This is the BSDA Study Guide Book written via a
This is a work in progress. You may contribute to or discuss this specific page at http://bsdwiki.reedmedia.net/wiki/Determine_the_system__39__s_security_level.html.
Determine the system's security level
BSD systems provide security profiles known as securelevels.
- Be able to recognize the restrictions set by each securelevel for each BSD operating system.
- Understand under what circumstances a securelevel can be raised or lowered.
The BSD kernels can limit -- even from the superuser -- a great number of common operations
in order to make a system extremely secure. A system secured in this way is said to be running in a high securelevel.
The five kernel securelevels are given in the
TODO: check each BSD
TODO: maybe put descriptor as bold here:
-1 Permanently insecure mode - always run the system in level 0 mode. This is the default initial value.
0 Insecure mode - immutable and append-only flags may be turned off. All devices may be read or written subject to their permissions.
1 Secure mode - the system immutable and system append-only flags may not be turned off; disks for mounted file systems, /dev/io (if your platform has it) may not be opened for writing; kernel modules (see kld(4)) may not be loaded or unloaded.
2 Highly secure mode - same as secure mode, plus disks may not be opened for writing (except by mount(2)) whether mounted or not. This level precludes tampering with file systems by unmounting them, but also inhibits running newfs(8) while the system is multi-user. In addition, kernel time changes are restricted to less than or equal to one second. Attempts to change the time by more than this amount will log the message "Time adjustment clamped to +1 second".
3 Network secure mode - same as highly secure mode, plus IP packet filter rules (see pfctl(8)) cannot be changed and pf(4) configuration cannot be adjusted.
The securelevel is set when init brings the system up to multi-user mode, and can also be viewed and adjusted "on the fly" via the kern.securelevel sysctl. Note that the securelevel can only be adjusted by the super-user, and can only be adjusted upward, that is, to a more secure level. No one can downgrade a system's securelevel while the system is running (it can be set to change at the next reboot, see below for details).
In addition, on NetBSD the verified exec in-kernel fingerprint table can't be modified.
You can view the current securelevel via sysctl:
# sysctl kern.securelevel
Adding the following lines to rc.conf will cause the system to set a securelevel of 2 on the next boot:
Note that setting securelevel to 0 will result in the system
booting with securelevel set to 1, as init(8) will raise the level when rc(8) completes.
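The raise-only rule for the kern.securelevel sysctl and the boot-time note above can be combined in a small helper. This is an added example, not part of the study guide: the function names and the overridable SYSCTL variable are hypothetical, and the write uses the FreeBSD/OpenBSD form of sysctl(8).

```shell
#!/bin/sh
# Added example, not from the study guide. SYSCTL is overridable (an assumption
# of this sketch) so the logic can be exercised away from a BSD kernel.
: "${SYSCTL:=sysctl}"

# Print the running securelevel as a bare number.
current_securelevel() {
    "$SYSCTL" -n kern.securelevel
}

# Level the system ends up at once rc(8) completes, following the guide's note:
# a configured 0 is raised to 1 by init(8); every other value is kept.
effective_boot_level() {
    if [ "$1" -eq 0 ]; then printf '%s\n' 1; else printf '%s\n' "$1"; fi
}

# raise_securelevel TARGET
# Returns 0 if the system is at TARGET afterwards, 2 if TARGET is below the
# running level (needs a boot-time change and a reboot), 64 for a bad argument,
# 1 for any other failure (for example, not running as the superuser).
raise_securelevel() {
    target=$1
    case $target in
        -1|0|1|2|3) ;;
        *) echo "securelevel must be one of -1 0 1 2 3" >&2; return 64 ;;
    esac
    cur=$(current_securelevel) || return 1
    if [ "$target" -lt "$cur" ]; then
        echo "running at $cur: cannot lower to $target without a reboot" >&2
        return 2
    fi
    if [ "$target" -gt "$cur" ]; then
        # FreeBSD/OpenBSD syntax; NetBSD's sysctl(8) wants -w before name=value.
        "$SYSCTL" kern.securelevel="$target" >/dev/null || return 1
    fi
    # Read the value back instead of trusting the exit status of the write.
    [ "$(current_securelevel)" -eq "$target" ]
}
```

Source the file and call `raise_securelevel 2` as root; a return status of 2 means the requested level is lower than the running one and only a boot-time change can apply it.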
File flags are covered in View and modify file flags.