22nd December 2009
There0
./dev/null
Join Date: Jul 2008
Posts: 170

Quote:
None of this is necessary or recommended, OpenBSD is already "hardened". Bumping the kern.securelevel will only serve to bite you in the butt.
I completely agree with the first part of your comment Oko, and also with the second part. That said, I DO use securelevel=2 on my firewall. Why? Because I do NOT change a lot on it, not even reloading pf rules. By default after a reboot I am at securelevel=1; I change this manually to 2. That's just me, I like to use it and do believe that in the right circumstances (a firewall) it's beneficial.

If or when I do need to edit/reload something, I log into my firewall locally and "shutdown now" to single-user mode, then "exit" back up, leaving me at securelevel=1. Then I make my changes, confirm them, type "sysctl -w kern.securelevel=2" and finish.

I also use tools like AIDE and SHA checksums on log files, binaries and config files; in addition I run snort and portsentry and a HARD pf.conf file. I also use tools like bwm-ng, pftop, ntop, tcpdump and trafshow to inform me. In addition nessusd and nmap help too.

I use chflags on SOME files, mostly just log files, binaries and config files. chflags are TRICKY and MUST be tested before you deploy; I have had it RUIN some setups with one simple enter ...

Remember that a misconfigured or, worse, unknown user account or buggy service can make your security life hell; even a well-intended rm * (silly example, I know) in the wrong directory could give you a large headache.

That also said, OpenBSD is pretty damn secure by default, and all this may be quite unnecessary, but it makes me feel safer.
__________________
The more you learn, the more you realize how little you know ....
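The poster mentions keeping SHA checksums on log files, binaries and config files. The script below is an added example, not from the post or from OpenBSD, of the minimal form of that idea: record a manifest of checksums for the files you care about, then re-verify it after a maintenance window such as the securelevel drop described above. It assumes POSIX sh with either sha256(1) (OpenBSD) or sha256sum (GNU coreutils), and the file names used in the demo are constructed stand-ins, not real system paths.

```shell
#!/bin/sh
# Added example, not from the post: a checksum manifest for config files,
# in the spirit of the poster's "sha checksums on ... config files".
# Assumes POSIX sh with sha256(1) (OpenBSD) or sha256sum (GNU).

hash_file() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        sha256sum "$1" | cut -d' ' -f1
    fi
}

# Record "<sha256> <path>" for each path into the manifest named by $1.
make_manifest() {
    manifest=$1; shift
    : > "$manifest"
    for f in "$@"; do
        printf '%s %s\n' "$(hash_file "$f")" "$f" >> "$manifest"
    done
}

# Recompute and compare; report CHANGED/MISSING files, return 1 if any differ.
verify_manifest() {
    rc=0
    while read -r want path; do
        if [ ! -f "$path" ]; then
            echo "MISSING $path"; rc=1; continue
        fi
        [ "$(hash_file "$path")" = "$want" ] || { echo "CHANGED $path"; rc=1; }
    done < "$1"
    return $rc
}

# Demo on constructed files in a temp dir (stand-ins for /etc/pf.conf etc.).
demo() {
    dir=$(mktemp -d)
    printf 'block all\n' > "$dir/pf.conf"
    printf 'kern.securelevel=2\n' > "$dir/sysctl.conf"
    make_manifest "$dir/manifest" "$dir/pf.conf" "$dir/sysctl.conf"
    verify_manifest "$dir/manifest" && echo "baseline clean"
    printf 'pass all\n' >> "$dir/pf.conf"     # simulate an unnoticed edit
    verify_manifest "$dir/manifest" || echo "integrity failure detected"
    rm -rf "$dir"
}

demo
```

In practice the manifest belongs somewhere the running system cannot silently rewrite it (read-only media, or a file protected by schg while securelevel is raised), otherwise an edit to the manifest hides an edit to the files.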