.\" $OpenBSD: securelevel.7,v 1.31 2019/08/21 20:44:09 cheloha Exp $
.\"
.\" Copyright (c) 2000 Hugh Graham
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
.\" WARRANTIES, INCLUDING, BUT NOT LIMITED TO, IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
.\" IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
.\" INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
.\" (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
.\" SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd $Mdocdate: August 21 2019 $
.Dt SECURELEVEL 7
.Os
.Sh NAME
.Nm securelevel
.Nd securelevel and its effects
.Sh DESCRIPTION
The
.Ox
kernel provides four levels of system security:
.Bl -tag -width flag
.It \&-1 Em Permanently insecure mode
.Bl -hyphen -compact
.It
.Xr init 8
will not attempt to raise the securelevel
.It
may only be set with
.Xr sysctl 8
while the system is insecure
.It
otherwise identical to securelevel 0
.El
.It \ 0 Em Insecure mode
.Bl -hyphen -compact
.It
used during bootstrapping and while the system is single-user
.It
all devices may be read or written subject to their permissions
.It
system file flags may be cleared with
.Xr chflags 2
.El
.It \ 1 Em Secure mode
.Bl -hyphen -compact
.It
default mode when system is multi-user
.It
securelevel may no longer be lowered except by init
.It
.Pa /dev/mem
and
.Pa /dev/kmem
cannot be opened
.It
raw disk devices of mounted file systems are read-only
.It
system immutable and append-only file flags may not be removed
.It
the
.Va fs.posix.setuid ,
.Va hw.allowpowerdown ,
.Va kern.allowkmem ,
.Va kern.utc_offset ,
.Va net.inet.ip.sourceroute ,
and
.Va machdep.kbdreset
.Xr sysctl 8
variables may not be changed
.It
the
.Va ddb.console ,
.Va ddb.panic ,
and
.Va machdep.allowaperture
.Xr sysctl 8
variables may not be raised
.It
.Xr gpioctl 8
may only access GPIO pins configured at system startup
.El
.It \ 2 Em Highly secure mode
.Bl -hyphen -compact
.It
all effects of securelevel 1
.It
raw disk devices are always read-only whether mounted or not
.It
.Xr settimeofday 2
and
.Xr clock_settime 2
may not set the time backwards or close to overflow
.It
.Xr pf 4
filter and NAT rules may not be altered
.El
.El
.Pp
Securelevel provides convenient means of
.Dq locking down
a system to a degree suited to its environment.
It is normally set at boot by
.Xr rc 8 ,
or the superuser may raise securelevel at any time by modifying the
.Va kern.securelevel
.Xr sysctl 8
variable.
However, only
.Xr init 8
may lower it once the system has entered secure mode.
.Pp
Highly secure mode may seem Draconian, but is intended as a last line of
defence should the superuser account be compromised.
Its effects preclude
circumvention of file flags by direct modification of a raw disk device,
or erasure of a file system by means of
.Xr newfs 8 .
Further, it can limit the potential damage of a compromised
.Dq firewall
by prohibiting the modification of packet filter rules.
Preventing
the system clock from being set backwards aids in post-mortem analysis
and helps ensure the integrity of logs.
Precision timekeeping is not
affected because the clock may still be slowed.
.Pp
Because securelevel can be modified with the in-kernel debugger
.Xr ddb 4 ,
a convenient means of locking it off (if present) is provided
at securelevels 1 and 2.
This is accomplished by setting
.Va ddb.console
and
.Va ddb.panic
to 0 with the
.Xr sysctl 8
utility.
.Sh FILES
.Bl -tag -width /etc/rc.securelevel -compact
.It Pa /etc/rc.securelevel
commands that run before the security level changes
.El
.Sh SEE ALSO
.Xr init 8 ,
.Xr rc 8 ,
.Xr sysctl 8
.Sh HISTORY
The
.Nm
manual page first appeared in
.Ox 2.6 .
.Sh BUGS
The list of securelevel's effects may not be comprehensive.
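As an added illustration that is not part of the original manual page, the following POSIX sh script models the kern.securelevel transition rules stated in the DESCRIPTION (the superuser may raise it, only init(8) may lower it once secure, -1 may be set only while insecure) and audits whether the ddb lock-off settings are in place. The function names and the "unknown" fallback for hosts without these MIBs are this example's own assumptions, not kernel code.

```shell
#!/bin/sh
# Added example: models the securelevel rules described in securelevel(7)
# and audits the ddb lock-off settings. Not kernel code; function names are
# this example's own.

# Would a request to change kern.securelevel from $1 to $2, made by the
# process with pid $3, be accepted under the rules above? 0 = yes, 1 = no.
securelevel_change_allowed() {
    cur=$1; new=$2; pid=$3
    case $new in
        -1|0|1|2) ;;                    # only these four levels exist
        *) return 1 ;;
    esac
    [ "$new" -ge "$cur" ] && return 0   # the superuser may always raise it
    [ "$pid" -eq 1 ] && return 0        # init(8) may lower it at any time
    [ "$cur" -le 0 ] && return 0        # still insecure: -1 may be set
    return 1                            # secure mode: nobody else may lower it
}

# Given kern.securelevel ($1), ddb.console ($2) and ddb.panic ($3), list the
# settings that leave the "last line of defence" incomplete (empty = none).
lockdown_gaps() {
    gaps=""
    [ "$1" -ge 1 ] || gaps="$gaps kern.securelevel"
    [ "$2" -eq 0 ] || gaps="$gaps ddb.console"
    [ "$3" -eq 0 ] || gaps="$gaps ddb.panic"
    printf '%s' "${gaps# }"
}

# Read a live sysctl value; prints "unknown" where the MIB does not exist
# (for example on a non-OpenBSD host).
read_sysctl() {
    sysctl -n "$1" 2>/dev/null || echo unknown
}

# Live audit of this host; only reports when all three MIBs are readable.
level=$(read_sysctl kern.securelevel)
console=$(read_sysctl ddb.console)
panic=$(read_sysctl ddb.panic)
case "$level/$console/$panic" in
    *unknown*) echo "securelevel or ddb sysctls not available on this host" ;;
    *) gaps=$(lockdown_gaps "$level" "$console" "$panic")
       echo "kern.securelevel=$level gaps: ${gaps:-none}" ;;
esac
```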