/Documentation/seclvl.txt
Plain Text | 97 lines | 66 code | 31 blank | 0 comment | 0 complexity | bc64b7d1aff0714839aa92d80ba9ff25 MD5 | raw file
1BSD Secure Levels Linux Security Module 2Michael A. Halcrow <mike@halcrow.us> 3 4 5Introduction 6 7Under the BSD Secure Levels security model, sets of policies are 8associated with levels. Levels range from -1 to 2, with -1 being the 9weakest and 2 being the strongest. These security policies are 10enforced at the kernel level, so not even the superuser is able to 11disable or circumvent them. This hardens the machine against attackers 12who gain root access to the system. 13 14 15Levels and Policies 16 17Level -1 (Permanently Insecure): 18 - Cannot increase the secure level 19 20Level 0 (Insecure): 21 - Cannot ptrace the init process 22 23Level 1 (Default): 24 - /dev/mem and /dev/kmem are read-only 25 - IMMUTABLE and APPEND extended attributes, if set, may not be unset 26 - Cannot load or unload kernel modules 27 - Cannot write directly to a mounted block device 28 - Cannot perform raw I/O operations 29 - Cannot perform network administrative tasks 30 - Cannot setuid any file 31 32Level 2 (Secure): 33 - Cannot decrement the system time 34 - Cannot write to any block device, whether mounted or not 35 - Cannot unmount any mounted filesystems 36 37 38Compilation 39 40To compile the BSD Secure Levels LSM, seclvl.ko, enable the 41SECURITY_SECLVL configuration option. This is found under Security 42options -> BSD Secure Levels in the kernel configuration menu. 43 44 45Basic Usage 46 47Once the machine is in a running state, with all the necessary modules 48loaded and all the filesystems mounted, you can load the seclvl.ko 49module: 50 51# insmod seclvl.ko 52 53The module defaults to secure level 1, except when compiled directly 54into the kernel, in which case it defaults to secure level 0. To raise 55the secure level to 2, the administrator writes ``2'' to the 56seclvl/seclvl file under the sysfs mount point (assumed to be /sys in 57these examples): 58 59# echo -n "2" > /sys/seclvl/seclvl 60 61Alternatively, you can initialize the module at secure level 2 with 62the initlvl module parameter: 63 64# insmod seclvl.ko initlvl=2 65 66At this point, it is impossible to remove the module or reduce the 67secure level. If the administrator wishes to have the option of doing 68so, he must provide a module parameter, sha1_passwd, that specifies 69the SHA1 hash of the password that can be used to reduce the secure 70level to 0. 71 72To generate this SHA1 hash, the administrator can use OpenSSL: 73 74# echo -n "boogabooga" | openssl sha1 75abeda4e0f33defa51741217592bf595efb8d289c 76 77In order to use password-instigated secure level reduction, the SHA1 78crypto module must be loaded or compiled into the kernel: 79 80# insmod sha1.ko 81 82The administrator can then insmod the seclvl module, including the 83SHA1 hash of the password: 84 85# insmod seclvl.ko 86 sha1_passwd=abeda4e0f33defa51741217592bf595efb8d289c 87 88To reduce the secure level, write the password to seclvl/passwd under 89your sysfs mount point: 90 91# echo -n "boogabooga" > /sys/seclvl/passwd 92 93The September 2004 edition of Sys Admin Magazine has an article about 94the BSD Secure Levels LSM. I encourage you to refer to that article 95for a more in-depth treatment of this security module: 96 97http://www.samag.com/documents/s=9304/sam0409a/0409a.htm