How to Configure Kernel Secure Levels on FreeBSD Operating System

FreeBSD is an open-source Unix-like operating system known for its robustness, scalability, and security features. One of its older but still useful security mechanisms is the kernel secure level. Secure levels take a fixed set of sensitive operations away from every process, including those running as root, which makes it harder for an attacker who has already gained privileges to tamper with the kernel, the raw disks, or files you have marked immutable. This article explains what secure levels are, what each level actually restricts, how to set and raise them, and how to plan maintenance around them.

Understanding Kernel Secure Levels

What Are Kernel Secure Levels?

Kernel secure levels in FreeBSD restrict certain operations based on the current secure level. The secure level is an integer from -1 to 3, exposed as the sysctl kern.securelevel, and each step up adds restrictions to those of the level below it. It can only be raised, never lowered: any superuser process may raise it, but no process can lower it, so once the system is at a higher level it stays there until the next reboot. Each jail has its own secure level, which may be higher than the host's but never lower.

Secure Level Definitions

Here is a brief overview of the different secure levels and their implications:

  • Secure Level -1 (Permanently Insecure Mode): The initial value of kern.securelevel on every boot, whether the system comes up in single-user or multi-user mode. No secure level restrictions apply. Nothing in the base system raises the level on its own; it stays here unless an administrator, or the rc.conf settings described below, raises it.

  • Secure Level 0 (Insecure Mode): Functionally the same as -1 in FreeBSD: the system immutable and system append-only file flags may still be turned off, kernel modules may be loaded and unloaded, and all devices may be read or written subject to their permissions. The distinction between -1 and 0 is historical; FreeBSD's init(8) never raises the level by itself.

  • Secure Level 1 (Secure Mode): The system immutable (schg) and system append-only (sappnd) flags may not be turned off; the disks backing mounted file systems, /dev/mem and /dev/kmem may not be opened for writing; /dev/io (on platforms that have it) may not be opened at all; kernel modules may not be loaded or unloaded; and the kernel debugger cannot be entered, nor a panic forced, through the debug.kdb sysctls. This is the level that gives schg-flagged files their teeth, and the one most servers should aim for.

  • Secure Level 2 (Highly Secure Mode): Everything in level 1, plus disks may not be opened for writing at all (except by mount(2)), whether or not they are mounted. This stops an attacker from unmounting a file system and editing the raw device, but it also prevents running newfs(8) in multi-user mode. Kernel time changes are limited to one second per adjustment; larger steps are clamped and the kernel logs "Time adjustment clamped to +1 second". Ordinary files such as /etc/rc.conf are not protected by this level unless they carry the schg flag.

  • Secure Level 3 (Network Secure Mode): Everything in level 2, plus the packet filter becomes read-only: IP packet filter rules (ipfw(8), and pf(4) rules loaded with pfctl(8)) cannot be changed and dummynet(4) or pf configuration cannot be adjusted. It does not restrict interface configuration, routing, or ordinary network services; it freezes the firewall rule set.

Why Use Kernel Secure Levels?

Kernel secure levels are a containment measure for the case where an attacker already has root. By raising the level you remove, for every process including root's, the ability to load kernel code, write kernel memory, write to the disks underneath the file systems, and clear the immutable flags on files you have marked with chflags(1). That blocks the easy paths to a kernel rootkit or a backdoored system binary. The mechanism is only as strong as what you mark, though: if /etc/rc.conf, the kernel and the rest of /boot are not flagged schg, an attacker with root can edit the configuration, reboot, and come back at level -1. Treat the secure level and the system file flags as one mechanism.

Configuring Kernel Secure Levels

Checking the Current Secure Level

Before configuring the secure level, it is important to check the current secure level of the system. You can do this using the sysctl command:

sysctl kern.securelevel

This command prints the current secure level. For example, the output kern.securelevel: 0 means the system is at secure level 0. In scripts, sysctl -n kern.securelevel prints just the number.

Setting the Secure Level at Boot Time

The secure level can be set at boot time by adding the kern_securelevel_enable and kern_securelevel variables to the /etc/rc.conf file. The kern_securelevel_enable variable turns the mechanism on, and the kern_securelevel variable sets the desired level; the defaults in /etc/defaults/rc.conf are kern_securelevel_enable="NO" and kern_securelevel="-1". When enabled, the /etc/rc.d/securelevel script raises kern.securelevel near the end of the multi-user boot, after the firewall and sysctl scripts have run, so firewall rules and modules listed in /boot/loader.conf or kld_list are in place before they are locked. In single-user mode the rc scripts do not run, so the system stays at -1.

For example, to set the secure level to 1 at boot time, add the following lines to /etc/rc.conf:

kern_securelevel_enable="YES"
kern_securelevel="1"

After making these changes, reboot the system to apply the new secure level.

Changing the Secure Level at Runtime

Once the system is running, any root process can raise the level with sysctl; the kernel rejects attempts to set a lower value with "Operation not permitted". For example, to raise the secure level from 0 to 1, run as root:

sysctl kern.securelevel=1

Before raising it, load every kernel module you will need (kldstat(8) shows what is loaded), because kldload(8) stops working at level 1, and make sure the firewall rule set is final before going to level 3. The change takes effect immediately and cannot be undone without a reboot.
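The configuration procedure above (read the level rc.conf will set, compare it with the running kernel, raise but never lower) is pulled together in the following added example. It is not part of the original article or of FreeBSD's own rc scripts; the rc.conf fragment is constructed here, and the treatment of a level outside -1..3 as "not raised" is this script's own conservative assumption rather than a statement about /etc/rc.d/securelevel. Off FreeBSD it runs as a dry run.

```shell
#!/bin/sh
# securelevel_preflight.sh (added example): read the secure level an rc.conf
# would set at boot, compare it with the running kern.securelevel, and raise
# the level only when the kernel would accept the change.

# Constructed rc.conf fragment.  rc sources the file as shell, so the last
# assignment of a variable wins; the earlier lines are deliberately overridden.
SAMPLE_RC_CONF='
hostname="bsdhost.example"
kern_securelevel_enable="NO"
kern_securelevel="2"
# the operator later enabled it and settled on level 1
kern_securelevel_enable="YES"
kern_securelevel="1"    # applied by /etc/rc.d/securelevel late in multi-user boot
'

# rcconf_value FILE NAME: last uncommented NAME=value assignment in FILE,
# with one layer of quotes stripped (handles "v", 'v' and bare v).
rcconf_value() {
    sed -n \
        -e "s/^[[:space:]]*$2=\"\([^\"]*\)\".*/\1/p" \
        -e "s/^[[:space:]]*$2='\([^']*\)'.*/\1/p" \
        -e "s/^[[:space:]]*$2=\([^[:space:]#\"']*\).*/\1/p" \
        "$1" | tail -n 1
}

# boot_level FILE: the level the system ends up at after rc has run.
# The kernel starts every boot at -1; rc only raises it when
# kern_securelevel_enable passes rc.subr's checkyesno().  Treating a value
# outside -1..3 as "not raised" is this script's own assumption.
boot_level() {
    enable=$(rcconf_value "$1" kern_securelevel_enable)
    level=$(rcconf_value "$1" kern_securelevel)
    case "$enable" in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) ;;
        *) echo -1; return 0 ;;
    esac
    case "$level" in
        -1|0|1|2|3) echo "$level" ;;
        *) echo -1 ;;
    esac
}

# can_transition CURRENT DESIRED: mirror the kernel's rule (sysctl rejects a
# lower value with EPERM) so the refusal is explained before it happens.
can_transition() {
    case "$2" in
        -1|0|1|2|3) ;;
        *) echo "invalid secure level: $2 (must be -1..3)" >&2; return 1 ;;
    esac
    if [ "$2" -lt "$1" ]; then
        echo "refusing: kern.securelevel can only be raised; $1 -> $2 needs a reboot" >&2
        return 1
    fi
    return 0
}

# running_level: live value from the kernel, or -1 when there is no such
# sysctl (for example when this is run on Linux as a dry run).
running_level() {
    v=$(sysctl -n kern.securelevel 2>/dev/null)
    case "$v" in
        -1|0|1|2|3) echo "$v" ;;
        *) echo -1 ;;
    esac
}

# raise_level DESIRED: raise the running level after the checks pass.
# Anything you still need to kldload must be loaded before calling this.
raise_level() {
    cur=$(running_level)
    can_transition "$cur" "$1" || return 1
    if [ "$1" -le "$cur" ]; then
        echo "already at level $cur; nothing to do"
        return 0
    fi
    if [ "$(uname -s)" != FreeBSD ]; then
        echo "dry run: would run: sysctl kern.securelevel=$1"
        return 0
    fi
    sysctl kern.securelevel="$1"
}

main() {
    tmp=$(mktemp) || exit 1
    printf '%s\n' "$SAMPLE_RC_CONF" > "$tmp"
    echo "level rc.conf would set at boot: $(boot_level "$tmp")"
    echo "level the kernel is running at:  $(running_level)"
    rm -f "$tmp"
    # Typical use on a live system: raise_level 1
}

main "$@"
```

Run it against the real file with boot_level /etc/rc.conf to see what the next reboot will do; the useful check is that the two numbers printed by main agree, because a running level higher than the configured one means someone raised it by hand, and a configured level higher than the running one means the rc script has not run (or a jail is involved).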

Managing Secure Level Restrictions

When the secure level is increased, certain operations become restricted. It is important to understand these restrictions and how they may impact the operation of the system.

File Modifications

At secure level 1 and above the kernel refuses to clear the schg and sappnd file flags, to write /dev/mem, /dev/kmem and the disks under mounted file systems, and to load or unload kernel modules. Files without system flags, including /etc/rc.conf, remain editable by root at every level; conversely, any file you have flagged schg cannot be modified, renamed or deleted by anyone, root included, until the system is rebooted to a lower level. This is what keeps a flagged kernel, system binaries and configuration files safe from a compromised root account (typical candidates are /boot, /bin, /sbin, /usr/bin, /usr/sbin and /etc/rc.conf), and it is also what makes routine updates that touch flagged files, such as kernel installs or freebsd-update, fail at a raised level.

No running process can lower the level, and dropping to single-user mode with shutdown now does not lower it either: only a reboot does, because the kernel starts at -1. The maintenance cycle is therefore to reboot into single-user mode (boot -s at the loader prompt), clear the flags you need to with chflags noschg, make the changes, re-apply the flags, and boot back to multi-user mode, where rc.conf raises the level again.
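The following added example makes the file-flag side of the secure level concrete. It is not from the original article or from FreeBSD; the ls -lo listing it parses is constructed, the file names in it are illustrative, and the live functions only do anything on a FreeBSD host (they use find's -flags primary and chflags, which do not exist elsewhere). It sorts a listing into files a raised level protects and files it does nothing for, and flags the case the text warns about: an unprotected /etc/rc.conf.

```shell
#!/bin/sh
# immutable_audit.sh (added example): which files does a raised secure level
# actually protect?  At kern.securelevel >= 1 only the system flags schg,
# sappnd and sunlnk become permanent; the user flags uchg/uappnd stay
# clearable by the owner, so a file carrying only uchg is not protected
# from a compromised root account.

# Constructed `ls -lo` output (FreeBSD prints the flags column after the
# group, "-" when no flags are set).  These are not real files anywhere.
SAMPLE_LISTING='-r-xr-xr-x  1 root  wheel  schg         12345 Jan  1 12:00 /boot/kernel/kernel
-rw-r--r--  1 root  wheel  -             2048 Jan  1 12:00 /etc/rc.conf
-rw-r--r--  1 root  wheel  uchg          4096 Jan  1 12:00 /etc/motd
-rw-------  1 root  wheel  sappnd      102400 Jan  1 12:00 /var/log/security
-rw-r--r--  1 root  wheel  schg,sunlnk    512 Jan  1 12:00 /etc/ssh/sshd_config'

# classify LISTING KIND: print names whose flag column matches KIND,
# "system" (at least one system flag) or "none" (no system flag, so root
# can change the file at any secure level).  Names may contain spaces.
classify() {
    printf '%s\n' "$1" | awk -v want="$2" '
        NF >= 10 {
            n = split($5, f, ","); sys = 0
            for (i = 1; i <= n; i++) if (f[i] ~ /^(schg|sappnd|sunlnk)$/) sys = 1
            kind = sys ? "system" : "none"
            if (kind == want) {
                name = $10
                for (i = 11; i <= NF; i++) name = name " " $i
                print name
            }
        }'
}

# system_locked LISTING: files frozen at level >= 1 (cannot be modified,
# renamed or removed by anyone, root included, until a reboot to a lower level).
system_locked() { classify "$1" system; }

# unprotected LISTING: files the secure level does nothing for.
unprotected() { classify "$1" none; }

# rcconf_guarded LISTING: succeed only if /etc/rc.conf itself carries a
# system flag.  Otherwise root can set kern_securelevel_enable="NO" and
# reboot straight back to level -1.
rcconf_guarded() {
    system_locked "$1" | grep -qx '/etc/rc.conf'
}

# live_audit DIR...: on FreeBSD, report the running level and every file
# under DIR carrying a system flag (-flags +X matches files with X set).
live_audit() {
    if [ "$(uname -s)" != FreeBSD ]; then
        echo "not FreeBSD; live audit skipped" >&2
        return 0
    fi
    echo "kern.securelevel = $(sysctl -n kern.securelevel)"
    find "$@" -xdev \( -flags +schg -o -flags +sappnd -o -flags +sunlnk \) -exec ls -lod {} +
}

# lock FILE...: apply schg.  Setting the flag works at any level; clearing it
# again (chflags noschg) only works below level 1, i.e. after a reboot into
# single-user mode, so keep a list of what you lock.
lock() {
    if [ "$(uname -s)" != FreeBSD ]; then
        echo "dry run: would run: chflags schg $*"
        return 0
    fi
    chflags schg "$@"
}

main() {
    echo "== protected once the level is raised to 1 or above =="
    system_locked "$SAMPLE_LISTING"
    echo "== not protected by the secure level (no system flag) =="
    unprotected "$SAMPLE_LISTING"
    rcconf_guarded "$SAMPLE_LISTING" ||
        echo "WARNING: /etc/rc.conf has no system flag; the level can be disabled at the next boot"
    live_audit /boot /etc
}

main "$@"
```

On a real host, feed live_audit the directories you believe you have locked and diff the result against the list you keep from lock; a file missing from the output is one that root can still replace, and a file present that you did not expect is one that will block the next update until you reboot into single-user mode.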

Network Operations

Level 3 adds one thing to level 2: the packet filter rule set becomes read-only. ipfw(8) rules, pf(4) rules loaded with pfctl(8), and dummynet(4) configuration cannot be changed. Interface configuration, routing and ordinary network services are not affected. Because /etc/rc.d/securelevel runs after the firewall scripts, the rule files named in rc.conf are loaded before they are frozen, but anything that changes rules at runtime, including a manual pfctl -f or ipfw add and tools that update the rule set on the fly, will fail with "Operation not permitted".

If you need to change firewall rules at level 3, you must reboot; set a lower kern_securelevel in rc.conf first, or boot into single-user mode, make the change, and raise the level again afterwards.

Best Practices for Using Kernel Secure Levels

While kernel secure levels can enhance the security of a FreeBSD system, they should be used with caution. Here are some best practices for using kernel secure levels:

  1. Start with a Lower Secure Level: When first configuring secure levels, start with a lower secure level (e.g., 1) and gradually increase the level as needed. This will allow you to identify any potential issues before they become critical.

  2. Test in a Controlled Environment: Before deploying a system with a high secure level, test the configuration in a controlled environment to ensure that all necessary operations can be performed without issue.

  3. Document Changes: Keep a record of any changes made to the secure level and the reasons for those changes. This will help to ensure that the system remains secure and that any issues can be quickly identified and resolved.

  4. Monitor System Logs: Watch for "Operation not permitted" failures from kldload, chflags and the firewall tools, which usually mean a maintenance task was attempted at a raised level, and at level 2 or above for "Time adjustment clamped to +1 second" kernel messages, which mean ntpd or date tried to step the clock further than the kernel allows and the clock should be synchronized before the level is raised.

  5. Use Other Security Measures: Kernel secure levels are just one aspect of system security. Be sure to implement other security measures, such as firewalls, intrusion detection systems, and regular security updates, to further enhance the security of the system.

Conclusion

Kernel secure levels are a powerful security feature in FreeBSD that can help to protect the system from unauthorized modifications and malicious activities. By understanding how secure levels work and how to configure them, you can enhance the security of your FreeBSD system and reduce the risk of compromise.

When configuring secure levels, it is important to start with a lower level and gradually increase it as needed, test the configuration in a controlled environment, and monitor the system for any issues. By following these best practices, you can ensure that your system remains secure while still allowing for necessary operations and maintenance.

Remember that kernel secure levels are just one part of a comprehensive security strategy. Be sure to implement other security measures and keep the system up to date with the latest security patches to further protect your FreeBSD system.