comment out the securelevel variables in rc.conf
before booting multiuser?

newsyslog could be run on that occasion, then securelevel set to 1
again.

>There is no way to allow one without the other.  The usual solution is
>to log to a remote machine.

That's planned. 
--