On 2023/01/20 18:14, Crystal Kolipe wrote:
> On Fri, Jan 20, 2023 at 01:15:29PM -0700, Theo de Raadt wrote:
> > Todd C. Miller <[email protected]> wrote:
> > > I wonder if it makes sense to have a version of sysctl.conf that
> > > only gets used for the next reboot and then is removed, kind of
> > > like /etc/rc.firsttime. Maybe call it /etc/sysctl.once.
> >
> > Well you are shown the change at boot, and it is visible in dmesg -s,
> > which should be good enough.
>
> Otherwise, something like this might be useful for test machines:
Test machines are less of a problem, because they're test machines.
Machines where things have been enabled to debug a problem and then
forgotten are a bigger issue.
I'm not convinced that something visible only on a monitor helps much.
How about security(8) though?
Index: share/man/man8/security.8
===================================================================
RCS file: /cvs/src/share/man/man8/security.8,v
retrieving revision 1.26
diff -u -p -r1.26 security.8
--- share/man/man8/security.8 13 Jul 2017 19:16:33 -0000 1.26
+++ share/man/man8/security.8 21 Jan 2023 10:40:37 -0000
@@ -79,6 +79,10 @@ to protect the programs in
# chown root:wheel /etc/mtree/bin.secure
# chmod 600 /etc/mtree/bin.secure
.Ed
+.It
+Check for insecure
+.Xr sysctl 2
+values.
.Pp
.Sy Note:
These checks do not provide complete protection against
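Review bot: the new .It entry only says "Check for insecure sysctl values", while the script side nags on two specific variables; naming them in the man page (kern.securelevel at or below 0, kern.allowkmem set to 1 or higher) would tell an administrator reading security(8) what the daily report is reacting to and what to change to clear it. Something like "Check that kern.securelevel and kern.allowkmem have secure values." keeps the entry short and still makes the check findable with a grep of the page.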
Index: libexec/security/security
===================================================================
RCS file: /cvs/src/libexec/security/security,v
retrieving revision 1.41
diff -u -p -r1.41 security
--- libexec/security/security 11 Oct 2020 18:28:17 -0000 1.41
+++ libexec/security/security 21 Jan 2023 10:40:37 -0000
@@ -299,6 +299,18 @@ sub check_ksh {
}
}
+sub check_sysctl {
+ $check_title = "Checking sysctl values:";
+ my $securelevel = `sysctl -n kern.securelevel`;
+ chomp $securelevel;
+ nag $securelevel le 0,
+ "kern.securelevel=$securelevel (not secure).";
+ my $allowkmem = `sysctl -n kern.allowkmem`;
+ chomp $allowkmem;
+ nag $allowkmem ge 1,
+ "kern.allowkmem=$allowkmem (userland can access kernel memory).";
+}
+
# Uudecode should not be in the /etc/mail/aliases file.
sub check_mail_aliases {
my $filename = '/etc/mail/aliases';
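Review bot: the two nag conditions use le and ge, which are Perl's string comparison operators, on values that are integers; they give the intended answer here only because string order happens to match numeric order for the small values involved, so the numeric <= and >= say what is meant and do not depend on that coincidence. Related: if the backtick command fails, $securelevel is the empty string, "" le 0 is true, and the report prints "kern.securelevel= (not secure)."; testing $? after each `sysctl -n`, or checking length $securelevel before comparing, avoids a misleading line in the daily mail. Since the backtick-plus-chomp sequence is repeated verbatim for both variables, a small helper such as
  my $securelevel = sysctl_value('kern.securelevel');
would also make adding further variables a one-line change.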
@@ -910,6 +922,7 @@ backup_passwd;
check_group;
check_csh;
check_ksh(check_sh);
+check_sysctl;
$check_title = "Checking configuration files:";
check_mail_aliases;
check_hostname_if;