Do you use securelevel?

vivek

vivek

Most my boxes are running w/o securelevel. I do not run because:
a) Offers no real benefit. Sometime I need to mount something and I do not want to reboot the box.
b) Offers nothing but a false sense of security.

Do you agree?
 
I haven't run an elevated securelevel in a production environment yet. (Then again, I don't administer many FBSD servers.)

But I also don't agree with you. In keeping with the idea of "security in layers," securelevel offers some slick capabilities. The most compelling to me are: making certain binaries and config files really immutable; disallowing changes to packet filtering rulesets.
 
I elevate securelevel and mount everything read-only except /var and /tmp, once I haven't done any config changes to a production machine in a month or so. Works pretty good and you think twice about "optimizing" / "tweaking" a solidly working production machine.
 
vivek said:
Most my boxes are running w/o securelevel. I do not run because:
a) Offers no real benefit. Sometime I need to mount something and I do not want to reboot the box.
b) Offers nothing but a false sense of security.

Do you agree?
Click to expand...

No, I do not agree. Security levels itself are meaningless but in combination with flags, certain partition techniques, and meaningful fstab can improve your security a lot. Can they solve all your problems. No of course not.
 
Hi have a nagios server that monitors lots of servers (FreeBSD, Windows and linux boxes).

This nagios server is configured to use securelevels to avoid change of configuration files.

I also run every x hours a mtree script to be sure there is no file alterations, this is a critical box :)
 
vivek said:
Most my boxes are running w/o securelevel. I do not run because:
a) Offers no real benefit. Sometime I need to mount something and I do not want to reboot the box.
b) Offers nothing but a false sense of security.

Do you agree?
Click to expand...

Securelevels have their place. Your laptop or desktop workstation? No. Externally accessible server that bridges internal and external networks? Absolutely.

Read the security man page. It's well written and provides guidelines about securing a system via the layered onion approach. Remember, no machine is truly secure; it's all about mitigating risk.
 
Of course I use them - at Servers where binaries shouldn't be modified, specially in Jails with chflags.
At a workstation they're maybe useless, maybe
 
You must log in or register to reply here.
Back
Top