Date: Wed, 11 Feb 2004 16:13:05 +0100 (CET)
From: roberto@redix.it
To: "Nigel Houghton" <nigel@sourcefire.com>
Cc: freebsd-security@freebsd.org
Subject: Re: Question about securelevel
Message-ID: <1293.192.168.0.77.1076512385.squirrel@mail.redix.it>
In-Reply-To: <Pine.LNX.4.58.0402110748010.604@ragrecevfr.fsrat.fbheprsver.pbz>
References: <1171.192.168.0.77.1076505166.squirrel@mail.redix.it> <Pine.LNX.4.58.0402110748010.604@ragrecevfr.fsrat.fbheprsver.pbz>
>
> Change the "console" line in /etc/ttys from "secure" to "insecure", that
> will make your administrator enter the root password when booting to
> single user.
>
> When using securelevel, you might also want to use a script to set the
> immutable flag on various parts of the file system.
>
> There's also much more to securing a box than just using securelevel.
>

1- OK, I've already set console to insecure; I do not like that single-user mode offers a shell without a password.

2- But instead of setting the immutable flags on several files, it seems to me simpler (and not error-prone) to set the root file system read-only (simple to do) and to find a way that it could not be remounted rw while securelevel == 3!

3- OK, I agree with you: there's also much more to securing a box than just using securelevel, but is using a securelevel + read-only file system a step forward in security?

Regards
Roberto
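The three settings discussed in this thread (console flagged "insecure" in /etc/ttys, a read-only root file system, and the securelevel) can be checked together. The script below is an added example, not part of the original message; the function names, the WANT_LEVEL variable and the sample inputs are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: checks for the three settings discussed in the thread.
# Sample inputs are constructed; on a FreeBSD host you would instead run:
#   audit "$(cat /etc/ttys)" "$(mount)" "$(sysctl -n kern.securelevel)"
WANT_LEVEL=3   # securelevel named in the message; adjust to local policy

# 0 if the console entry in ttys(5) text carries the "insecure" flag.
# Fields are compared whole, since "insecure" contains the string "secure".
console_requires_password() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^#/ { next }
        $1 == "console" {
            found = 1
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^#/) break
                if ($i == "insecure") ok = 1
                if ($i == "secure") ok = 0
            }
        }
        END { if (found && ok) exit 0; exit 1 }'
}

# 0 if mount(8) output shows / with the read-only option.
root_is_readonly() {
    printf '%s\n' "$1" | awk '
        $2 == "on" && $3 == "/" { found = 1; ro = ($0 ~ /\(.*read-only/) }
        END { if (found && ro) exit 0; exit 1 }'
}

# Prints one line per failed check; exit status is the number of failures.
audit() {
    fails=0
    console_requires_password "$1" || { echo "FAIL: console is not 'insecure' in /etc/ttys"; fails=$((fails + 1)); }
    root_is_readonly "$2" || { echo "FAIL: / is not mounted read-only"; fails=$((fails + 1)); }
    [ "$3" -ge "$WANT_LEVEL" ] 2>/dev/null || { echo "FAIL: kern.securelevel=$3, want >= $WANT_LEVEL"; fails=$((fails + 1)); }
    return "$fails"
}

GOOD_TTYS='console none unknown off insecure'
BAD_TTYS='console none unknown off secure'
GOOD_MOUNT='/dev/ad0s1a on / (ufs, local, read-only)
devfs on /dev (devfs, local)'
BAD_MOUNT='/dev/ad0s1a on / (ufs, local)
/dev/ad0s1e on /usr (ufs, local, read-only)'

audit "$GOOD_TTYS" "$GOOD_MOUNT" 3 && echo "hardened sample: all checks pass"
audit "$BAD_TTYS" "$BAD_MOUNT" 1 || echo "default sample: $? check(s) failed"
```

The checks only report the current state; they do not address the open question in the message of preventing a later remount as rw.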