System Security Profiles and Kernel Security (Securelevels)


Prior to FreeBSD 5.0, FreeBSD was configured to provide a layer of security over its kernel and user process with a mechanism called Securelevels. You chose a securelevel setting at the time you installed FreeBSD, and it enforced protections such as setting the "immutable" flag on the kernel such that even root couldn't delete or overwrite it.

Securelevels have, unfortunately, been proven to be ineffectual (details are at http://www.securiteam.com/unixfocus/5NP0G0AHFC.html), and the securelevel setting has been removed from the standard installation and system configuration procedures in modern versions of FreeBSD. However, the functionality of Securelevels is still present in FreeBSD, and you can still enable it if you want; you might also be responsible for maintaining a legacy FreeBSD system that was configured with what protection Securelevels does provide, which means you need to understand how the feature interacts with your system's operation. This section explains the concepts behind Securelevels for the benefit of such users.

The Mandatory Access Control (MAC) Framework

The phasing out of Securelevels should not be construed to mean that FreeBSD has been made less secure. Rather, users are encouraged to use Mandatory Access Control (MAC) labels, a much more fine-grained and flexible security scheme that allows the administrator to assert a high level of control over users' access to system resources such as files, sockets, and processes.

The configuration of MAC labels, however, is extremely complex and requires a great deal of disciplined study; it's beyond the reach of a book where security is tackled only as a single chapter. If your security needs demand that you work with the MAC framework, a full course in its use can be found in the FreeBSD Handbook, at http://www.freebsd.org/handbook/mac.html.


The FreeBSD kernel runs with five different levels of security, controlled by the kern_securelevel option in /etc/rc.conf: levels -1 through 3. Each of these settings corresponds to a profile that controls such things as whether the kernel can be replaced on the disk, whether kernel modules can be loaded or unloaded, whether certain file permissions and flags can be set or altered, and whether filesystems can be mounted on demand. The profile also controls whether utilities such as the IPFW built-in firewall can be disabled or modified (you learn more about IPFW later in this chapter). As you learned in Chapter 18, "Kernel Configuration," you can raise the securelevel setting only during runtime; you can never lower it, except by rebooting. More information on kernel security can be found in man securelevel.

During installation, you saw a second multilevel network security profile set in FreeBSD. You can see it again in Sysinstall, under Configure, followed by Security. This menu allows you to choose one of two different systemwide security profiles: Medium or Extreme. These profiles control whether services such as Sendmail, sshd, and inetd should be run, and they also have a very rough correspondence to the kernel security levels. Table 30.1 shows a breakdown of each of these security profiles and what options each sets in /etc/rc.conf. The table also includes the Low and High security profiles, which existed until FreeBSD 4.6; if your system was originally installed with an earlier version, you will probably see all four profiles.

Table 30.1. Systemwide Security Profiles

Profile Name    /etc/rc.conf Settings

Low             sendmail_enable="YES"
                sshd_enable="YES"
                portmap_enable="YES"
                inetd_enable="YES"

Medium          sendmail_enable="YES"
                sshd_enable="YES"
                inetd_enable="YES"

High            kern_securelevel="1"
                kern_securelevel_enable="YES"
                sendmail_enable="YES"
                sshd_enable="YES"
                portmap_enable="NO"
                nfs_server_enable="NO"
                inetd_enable="NO"

Extreme         kern_securelevel="2"
                kern_securelevel_enable="YES"
                sendmail_enable="NO"
                sshd_enable="NO"
                portmap_enable="NO"
                nfs_server_enable="NO"
                inetd_enable="NO"

As you might expect, the Extreme profile is restrictive, almost to the point of making the system unusable. The kernel securelevel is set to 2, meaning that the kernel can't be modified (with kernel modules) or replaced without rebooting into single-user mode; the only way to mount or unmount filesystems is explicitly with the mount and umount commands (implicit, on-demand mounting, as with amd, is not allowed). Additionally, inetd, Sendmail, sshd, the NFS server, and other services are not enabled.

The High profile is a little less restrictive, with a securelevel of 1, meaning that filesystems are more easily mountable but the kernel still cannot be modified. Sendmail and sshd are enabled, but the rest of the services from the Extreme profile are not.

Of course, because the security profiles work purely by setting options in /etc/rc.conf, you can mix the settings from Table 30.1 to your taste, creating a security profile that fits the model by which you're running your system.
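Because the profiles are nothing more than rc.conf settings, the useful check on a mixed or legacy system is whether the file still matches the profile it was meant to implement. The following POSIX sh script is an added example, not code from the book or from FreeBSD: it reads an rc.conf, derives the securelevel the boot scripts will apply (assuming kern_securelevel only takes effect when kern_securelevel_enable is YES, with the kernel otherwise left at its default of -1), and lists every Table 30.1 setting that deviates from a named profile. The sample rc.conf is constructed.

```shell
# Added example (not from the book): audit an rc.conf against the profiles in
# Table 30.1. rc_get mirrors the effect of sourcing the file: the last assignment wins.
rc_get() {    # usage: rc_get KEY FILE -> value with quotes stripped, or nothing
    sed -n "s/^[[:space:]]*$1=[\"']\{0,1\}\([^\"']*\)[\"']\{0,1\}.*/\1/p" "$2" | tail -n 1
}

# Securelevel the boot scripts will apply (assumption stated in the lead-in): kern_securelevel
# takes effect only when kern_securelevel_enable is YES; otherwise the kernel stays at -1.
effective_securelevel() {
    if [ "$(rc_get kern_securelevel_enable "$1")" = YES ]; then
        lvl=$(rc_get kern_securelevel "$1"); echo "${lvl:--1}"
    else
        echo -1
    fi
}

# Print "key expected=.. actual=.." for every Table 30.1 setting of PROFILE that
# FILE does not match; return 0 when FILE conforms, 1 when it has drifted.
deviations() {
    file=$1
    case $2 in
        Low)     spec="sendmail_enable=YES sshd_enable=YES portmap_enable=YES inetd_enable=YES" ;;
        Medium)  spec="sendmail_enable=YES sshd_enable=YES inetd_enable=YES" ;;
        High)    spec="kern_securelevel=1 kern_securelevel_enable=YES sendmail_enable=YES
                       sshd_enable=YES portmap_enable=NO nfs_server_enable=NO inetd_enable=NO" ;;
        Extreme) spec="kern_securelevel=2 kern_securelevel_enable=YES sendmail_enable=NO
                       sshd_enable=NO portmap_enable=NO nfs_server_enable=NO inetd_enable=NO" ;;
        *)       echo "unknown profile: $2" >&2; return 2 ;;
    esac
    rc=0
    for kv in $spec; do
        key=${kv%%=*}; want=${kv#*=}; got=$(rc_get "$key" "$file")
        [ "$got" = "$want" ] || { echo "$key expected=$want actual=${got:-unset}"; rc=1; }
    done
    return $rc
}

# Constructed sample, not a real system file: an Extreme profile to which an
# administrator later appended a line re-enabling sshd.
SAMPLE=$(mktemp); trap 'rm -f "$SAMPLE"' EXIT
cat >"$SAMPLE" <<'EOF'
kern_securelevel_enable="YES"
kern_securelevel="2"
sendmail_enable="NO"
sshd_enable="NO"
portmap_enable="NO"
nfs_server_enable="NO"
inetd_enable="NO"
sshd_enable="YES"   # appended later; this is the assignment that takes effect
EOF
if ! deviations "$SAMPLE" Extreme; then echo "rc.conf has drifted from the Extreme profile"; fi
```

Run it against a real /etc/rc.conf by passing that path and the intended profile name to deviations; a non-zero exit means at least one setting no longer matches.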

Caution

Generally, you should never enable a service that you don't think you'll need. If it doesn't serve a useful purpose for you, it is at best useless; at worst, it offers a security vulnerability that opens your system up to security breaches. Therefore, you should play it safe wherever possible.





FreeBSD 6 Unleashed
ISBN: 0672328755
Year: 2006
Pages: 355
Authors: Brian Tiemann
