diff options
Diffstat (limited to 'static/openbsd/man7/securelevel.7')
| -rw-r--r-- | static/openbsd/man7/securelevel.7 | 167 |
1 files changed, 167 insertions, 0 deletions
diff --git a/static/openbsd/man7/securelevel.7 b/static/openbsd/man7/securelevel.7 new file mode 100644 index 00000000..b26ff052 --- /dev/null +++ b/static/openbsd/man7/securelevel.7 @@ -0,0 +1,167 @@ +.\" $OpenBSD: securelevel.7,v 1.32 2025/04/29 17:44:00 jmc Exp $ +.\" +.\" Copyright (c) 2000 Hugh Graham +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED +.\" WARRANTIES, INCLUDING, BUT NOT LIMITED TO, IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. +.\" IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, +.\" INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +.\" (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +.\" SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, +.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING +.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE +.\" POSSIBILITY OF SUCH DAMAGE. +.\" +.Dd $Mdocdate: April 29 2025 $ +.Dt SECURELEVEL 7 +.Os +.Sh NAME +.Nm securelevel +.Nd securelevel and its effects +.Sh DESCRIPTION +The +.Ox +kernel provides four levels of system security: +.Bl -tag -width flag +.It \&-1 Em Permanently insecure mode +.Bl -hyphen -compact +.It +.Xr init 8 +will not attempt to raise the securelevel +.It +may only be set with +.Xr sysctl 8 +while the system is insecure +.It +otherwise identical to securelevel 0 +.El +.It \ 0 Em Insecure mode +.Bl -hyphen -compact +.It +used during bootstrapping and while the system is single-user +.It +all devices may be read or written subject to their permissions +.It +system file flags may be cleared with +.Xr chflags 2 +.El +.It \ 1 Em Secure mode +.Bl -hyphen -compact +.It +default mode when system is multi-user +.It +securelevel may no longer be lowered except by init +.It +.Pa /dev/mem +and +.Pa /dev/kmem +cannot be opened +.It +raw disk devices of mounted file systems are read-only +.It +system immutable and append-only file flags may not be removed +.It +the +.Va hw.allowpowerdown , +.Va kern.allowkmem , +.Va kern.utc_offset , +.Va net.inet.ip.sourceroute , +and +.Va machdep.kbdreset +.Xr sysctl 8 +variables may not be changed +.It +the +.Va ddb.console , +.Va ddb.panic , +and +.Va machdep.allowaperture +.Xr sysctl 8 +variables may not be raised +.It +.Xr gpioctl 8 +may only access GPIO pins configured at system startup +.El +.It \ 2 Em Highly secure mode +.Bl -hyphen -compact +.It +all effects of securelevel 1 +.It +raw disk devices are always read-only whether mounted or not +.It +.Xr settimeofday 2 +and +.Xr clock_settime 2 +may not set the time backwards or close to overflow +.It +.Xr pf 4 +filter and NAT rules may not be altered +.El +.El +.Pp +Securelevel provides convenient means of +.Dq locking down +a system to a degree suited to its environment. +It is normally set at boot by +.Xr rc 8 , +or the superuser may raise securelevel at any time by modifying the +.Va kern.securelevel +.Xr sysctl 8 +variable. +However, only +.Xr init 8 +may lower it once the system has entered secure mode. +.Pp +Highly secure mode may seem Draconian, but is intended as a last line of +defence should the superuser account be compromised. +Its effects preclude +circumvention of file flags by direct modification of a raw disk device, +or erasure of a file system by means of +.Xr newfs 8 . +Further, it can limit the potential damage of a compromised +.Dq firewall +by prohibiting the modification of packet filter rules. +Preventing +the system clock from being set backwards aids in post-mortem analysis +and helps ensure the integrity of logs. +Precision timekeeping is not +affected because the clock may still be slowed. +.Pp +Because securelevel can be modified with the in-kernel debugger +.Xr ddb 4 , +a convenient means of locking it off (if present) is provided +at securelevels 1 and 2. +This is accomplished by setting +.Va ddb.console +and +.Va ddb.panic +to 0 with the +.Xr sysctl 8 +utility. +.Sh FILES +.Bl -tag -width /etc/rc.securelevel -compact +.It Pa /etc/rc.securelevel +commands that run before the security level changes +.El +.Sh SEE ALSO +.Xr init 8 , +.Xr rc 8 , +.Xr sysctl 8 +.Sh HISTORY +The +.Nm +manual page first appeared in +.Ox 2.6 . +.Sh BUGS +The list of securelevel's effects may not be comprehensive. |