diff options
Diffstat (limited to 'Documentation/seclvl.txt')
-rw-r--r-- | Documentation/seclvl.txt | 97 |
1 files changed, 97 insertions, 0 deletions
diff --git a/Documentation/seclvl.txt b/Documentation/seclvl.txt new file mode 100644 index 000000000000..97274d122d0e --- /dev/null +++ b/Documentation/seclvl.txt | |||
@@ -0,0 +1,97 @@ | |||
1 | BSD Secure Levels Linux Security Module | ||
2 | Michael A. Halcrow <mike@halcrow.us> | ||
3 | |||
4 | |||
5 | Introduction | ||
6 | |||
7 | Under the BSD Secure Levels security model, sets of policies are | ||
8 | associated with levels. Levels range from -1 to 2, with -1 being the | ||
9 | weakest and 2 being the strongest. These security policies are | ||
10 | enforced at the kernel level, so not even the superuser is able to | ||
11 | disable or circumvent them. This hardens the machine against attackers | ||
12 | who gain root access to the system. | ||
13 | |||
14 | |||
15 | Levels and Policies | ||
16 | |||
17 | Level -1 (Permanently Insecure): | ||
18 | - Cannot increase the secure level | ||
19 | |||
20 | Level 0 (Insecure): | ||
21 | - Cannot ptrace the init process | ||
22 | |||
23 | Level 1 (Default): | ||
24 | - /dev/mem and /dev/kmem are read-only | ||
25 | - IMMUTABLE and APPEND extended attributes, if set, may not be unset | ||
26 | - Cannot load or unload kernel modules | ||
27 | - Cannot write directly to a mounted block device | ||
28 | - Cannot perform raw I/O operations | ||
29 | - Cannot perform network administrative tasks | ||
30 | - Cannot setuid any file | ||
31 | |||
32 | Level 2 (Secure): | ||
33 | - Cannot decrement the system time | ||
34 | - Cannot write to any block device, whether mounted or not | ||
35 | - Cannot unmount any mounted filesystems | ||
36 | |||
37 | |||
38 | Compilation | ||
39 | |||
40 | To compile the BSD Secure Levels LSM, seclvl.ko, enable the | ||
41 | SECURITY_SECLVL configuration option. This is found under Security | ||
42 | options -> BSD Secure Levels in the kernel configuration menu. | ||
43 | |||
44 | |||
45 | Basic Usage | ||
46 | |||
47 | Once the machine is in a running state, with all the necessary modules | ||
48 | loaded and all the filesystems mounted, you can load the seclvl.ko | ||
49 | module: | ||
50 | |||
51 | # insmod seclvl.ko | ||
52 | |||
53 | The module defaults to secure level 1, except when compiled directly | ||
54 | into the kernel, in which case it defaults to secure level 0. To raise | ||
55 | the secure level to 2, the administrator writes ``2'' to the | ||
56 | seclvl/seclvl file under the sysfs mount point (assumed to be /sys in | ||
57 | these examples): | ||
58 | |||
59 | # echo -n "2" > /sys/seclvl/seclvl | ||
60 | |||
61 | Alternatively, you can initialize the module at secure level 2 with | ||
62 | the initlvl module parameter: | ||
63 | |||
64 | # insmod seclvl.ko initlvl=2 | ||
65 | |||
66 | At this point, it is impossible to remove the module or reduce the | ||
67 | secure level. If the administrator wishes to have the option of doing | ||
68 | so, he must provide a module parameter, sha1_passwd, that specifies | ||
69 | the SHA1 hash of the password that can be used to reduce the secure | ||
70 | level to 0. | ||
71 | |||
72 | To generate this SHA1 hash, the administrator can use OpenSSL: | ||
73 | |||
74 | # echo -n "boogabooga" | openssl sha1 | ||
75 | abeda4e0f33defa51741217592bf595efb8d289c | ||
76 | |||
77 | In order to use password-instigated secure level reduction, the SHA1 | ||
78 | crypto module must be loaded or compiled into the kernel: | ||
79 | |||
80 | # insmod sha1.ko | ||
81 | |||
82 | The administrator can then insmod the seclvl module, including the | ||
83 | SHA1 hash of the password: | ||
84 | |||
85 | # insmod seclvl.ko | ||
86 | sha1_passwd=abeda4e0f33defa51741217592bf595efb8d289c | ||
87 | |||
88 | To reduce the secure level, write the password to seclvl/passwd under | ||
89 | your sysfs mount point: | ||
90 | |||
91 | # echo -n "boogabooga" > /sys/seclvl/passwd | ||
92 | |||
93 | The September 2004 edition of Sys Admin Magazine has an article about | ||
94 | the BSD Secure Levels LSM. I encourage you to refer to that article | ||
95 | for a more in-depth treatment of this security module: | ||
96 | |||
97 | http://www.samag.com/documents/s=9304/sam0409a/0409a.htm | ||