Neha Patil (Editor)

Securelevel

Updated on
Edit
Like
Comment
Share on FacebookTweet on TwitterShare on LinkedInShare on Reddit

securelevel is a security mechanism in *BSD kernels, which can optionally restrict certain capabilities. Securelevel is controlled by a sysctl variable kern.securelevel. This value is an integer, which set to a value > 0 enables certain class of restrictions. Any superuser process can raise securelevel, but only init process (and not even that on FreeBSD) can lower it.

When used with FreeBSD jails, each jail maintains its own securelevel in addition to the global securelevel. When evaluated, the higher of the two securelevels will be used. This allows the host environment to run at a lower securelevel than jails, so that it can manipulate file flags that the jails may not be able to.

When compiled with options REGRESSION, a new sysctl is added to the FreeBSD kernel that allows the securelevel to be lowered for the purposes of automated regression testing.

Securelevel is not to be confused with runlevel.

Definitions

On OpenBSD the securelevels are defined as follows:

  • -1 (Permanently insecure mode) is functionally identical to securelevel 0 except the Kernel will never attempt to increase the level as it would in level 0. This effectively disables securelevel protections.
  • 0 (Insecure mode) all devices can be read or written to (if they have appropriate permissions) and system file flags can be cleared using chflags. This mode is typically used while the system is booting, and once boot is completed and system enters multi-user mode, it is elevated to level 1.
  • 1 (Secure mode) this is the default mode when the system is booted into multi-user mode. In this mode the securelevel can not be lowered, the raw memory devices can not be written to, the raw devices of mounted file systems can not be written to, important kernel variables (such as fs.posix.setuid, hw.allowpowerdown, net.inet.ip.sourceroute, machdep.kbdreset, ddb.console, ddb.panic and machdep.allowaperture) are locked down and only GPIO pins that were present during boot may be accessed.
  • 2 (Highly secure mode) has the same effects are securelevel 1, and in addition raw disk devices can not be written to even if unmounted, certain time related functions are locked down so the time cannot be set in the past (to help ensure the times of actions recorded in the logs are useful) and pf rules may not be altered. This mode is designed to provide some semblance of defence in the event that the root user account is compromised.

    • References

    Securelevel Wikipedia
    (Text) CC BY-SA