author Robert Watson <rwatson@FreeBSD.org> 2003-12-16 22:55:28 +0000
committer Robert Watson <rwatson@FreeBSD.org> 2003-12-16 22:55:28 +0000
commit 1d1daa2f0023d3dbbdd866e5bbe838b3c85f961b
tree 0b8602e80a23422c2696f8ed6050685d793c16a9 /usr.sbin/sysinstall/help
parent 14d7f69797814aaf50a4be2f0d2bf5d411b3c673
Diffstat (limited to 'usr.sbin/sysinstall/help')
-rw-r--r-- usr.sbin/sysinstall/help/securelevel.hlp 40
1 files changed, 21 insertions, 19 deletions
diff --git a/usr.sbin/sysinstall/help/securelevel.hlp b/usr.sbin/sysinstall/help/securelevel.hlp
index 44fa39b918ab..c0964e439d41 100644
--- a/usr.sbin/sysinstall/help/securelevel.hlp
+++ b/usr.sbin/sysinstall/help/securelevel.hlp
@@ -5,30 +5,32 @@ root user in multi-user mode, which in turn may limit the effects of
a root compromise, at the cost of reducing administrative functions.
Refer to the init(8) manual page for complete details.
- -1 Permanently insecure mode - always run the system in level 0 mode.
- This is the default initial value.
+ -1 Permanently insecure mode - always run the system in level 0
+ mode. This is the default initial value.
- 0 Insecure mode - immutable and append-only flags may be turned off.
- All devices may be read or written subject to their permissions.
+ 0 Insecure mode - immutable and append-only flags may be turned
+ off. All devices may be read or written subject to their
+ permissions.
- 1 Secure mode - the system immutable and system append-only flags may
- not be turned off; disks for mounted file systems, /dev/mem, and
- /dev/kmem may not be opened for writing; kernel modules (see
- kld(4)) may not be loaded or unloaded.
+ 1 Secure mode - the system immutable and system append-only
+ flags may not be turned off; disks for mounted file systems,
+ /dev/mem, and /dev/kmem may not be opened for writing; kernel
+ modules (see kld(4)) may not be loaded or unloaded.
- 2 Highly secure mode - same as secure mode, plus disks may not be
- opened for writing (except by mount(2)) whether mounted or not.
- This level precludes tampering with file systems by unmounting
- them, but also inhibits running newfs(8) while the system is multi-
- user.
+ 2 Highly secure mode - same as secure mode, plus disks may not
+ be opened for writing (except by mount(2)) whether mounted or
+ not. This level precludes tampering with file systems by
+ unmounting them, but also inhibits running newfs(8) while the
+ system is multi- user.
- In addition, kernel time changes are restricted to less than or
- equal to one second. Attempts to change the time by more than this
- will log the message ``Time adjustment clamped to +1 second''.
+ In addition, kernel time changes are restricted to less than
+ or equal to one second. Attempts to change the time by more
+ than this will log the message ``Time adjustment clamped to +1
+ second''.
- 3 Network secure mode - same as highly secure mode, plus IP packet
- filter rules (see ipfw(8) and ipfirewall(4)) cannot be changed and
- dummynet(4) configuration cannot be adjusted.
+ 3 Network secure mode - same as highly secure mode, plus IP
+ packet filter rules (see ipfw(8) and ipfirewall(4)) cannot be
+ changed and dummynet(4) configuration cannot be adjusted.
Securelevels must be used in combination with careful system design and
application of protective mechanisms to prevent system configuration
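Review bot: The re-wrapped level 2 entry now reads `system is multi- user.`, which keeps the old end-of-line hyphen from `multi-` / `user.` and adds a stray space after it. Since the word no longer breaks across lines it should be `multi-user`, matching "multi-user mode" in the context at the top of the hunk. The wording of the other entries is unchanged by the re-wrap, so nothing else here alters what the help text tells an administrator about each securelevel.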