# Do you use securelevel?



## vivek (Mar 17, 2009)

Most of my boxes are running w/o securelevel. I do not run it because:
a) Offers no real benefit. Sometimes I need to mount something and I do not want to reboot the box.
b) Offers nothing but a false sense of security. 

Do you agree?


----------



## anomie (Mar 17, 2009)

I haven't run an elevated securelevel in a production environment yet. (Then again, I don't administer many FBSD servers.) 

But I also don't agree with you. In keeping with the idea of "security in layers," securelevel offers some slick capabilities. The most compelling to me are: making certain binaries and config files _really_ immutable; disallowing changes to packet filtering rulesets.


----------



## Mel_Flynn (Mar 18, 2009)

I elevate securelevel and mount everything read-only except /var and /tmp, once I haven't done any config changes to a production machine in a month or so. Works pretty good and you think twice about "optimizing" / "tweaking" a solidly working production machine.


----------



## Oko (Mar 18, 2009)

vivek said:

> Most of my boxes are running w/o securelevel. I do not run it because:
> a) Offers no real benefit. Sometimes I need to mount something and I do not want to reboot the box.
> b) Offers nothing but a false sense of security.
> 
> Do you agree?



No, I do not agree. Security levels themselves are meaningless, but in combination with flags, certain partition techniques, and a meaningful fstab they can improve your security a lot. Can they solve all your problems? No, of course not.


----------



## Maurovale (Mar 21, 2009)

Hi, I have a nagios server that monitors lots of servers (FreeBSD, Windows and Linux boxes).

This nagios server is configured to use securelevels to avoid changes to configuration files.

I also run an mtree script every x hours to be sure there are no file alterations; this is a critical box.


----------
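
An added example, not part of any post in this thread: the "really immutable" files anomie mentions and the protected configuration files Maurovale describes both rest on the `schg` flag, which root can clear again unless `kern.securelevel` is 1 or higher. The script classifies files from FreeBSD `ls -lod` output on that basis; the function names and the sample listing (including the Nagios path) are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread.
# Classifies files by whether the schg (system immutable) flag is set AND
# whether the given securelevel stops root from clearing it again.

# classify_flags LEVEL  -- reads FreeBSD `ls -lod` lines on stdin.
# Long format with -o: mode links owner group FLAGS size mon day time name
classify_flags() {
    awk -v level="$1" '
    NF >= 10 {
        # Rebuild the file name in case it contains spaces.
        name = $10
        for (i = 11; i <= NF; i++) name = name " " $i
        # FLAGS is a comma-separated list, or "-" when no flag is set.
        has = 0
        n = split($5, f, ",")
        for (i = 1; i <= n; i++) if (f[i] == "schg") has = 1
        if (!has)            state = "MUTABLE"    # no schg at all
        else if (level >= 1) state = "ENFORCED"   # flag cannot be removed
        else                 state = "CLEARABLE"  # root can chflags noschg
        print state, name
    }'
}

# Constructed sample listing (not taken from a real host).
sample_listing() {
    cat <<'EOF'
-r-xr-xr-x  1 root  wheel  schg 1234 Mar 17  2009 /sbin/init
-rw-r--r--  1 root  wheel  - 2345 Mar 17 12:00 /etc/pf.conf
-rw-r--r--  1 root  wheel  schg,uarch 512 Mar 17 12:00 /usr/local/etc/nagios/nagios.cfg
EOF
}

# On a FreeBSD host the input would come from the live system:
#   ls -lod /sbin/init /etc/pf.conf | classify_flags "$(sysctl -n kern.securelevel)"
echo "securelevel -1:"; sample_listing | classify_flags -1
echo "securelevel 1:";  sample_listing | classify_flags 1
```

Files reported as CLEARABLE carry the flag but gain nothing from it against a root-level intruder until the securelevel is raised.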



## gordon@ (Mar 30, 2009)

vivek said:

> Most of my boxes are running w/o securelevel. I do not run it because:
> a) Offers no real benefit. Sometimes I need to mount something and I do not want to reboot the box.
> b) Offers nothing but a false sense of security.
> 
> Do you agree?



Securelevels have their place. Your laptop or desktop workstation? No. Externally accessible server that bridges internal and external networks? Absolutely.

Read the security man page. It's well written and provides guidelines about securing a system via the layered onion approach. Remember, no machine is truly secure; it's all about mitigating risk.


----------



## rghq (Mar 30, 2009)

Of course I use them - on servers where binaries shouldn't be modified, especially in jails with chflags.
On a workstation they're maybe useless, maybe.


----------

