Securelevel

Securelevels are security configurations that are set in the kernel. Changing the Securelevels defines how restrictive the system should be with regard to system changes.

Enable Securelevels at boot time by adding the following line to /etc/rc.conf:

kern_securelevel_enable="YES"

There are five Securelevels that you can switch between. The higher the Securelevel of your system, the more security features are added. Define the Securelevel by adding kern_securelevel=2 in rc.conf. Here it has been configured to Securelevel 2. After a system restart, the change is active.

In the following the consequences for the system are described for the respective Securelevel:

-1: Default, no additional kernel security.

0: A system that is set to Securelevel "0" only boots with Securelevel "-1" and automatically switches to Securelevel "1" when it reaches multi-user mode (standard operation mode). This is recommended if autostart scripts are used whose execution would be forbidden at Securelevel 1.

1: Provides some basic security functions:

• File flags cannot simply be turned off (see: File flags).
• The user cannot load and unload kernel modules.
• Programs cannot write to memory via devicenodes (/dev/mem and /dev/kmem).
• Devicenode /dev/io cannot be addressed.
• Debugging and panic of the system via the program sysctl is disabled.
• Writing to raw disk devices is prohibited.

2: Properties of "1" with additional properties:

• User cannot write to raw disk devices via devicenode.
• It is forbidden to change the system time by more than one second

3: Includes the features of security levels 1 and 2 and provides additional network security:

• Editing firewall rules is disabled.

Select the appropriate Securelevel

The choice of the Securelevel depends on your needs. If you are constantly making changes and need a flexible system, do not change anything and leave the default Securelevel (-1) active. If you hardly have to configure the system and the system is to be used in a productive environment, it is recommended to set the Securelevel higher. For systems in a production environment that do not require any further system changes, security level 2 is recommended. If your network is also already set and no further firewall changes are required, you can increase the Securelevel to 3.