1 This menu allows you to configure the Securelevel mechanism in FreeBSD.
3 Securelevels may be used to limit the privileges assigned to the
4 root user in multi-user mode, which in turn may limit the effects of
5 a root compromise, at the cost of reducing administrative functions.
6 Refer to the security(7) manual page for complete details.
8 -1 Permanently insecure mode - always run the system in level 0
9 mode. This is the default initial value.
11 0 Insecure mode - immutable and append-only flags may be turned
12 off. All devices may be read or written subject to their
15 1 Secure mode - the system immutable and system append-only
16 flags may not be turned off; disks for mounted file systems,
17 /dev/mem, and /dev/kmem may not be opened for writing; kernel
18 modules (see kld(4)) may not be loaded or unloaded.
20 2 Highly secure mode - same as secure mode, plus disks may not
21 be opened for writing (except by mount(2)) whether mounted or
22 not. This level precludes tampering with file systems by
23 unmounting them, but also inhibits running newfs(8) while the
26 In addition, kernel time changes are restricted to less than
27 or equal to one second. Attempts to change the time by more
28 than this will log the message ``Time adjustment clamped to +1
31 3 Network secure mode - same as highly secure mode, plus IP
32 packet filter rules (see ipfw(8) and ipfirewall(4)) cannot be
33 changed and dummynet(4) configuration cannot be adjusted.
35 Securelevels must be used in combination with careful system design and
36 application of protective mechanisms to prevent system configuration
37 files from being modified in a way that compromises the protections of
38 the securelevel variable upon reboot.
projects / FreeBSD / FreeBSD.git / blob