Hi gang,
Still on FreeBSD-9.1-RELEASE-p4.
The search for more security continues and this time I focussed my attention on the kernel security level (see part 15.3.5).
You can set this security level by using either sysctl or by adding a command to /etc/rc.conf, which I did:
But the moment I had these two lines included I started to see oddities whenever checking my Apache configuration:
I traced this back to the /usr/sbin/service script which is also used by apachectl (which in its turn is another script):
At first I suspected this to be somewhat of a bug in the service script, because if the script detected an error I'd have expected completely different output:
However, I just discovered that there's much more to this than I anticipated. Although the documentation claims that the lines I added to rc.conf are correct, it turns out that they're not.
After rebooting my Chihiro server to confirm my suspicions I got several errors regarding these lines during boot, and after the boot process the kernel security level remained at -1:
My question: where is this going wrong?
My first assumption is obviously the documentation, but surely you should be able to set this up during boot as well? So right now my guess is that the author of that article could be assuming that people use a customized kernel whereas I'm not.
Yet that doesn't make too much sense either since changing the kernel security level should be something supported by the standard kernel as well (at least that's what I came to expect).
Does anyone have a clue as to what is going on here?
Code:
# Security settings; kernel control & system accounting
kern_securelevel_enable = "YES"
kern_securelevel = "1"
#accounting_enable = "YES"
Code:
root@chihiro:/home/peter # apachectl configtest
/etc/rc.conf: kern_securelevel_enable: not found
/etc/rc.conf: kern_securelevel: not found
/etc/rc.conf: kern_securelevel_enable: not found
/etc/rc.conf: kern_securelevel: not found
Performing sanity check on apache22 configuration:
Syntax OK
Code:
root@chihiro:/home/peter # service apache22 status
/etc/rc.conf: kern_securelevel_enable: not found
/etc/rc.conf: kern_securelevel: not found
/etc/rc.conf: kern_securelevel_enable: not found
/etc/rc.conf: kern_securelevel: not found
apache22 is running as pid 1227.
Code:
$ tail -6 `which service`
done
# If the script was not found
echo "$script does not exist in /etc/rc.d or the local startup"
echo "directories (${local_startup})"
exit 1
Code:
$ dmesg -a | grep secure
/etc/rc.conf: kern_securelevel_enable: not found
/etc/rc.conf: kern_securelevel: not found
/etc/rc.conf: kern_securelevel_enable: not found
/etc/rc.conf: kern_securelevel: not found
/etc/rc.conf: kern_securelevel_enable: not found
/etc/rc.conf: kern_securelevel: not found
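An added example for the rc.conf block shown above; it is not part of the original post and runs on a constructed sample file. /etc/rc.conf is sourced by /bin/sh (the rc scripts and /usr/sbin/service both do this), so a line written as `name = "value"` with blanks around the `=` is not an assignment: sh runs a command called `name`, which is exactly the `kern_securelevel: not found` message in the output above, and the variable is never set. The function names `check_rc_conf` and `demo` are chosen for this example; the lint reports every line that sh would not parse as a plain `name="value"` assignment.

```shell
#!/bin/sh
# Added example, not from the original post: a lint for rc.conf-style files.
#
# /etc/rc.conf is sourced by /bin/sh, so a line such as
#     kern_securelevel = "1"
# is not an assignment: sh runs a command named kern_securelevel with the
# arguments '=' and '"1"', prints "kern_securelevel: not found", and the
# variable stays unset. Only name="value", with no blanks around '=', assigns.
# check_rc_conf and demo are names chosen for this example.

tab=$(printf '\t')

# check_rc_conf FILE
# Prints "FILE:LINE: reason: text" for each line that is not a plain
# assignment. Returns 0 if none were found, 1 otherwise.
# (rc.conf may legitimately hold other sh syntax such as if/fi blocks; this
# conservative check reports those too, so review its output by hand.)
check_rc_conf() {
    file=$1
    bad=0
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        # Strip leading blanks, then skip empty lines and comments
        stripped=${line#"${line%%[! $tab]*}"}
        case "$stripped" in
            '' | \#*) continue ;;
        esac
        reason=''
        case "$stripped" in
            *=*)
                name=${stripped%%=*}      # everything before the first '='
                value=${stripped#*=}      # everything after it
                case "$name" in
                    '' | *[!A-Za-z0-9_]*) # a blank (or anything else odd) in the name
                        reason='whitespace or invalid character before =' ;;
                esac
                if [ -z "$reason" ]; then
                    case "$value" in
                        ' '* | "$tab"*)   # name= "value" also executes "value"
                            reason='whitespace after =' ;;
                    esac
                fi ;;
            *)
                reason='no = on the line' ;;
        esac
        if [ -n "$reason" ]; then
            printf '%s:%d: %s: %s\n' "$file" "$n" "$reason" "$line"
            bad=1
        fi
    done < "$file"
    return "$bad"
}

# demo: run the check on a constructed file containing the lines from the
# post plus one correctly written assignment for contrast.
demo() {
    f=$(mktemp) || return 1
    printf '%s\n' \
        '# Security settings; kernel control & system accounting' \
        'kern_securelevel_enable = "YES"' \
        'kern_securelevel = "1"' \
        '#accounting_enable = "YES"' \
        'sshd_enable="YES"' > "$f"
    check_rc_conf "$f" ||
        echo 'fix: write name="value" with no blanks around = (e.g. kern_securelevel="1")'
    rm -f "$f"
}

demo
```

Run it as `sh check_rc_conf.sh` to see the two offending lines from the post reported, or call `check_rc_conf /etc/rc.conf` from a shell that has sourced the file to audit a live configuration before rebooting; a non-zero exit status means at least one line would be executed rather than assigned. The check deliberately stays conservative, flagging anything that is not a bare assignment, because a setting that silently fails to apply (the securelevel staying at -1 after boot) is exactly the kind of error that is easy to miss.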