1.\" $OpenBSD: securelevel.7,v 1.21 2007/06/01 16:56:26 jmc Exp $ 2.\" 3.\" Copyright (c) 2000 Hugh Graham 4.\" 5.\" Redistribution and use in source and binary forms, with or without 6.\" modification, are permitted provided that the following conditions 7.\" are met: 8.\" 1. Redistributions of source code must retain the above copyright 9.\" notice, this list of conditions and the following disclaimer. 10.\" 2. Redistributions in binary form must reproduce the above copyright 11.\" notice, this list of conditions and the following disclaimer in the 12.\" documentation and/or other materials provided with the distribution. 13.\" 14.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED 15.\" WARRANTIES, INCLUDING, BUT NOT LIMITED TO, IMPLIED WARRANTIES OF 16.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 17.\" IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, 18.\" INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 19.\" (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 20.\" SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 21.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 22.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING 23.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 24.\" POSSIBILITY OF SUCH DAMAGE. 
25.\" 26.Dd $Mdocdate: June 1 2007 $ 27.Dt SECURELEVEL 7 28.Os 29.Sh NAME 30.Nm securelevel 31.Nd securelevel and its effects 32.Sh DESCRIPTION 33The 34.Ox 35kernel provides four levels of system security: 36.Bl -tag -width flag 37.It \&-1 Em Permanently insecure mode 38.Bl -hyphen -compact 39.It 40.Xr init 8 41will not attempt to raise the securelevel 42.It 43may only be set with 44.Xr sysctl 8 45while the system is insecure 46.It 47otherwise identical to securelevel 0 48.El 49.It \ 0 Em Insecure mode 50.Bl -hyphen -compact 51.It 52used during bootstrapping and while the system is single-user 53.It 54all devices may be read or written subject to their permissions 55.It 56system file flags may be cleared 57.El 58.It \ 1 Em Secure mode 59.Bl -hyphen -compact 60.It 61default mode when system is multi-user 62.It 63securelevel may no longer be lowered except by init 64.It 65.Pa /dev/mem 66and 67.Pa /dev/kmem 68may not be written to 69.It 70raw disk devices of mounted file systems are read-only 71.It 72system immutable and append-only file flags may not be removed 73.It 74kernel modules may not be loaded or unloaded 75.It 76the 77.Va fs.posix.setuid 78.Xr sysctl 8 79variable may not be changed 80.It 81the 82.Va net.inet.ip.sourceroute 83.Xr sysctl 8 84variable may not be changed 85.It 86the 87.Va machdep.kbdreset 88.Xr sysctl 8 89variable may not be changed 90.It 91the 92.Va ddb.console 93and 94.Va ddb.panic 95.Xr sysctl 8 96variables may not be raised 97.It 98the 99.Va machdep.allowaperture 100.Xr sysctl 8 101variable may not be raised 102.El 103.It \ 2 Em Highly secure mode 104.Bl -hyphen -compact 105.It 106all effects of securelevel 1 107.It 108raw disk devices are always read-only whether mounted or not 109.It 110.Xr settimeofday 2 111and 112.Xr clock_settime 2 113may not set the time backwards or close to overflow 114.It 115.Xr pf 4 116filter and NAT rules may not be altered 117.El 118.El 119.Pp 120Securelevel provides convenient means of 121.Dq locking down 122a 
system to a degree suited to its environment. 123It is normally set at boot via the 124.Xr rc.securelevel 8 125script, or the superuser may raise securelevel at any time by modifying the 126.Va kern.securelevel 127.Xr sysctl 8 128variable. 129However, only 130.Xr init 8 131may lower it once the system has entered secure mode. 132A kernel built with 133.Cm option INSECURE 134in the config file will default to permanently insecure mode. 135.Pp 136Highly secure mode may seem Draconian, but is intended as a last line of 137defence should the superuser account be compromised. 138Its effects preclude 139circumvention of file flags by direct modification of a raw disk device, 140or erasure of a file system by means of 141.Xr newfs 8 . 142Further, it can limit the potential damage of a compromised 143.Dq firewall 144by prohibiting the modification of packet filter rules. 145Preventing 146the system clock from being set backwards aids in post-mortem analysis 147and helps ensure the integrity of logs. 148Precision timekeeping is not 149affected because the clock may still be slowed. 150.Pp 151Because securelevel can be modified with the in-kernel debugger 152.Xr ddb 4 , 153a convenient means of locking it off (if present) is provided 154at securelevels 1 and 2. 155This is accomplished by setting 156.Va ddb.console 157and 158.Va ddb.panic 159to 0 with the 160.Xr sysctl 8 161utility. 162.Sh FILES 163.Bl -tag -width /etc/rc.securelevel -compact 164.It Pa /etc/rc.securelevel 165commands that run before the security level changes 166.El 167.Sh SEE ALSO 168.Xr chflags 2 , 169.Xr settimeofday 2 , 170.Xr mem 4 , 171.Xr options 4 , 172.Xr init 8 , 173.Xr rc 8 , 174.Xr sysctl 8 175.Sh HISTORY 176The 177.Nm 178manual page first appeared in 179.Ox 2.6 . 180.Sh BUGS 181The list of securelevel's effects may not be comprehensive. 182
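.Sh EXAMPLES
The following script is an added example and is not part of this manual
page or of the
.Ox
source tree.
It performs, on a running multi-user system, the lock-down the text above
describes: it first closes the
.Xr ddb 4
back door by setting
.Va ddb.console
and
.Va ddb.panic
to 0, then raises
.Va kern.securelevel
to 2, and finally confirms that the kernel now refuses to lower the level
again.
Only the
.Xr sysctl 8
variables named in this page are used; the function names, messages and
command-line interface are the example's own.
Every variable is read back with
.Ic sysctl -n
after it is set, rather than trusting the exit status of
.Xr sysctl 8 ,
so a silently refused change (EPERM) is detected.

```shell
#!/bin/sh
# Added example, not from securelevel(7) or the OpenBSD source tree.
# Raise a running system to securelevel 2 with ddb(4) locked off, then
# verify that the kernel refuses to lower the level again.  Only the
# sysctl variables named in securelevel(7) are used; everything else
# (function names, messages, the CLI) is this example's own invention.

# Print the value of one sysctl variable (-n: value only, no name).
sysctl_get() {
    sysctl -n "$1"
}

# Set a sysctl variable and read it back.  Succeeds only if the kernel
# really accepted the new value; a refused change (EPERM) leaves the old
# value in place and therefore fails here regardless of sysctl(8)'s exit
# status.
sysctl_set() {
    sysctl "$1=$2" >/dev/null 2>&1
    [ "$(sysctl_get "$1")" = "$2" ]
}

# Current securelevel, or "unknown" if kern.securelevel cannot be read.
securelevel_status() {
    level=$(sysctl_get kern.securelevel 2>/dev/null) || level=unknown
    printf '%s\n' "$level"
}

# Lock the system down.  Returns 0 once the system is verified to be at
# securelevel 2, ddb.console and ddb.panic are 0, and an attempt to lower
# the level is refused.
securelevel_lockdown() {
    level=$(securelevel_status)
    case "$level" in
        unknown) echo "cannot read kern.securelevel" >&2; return 1 ;;
        -1) echo "note: kernel is permanently insecure;" \
                 "init(8) will not raise the level at boot" >&2 ;;
        2)  echo "note: already at securelevel 2, re-verifying" >&2 ;;
    esac

    # Lowering ddb.console/ddb.panic is allowed at every level; raising
    # them is refused at levels 1 and 2, so once 0 they stay 0.  Do this
    # before raising the level so no window with ddb reachable remains.
    for var in ddb.console ddb.panic; do
        sysctl_set "$var" 0 || { echo "could not set $var=0" >&2; return 1; }
    done

    # The superuser may always raise the level.
    sysctl_set kern.securelevel 2 ||
        { echo "could not raise kern.securelevel to 2" >&2; return 1; }

    # Negative check: in secure mode only init(8) may lower the level,
    # so this attempt must be refused and the read-back must still be 2.
    if sysctl_set kern.securelevel 1; then
        echo "ERROR: securelevel could be lowered to $(securelevel_status)" >&2
        return 1
    fi
    echo "securelevel $(securelevel_status)," \
         "ddb.console=$(sysctl_get ddb.console)," \
         "ddb.panic=$(sysctl_get ddb.panic)" >&2
    return 0
}

# Entry point.  With no argument only the functions are defined, so the
# file can be sourced by another script or a test harness.
case "${1:-}" in
    status)   securelevel_status ;;
    lockdown) securelevel_lockdown ;;
    "")       ;;
    *)        echo "usage: $0 status|lockdown" >&2 ;;
esac
```

Run it as root on a multi-user system with
.Ic sh securelevel-lockdown.sh lockdown ;
.Ic status
prints the current level.
This raises the level for the running system only; a persistent setting
belongs in
.Xr rc.securelevel 8 ,
as described above.
The negative check at the end is what distinguishes a real lock-down from
a wrapper that merely printed a new value: if the level could be lowered
again, the function reports it and returns non-zero.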