.\" $OpenBSD: securelevel.7,v 1.23 2011/06/24 19:47:48 naddy Exp $
.\"
.\" Copyright (c) 2000 Hugh Graham
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
.\" WARRANTIES, INCLUDING, BUT NOT LIMITED TO, IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
.\" IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
.\" INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
.\" (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
.\" SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd $Mdocdate: June 24 2011 $
.Dt SECURELEVEL 7
.Os
.Sh NAME
.Nm securelevel
.Nd securelevel and its effects
.Sh DESCRIPTION
The
.Ox
kernel provides four levels of system security:
.Bl -tag -width flag
.It \&-1 Em Permanently insecure mode
.Bl -hyphen -compact
.It
.Xr init 8
will not attempt to raise the securelevel
.It
may only be set with
.Xr sysctl 8
while the system is insecure
.It
otherwise identical to securelevel 0
.El
.It \ 0 Em Insecure mode
.Bl -hyphen -compact
.It
used during bootstrapping and while the system is single-user
.It
all devices may be read or written subject to their permissions
.It
system file flags may be cleared with
.Xr chflags 2
.El
.It \ 1 Em Secure mode
.Bl -hyphen -compact
.It
default mode when system is multi-user
.It
securelevel may no longer be lowered except by init
.It
.Pa /dev/mem
and
.Pa /dev/kmem
may not be written to
.It
raw disk devices of mounted file systems are read-only
.It
system immutable and append-only file flags may not be removed
.It
kernel modules may not be loaded or unloaded
.It
the
.Va fs.posix.setuid
.Xr sysctl 8
variable may not be changed
.It
the
.Va hw.allowpowerdown
.Xr sysctl 8
variable may not be changed
.It
the
.Va net.inet.ip.sourceroute
.Xr sysctl 8
variable may not be changed
.It
the
.Va machdep.kbdreset
.Xr sysctl 8
variable may not be changed
.It
the
.Va ddb.console
and
.Va ddb.panic
.Xr sysctl 8
variables may not be raised
.It
the
.Va machdep.allowaperture
.Xr sysctl 8
variable may not be raised
.It
.Xr gpioctl 8
may only access GPIO pins configured at system startup
.El
.It \ 2 Em Highly secure mode
.Bl -hyphen -compact
.It
all effects of securelevel 1
.It
raw disk devices are always read-only whether mounted or not
.It
.Xr settimeofday 2
and
.Xr clock_settime 2
may not set the time backwards or close to overflow
.It
.Xr pf 4
filter and NAT rules may not be altered
.El
.El
.Pp
Securelevel provides convenient means of
.Dq locking down
a system to a degree suited to its environment.
It is normally set at boot via the
.Xr rc.securelevel 8
script, or the superuser may raise securelevel at any time by modifying the
.Va kern.securelevel
.Xr sysctl 8
variable.
However, only
.Xr init 8
may lower it once the system has entered secure mode.
A kernel built with
.Cm option INSECURE
in the config file will default to permanently insecure mode.
.Pp
Highly secure mode may seem Draconian, but is intended as a last line of
defence should the superuser account be compromised.
Its effects preclude
circumvention of file flags by direct modification of a raw disk device,
or erasure of a file system by means of
.Xr newfs 8 .
Further, it can limit the potential damage of a compromised
.Dq firewall
by prohibiting the modification of packet filter rules.
Preventing
the system clock from being set backwards aids in post-mortem analysis
and helps ensure the integrity of logs.
Precision timekeeping is not
affected because the clock may still be slowed.
.Pp
Because securelevel can be modified with the in-kernel debugger
.Xr ddb 4 ,
a convenient means of locking it off (if present) is provided
at securelevels 1 and 2.
This is accomplished by setting
.Va ddb.console
and
.Va ddb.panic
to 0 with the
.Xr sysctl 8
utility.
.Sh FILES
.Bl -tag -width /etc/rc.securelevel -compact
.It Pa /etc/rc.securelevel
commands that run before the security level changes
.El
.Sh SEE ALSO
.Xr options 4 ,
.Xr init 8 ,
.Xr rc 8 ,
.Xr sysctl 8
.Sh HISTORY
The
.Nm
manual page first appeared in
.Ox 2.6 .
.Sh BUGS
The list of securelevel's effects may not be comprehensive.
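Added example, not part of securelevel(7) or of OpenBSD: a POSIX sh fragment that encodes the transition rules described above (raising is always allowed, -1 is only settable while insecure, only init(8) may lower the level once in secure mode) and audits whether ddb(4) has been locked off via ddb.console and ddb.panic at securelevel 1 or 2. The helper read_sysctl and the SYSCTL_CMD override are assumptions of this example so the checks can be exercised on a host without these sysctls.

```shell
#!/bin/sh
# Added example (hypothetical helpers): securelevel(7) rules in checkable form.
# read_sysctl wraps "sysctl -n"; SYSCTL_CMD may be pointed at a stand-in
# shell function so the checks run on a host that lacks these sysctls.
read_sysctl() {
    ${SYSCTL_CMD:-sysctl -n} "$1" 2>/dev/null
}

# securelevel_can_set CUR NEW [CALLER]
# Exit 0 if moving kern.securelevel from CUR to NEW is permitted:
#   - NEW must be one of -1, 0, 1, 2
#   - -1 may only be set while the system is still insecure (CUR < 1)
#   - raising the level is always permitted
#   - once in secure mode (CUR >= 1) only init(8) may lower it
securelevel_can_set() {
    cur=$1; new=$2; caller=${3:-superuser}
    case $new in -1|0|1|2) ;; *) return 1 ;; esac
    if [ "$new" -eq -1 ] && [ "$cur" -ge 1 ]; then return 1; fi
    if [ "$new" -ge "$cur" ]; then return 0; fi
    if [ "$cur" -lt 1 ]; then return 0; fi
    [ "$caller" = init ]
}

# ddb_locked_off
# Exit 0 when the in-kernel debugger is locked off as the page describes:
# ddb.console and ddb.panic are both 0 and the system is at securelevel
# 1 or 2, where those two variables may no longer be raised again.
ddb_locked_off() {
    level=$(read_sysctl kern.securelevel)
    [ "${level:-0}" -ge 1 ] || return 1
    [ "$(read_sysctl ddb.console)" = 0 ] && [ "$(read_sysctl ddb.panic)" = 0 ]
}

# Usage on a real host once it is multi-user:
#   ddb_locked_off || echo "ddb(4) is not locked off" >&2
```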