Commit 1da177e4 LT

BSD Secure Levels Linux Security Module
Michael A. Halcrow <mike@halcrow.us>


Introduction

Under the BSD Secure Levels security model, sets of policies are
associated with levels. Levels range from -1 to 2, with -1 being the
weakest and 2 being the strongest; the restrictions are cumulative, so
a level enforces its own policies plus those of every level below it.
These policies are enforced in the kernel, and once the level has been
raised it cannot be lowered again (apart from the optional password
mechanism described under Basic Usage), so not even the superuser can
disable or circumvent them. This hardens the machine against attackers
who gain root access to the system.


Levels and Policies

Level -1 (Permanently Insecure):
  - Cannot increase the secure level; the system stays at this level
    until it is rebooted

Level 0 (Insecure):
  - Cannot ptrace the init process

Level 1 (Default):
  - /dev/mem and /dev/kmem are read-only
  - IMMUTABLE and APPEND extended attributes, if set, may not be unset
  - Cannot load or unload kernel modules
  - Cannot write directly to a mounted block device
  - Cannot perform raw I/O operations
  - Cannot perform network administrative tasks
  - Cannot setuid any file

Level 2 (Secure):
  - Cannot decrement the system time
  - Cannot write to any block device, whether mounted or not
  - Cannot unmount any mounted filesystems


Compilation

To compile the BSD Secure Levels LSM, seclvl.ko, enable the
SECURITY_SECLVL configuration option. This is found under Security
options -> BSD Secure Levels in the kernel configuration menu. Select
it as a module to get seclvl.ko; if it is built directly into the
kernel instead, note the different default secure level described
under Basic Usage.


Basic Usage

Once the machine is in a running state, with all the necessary modules
loaded and all the filesystems mounted, you can load the seclvl.ko
module:

  # insmod seclvl.ko

Load it last: at secure level 1 the module itself can no longer be
unloaded and no other module can be loaded (see Levels and Policies),
so every driver or filesystem module the system needs must already be
in place.

The module defaults to secure level 1, except when compiled directly
into the kernel, in which case it defaults to secure level 0. To raise
the secure level to 2, the administrator writes "2" to the
seclvl/seclvl file under the sysfs mount point (assumed to be /sys in
these examples):

  # echo -n "2" > /sys/seclvl/seclvl

Alternatively, you can initialize the module at secure level 2 with
the initlvl module parameter:

  # insmod seclvl.ko initlvl=2

At this point, it is impossible to remove the module or reduce the
secure level: writing a lower value to seclvl/seclvl is rejected. If
the administrator wishes to have the option of lowering it, he must
provide a module parameter, sha1_passwd, that specifies the SHA1 hash
of the password that can be used to reduce the secure level to 0.

To generate this SHA1 hash, the administrator can use OpenSSL:

  # echo -n "boogabooga" | openssl sha1
  abeda4e0f33defa51741217592bf595efb8d289c

Hash exactly the bytes that will later be written to the passwd file:
the -n keeps echo from appending a newline in both commands. Newer
OpenSSL releases print the digest as "(stdin)= <hex>"; only the hex
digest is passed to the module. Note also that sha1_passwd is a plain,
unsalted SHA1 digest, and the insmod line carrying it is normally
recorded in the shell history, so choose a long password and clear
the history afterwards.

In order to use password-instigated secure level reduction, the SHA1
crypto module must be loaded or compiled into the kernel:

  # insmod sha1.ko

The administrator can then insmod the seclvl module, including the
SHA1 hash of the password:

  # insmod seclvl.ko sha1_passwd=abeda4e0f33defa51741217592bf595efb8d289c

To reduce the secure level, write the password to seclvl/passwd under
your sysfs mount point:

  # echo -n "boogabooga" > /sys/seclvl/passwd
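
The procedure above, wrapped into a few shell functions as an added
example (this is not code from the kernel documentation or from the
seclvl module itself): a hashing helper that sidesteps the echo -n
portability problem and the "(stdin)= " prefix, a raise-and-verify step
that reads the level back from the seclvl file, and a wordlist guess
against a sha1_passwd value to show why the unsalted hash must not leak.
The sysfs root is a parameter so the functions can be exercised on a
constructed directory tree; the fake tree and the wordlist at the
bottom are constructed for the demonstration, and sha1sum or openssl is
assumed to be installed.

```shell
#!/bin/sh
# Added example: shell helpers for the seclvl procedure.  Not part of the
# kernel documentation or the seclvl module.  Assumes sha1sum (coreutils)
# or openssl is available; the sysfs root defaults to /sys but can be
# overridden so the logic can be exercised on a constructed directory.

# Hex SHA-1 of $1, hashing exactly the bytes given (no trailing newline).
# printf is used because "echo -n" is not portable, and the "(stdin)= "
# prefix printed by newer OpenSSL releases is stripped.
seclvl_hash() {
    if command -v sha1sum >/dev/null 2>&1; then
        printf '%s' "$1" | sha1sum | cut -d' ' -f1
    else
        printf '%s' "$1" | openssl dgst -sha1 | sed 's/^.*= *//'
    fi
}

# Current secure level, read from seclvl/seclvl under the sysfs root $1.
seclvl_get() {
    cat "${1:-/sys}/seclvl/seclvl"
}

# Raise the level to $1 (sysfs root in $2) and verify by reading it back.
# The kernel rejects any attempt to lower the level through this file, so
# the function refuses up front instead of producing a failed write.
seclvl_raise() {
    root=${2:-/sys}
    cur=$(seclvl_get "$root") || return 1
    if [ "$1" -le "$cur" ]; then
        echo "seclvl: level is already $cur, refusing to write $1" >&2
        return 1
    fi
    printf '%s' "$1" > "$root/seclvl/seclvl" || return 1
    [ "$(seclvl_get "$root")" = "$1" ]
}

# Build the insmod line for a password.  This is exactly the line that
# ends up in shell history, which is why the password has to survive
# the guessing attack in seclvl_crack below.
seclvl_insmod_line() {
    printf 'insmod seclvl.ko sha1_passwd=%s\n' "$(seclvl_hash "$1")"
}

# Offline guess of the password behind a sha1_passwd value ($1) from a
# wordlist file ($2).  sha1_passwd is an unsalted, single-round SHA-1, so
# anyone who sees the insmod line can run this.  Prints the password.
seclvl_crack() {
    want=$1
    while IFS= read -r cand; do
        if [ "$(seclvl_hash "$cand")" = "$want" ]; then
            printf '%s\n' "$cand"
            return 0
        fi
    done < "$2"
    return 1
}

# Demonstration on a constructed fake sysfs tree and wordlist (no kernel
# involved; on a real system drop the root argument and run as root).
demo_root=$(mktemp -d)
mkdir -p "$demo_root/seclvl"
printf '1' > "$demo_root/seclvl/seclvl"      # default level for seclvl.ko
seclvl_raise 2 "$demo_root" && echo "level now $(seclvl_get "$demo_root")"
seclvl_raise 1 "$demo_root" || echo "lowering refused, as the kernel would"
demo_words=$(mktemp)
printf 'password\nletmein\nboogabooga\nhunter2\n' > "$demo_words"   # constructed
seclvl_crack "$(seclvl_hash boogabooga)" "$demo_words"
rm -rf "$demo_root" "$demo_words"
```

On a real system the raise step is `seclvl_raise 2` with no root argument,
and `seclvl_hash boogabooga` reproduces the digest quoted above. The
guessing function is the caveat in runnable form: with no salt and a
single hash round, a sha1_passwd copied out of .bash_history falls to a
dictionary in seconds, so the password is the only thing protecting the
path back to level 0.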

The September 2004 edition of Sys Admin Magazine has an article about
the BSD Secure Levels LSM. I encourage you to refer to that article
for a more in-depth treatment of this security module:

  http://www.samag.com/documents/s=9304/sam0409a/0409a.htm