DaemonForums  

6th July 2008, carpman (Shell Scout):

I did read Carpetsmoker's advice but did not want to go down that route unless I had to; in the end I had to try it, but even that did not work.

Edited rc.conf:

Code:
kern_securelevel_enable="YES"
kern_securelevel="1"
(was "2")

Rebooted but still can't change the time:

Code:
# date 0807061851
date: can't reach time daemon, time set locally
Sun 6 Jul 2008 18:51:00 BST

cp# date
Thu 16 Oct 2003 10:50:04 BST


cheers
6th July 2008, richardpl (Spam Deminer):

Post the whole contents of /etc/rc.conf

Post again the output of # sysctl kern.securelevel
6th July 2008, carpman (Shell Scout):

Quote:
Originally Posted by richardpl View Post
Post whole contents of /etc/rc.conf

post again output of # sysctl kern.securelevel
OK, now there is something strange: even though I set it in rc.conf it does not appear to have changed?

Code:
# sysctl kern.securelevel
kern.securelevel: 2

rc.conf:
Code:
# Please make all changes to this file, not to /etc/defaults/rc.conf.
# This file now contains just the overrides from /etc/defaults/rc.conf.
ifconfig_fxp0="inet 85.234.***.** netmask 255.255.255.0"
defaultrouter="85.234.***.*"
hostname="my.domain.com"
keymap="uk.iso"
sshd_enable="YES"
usbd_enable="NO"
syslogd_flags="-ss"
enable_quotas="YES"
check_quotas="NO"
# Security Stuff Weak For Now
#firewall_enable="YES"
#firewall_script="/etc/rc.firewall"
#firewall_type="OPEN"
#firewall_quiet="YES"
#firewall_logging="YES"
kern_securelevel_enable="YES"
kern_securelevel="1"
tcp_extensions="NO"
tcp_keepalive="YES"
icmp_drop_redirect="YES"
icmp_bmcastecho="NO"
icmp_bandlim="YES"
log_in_vain="YES"
accounting_enable="NO"
sendmail_enable="NONE"
postgresql_enable="YES"
mysql_enable="YES"
sendmail_enable="NONE"
named_enable="NO"
# -- sysinstall generated deltas -- # Tue Nov 28 17:39:34 2006
keymap="uk.iso"
sendmail_enable="NONE"
sendmail_enable="NONE"
sendmail_enable="NONE"
smartd_enable="YES"
#firewall_enable="YES"
#firewall_script="/etc/rc.fire"
pf_enable="YES" # Enable PF (load module if required)
pf_rules="/etc/pf.conf" # rules definition file for pf
pf_flags="" # additional flags for pfctl startup
pflog_enable="YES" # start pflogd(8)
pflog_logfile="/var/log/pflog" # where pflogd should store the logfile
pflog_flags="" # additional flags for pflogd startup
sendmail_enable="NONE"
sendmail_enable="NONE"
sendmail_enable="NONE"
webmin_enable="YES"
sendmail_enable="NONE"
#
#ntpdate_enable="YES"
# ntpdate_flags="-b -t -g ntp.rz.uni-karlsruhe.de ntp1.rz.uni-karlsruhe.de"
#ntpdate_flags="-b 1.uk.pool.ntp.org chronos.csr.net audaxsystems.co.uk "
#
openntpd_enable="YES"
openntpd_flags="-s"
cheers
6th July 2008, richardpl (Spam Deminer):

Nasty ex-administrator

Post the output of /etc/sysctl.conf

and the output of the following command:

# cat /etc/defaults/rc.conf |grep securelevel

and just to be sure:

# sysctl security.jail
6th July 2008, carpman (Shell Scout):

Thanks for the reply.

Code:
cat /etc/sysctl.conf
# $FreeBSD: src/etc/sysctl.conf,v 1.8 2003/03/13 18:43:50 mux Exp $
#
# This file is read when going to multi-user and its contents piped thru
# ``sysctl'' to adjust kernel values. ``man 5 sysctl.conf'' for details.
#

# Uncomment this to prevent users from seeing information about processes that
# are being run under another UID.
#security.bsd.see_other_uids=0
net.inet.tcp.log_in_vain=1
net.inet.udp.log_in_vain=1
kern.securelevel=2
net.inet.ip.check_interface=1
net.inet.tcp.recvspace=65535
net.inet.tcp.sendspace=65535
kern.fallback_elf_brand=3
net.inet.tcp.syncookies=0
net.inet.icmp.bmcastecho=0
net.inet.icmp.maskrepl=0
net.inet.icmp.icmplim=200
# LL sugestions
#Increase Mbufs
kern.ipc.nmbclusters=81920

### Decrease the ARP cache cleanup interval
net.link.ether.inet.max_age=1200

### Disable ICMP broadcast echo activity
#net.inet.icmp.bmcastecho=0

### Disable ICMP routing redirects
net.inet.ip.redirect=0

### Disable ICMP broadcast probes
#net.inet.icmp.masqrepl=0

### Disable IP source routing
net.inet.ip.sourceroute=0
net.inet.ip.accept_sourceroute=0

### Feed And Slow Syn Cookie Monster
kern.ipc.somaxconn=1024
#net.inet.tcp.syncookies=1

### Increase TCP send and receive window sizes to at least 32 kbytes
#net.inet.tcp.sendspace=65535
#net.inet.tcp.recvspace=65535

### Additional Un Documented For Now Stuff
#net.inet.tcp.log_in_vain=1
#net.inet.udp.log_in_vain=1
#net.inet.ip.check_interface=1
#kern.fallback_elf_brand=3
#net.inet.icmp.icmplim=200
security.jail.allow_raw_sockets=1
security.jail.sysvipc_allowed=1
security.bsd.see_other_uids=0
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1
net.inet.ip.random_id=1
kern.maxfiles=65536
kern.maxfilesperproc=65536
kern.ipc.somaxconn=8192
net.inet.tcp.sendspace=65535
net.inet.tcp.recvspace=65535
net.inet.udp.recvspace=65535
net.inet.udp.maxdgram=57344
net.inet.tcp.rfc1323=1
net.inet.tcp.delayed_ack=0
net.local.stream.recvspace=65535
net.local.stream.sendspace=65535
kern.ipc.maxsockbuf=2097152

Code:
cat /etc/defaults/rc.conf |grep securelevel
kern_securelevel_enable="YES" # kernel security level (see init(8)),
kern_securelevel="-2" # range: -1..3 ; `-1' is the most insecure
# Note that setting securelevel to 0 will result
# in the system booting with securelevel set to 1, as

Code:
# sysctl security.jail
security.jail.jailed: 0
security.jail.chflags_allowed: 0
security.jail.allow_raw_sockets: 1
security.jail.enforce_statfs: 2
security.jail.sysvipc_allowed: 1
security.jail.socket_unixiproute_only: 1
security.jail.set_hostname_allowed: 1
cheers
7th July 2008, Carpetsmoker (Martin):

Remove (or comment out) the line
kern.securelevel=2
in /etc/sysctl.conf.

The reason the rc script doesn't work is probably that it gets executed after /etc/rc.d/securelevel, which can be fixed easily by adding BEFORE: securelevel to the ntpd startup script ... See rcorder(8).
__________________
UNIX was not designed to stop you from doing stupid things, because that would also stop you from doing clever things.
7th July 2008, robbak (Robert Backhaus):

Quote:
Code:
cat /etc/defaults/rc.conf |grep securelevel
kern_securelevel_enable="YES" # kernel security level (see init(8)),
kern_securelevel="-2" # range: -1..3 ; `-1' is the most insecure
# Note that setting securelevel to 0 will result
# in the system booting with securelevel set to 1, as
Um, yeah. Fix this one up too. You've got an ex-admin that needs a good larting.

Those two lines should be:
Code:
kern_securelevel_enable="NO"	# kernel security level (see init(8)),
kern_securelevel="-1"	# range: -1..3 ; `-1' is the most insecure
Oh, and for future reference, use [code] ... [/code], not [quote] ... [/quote] when posting file contents or screen dumps in future.


(Hmm. Is Lart-ing (Luser Attitude Readjustment Tool -ing) applicable for sysadmins? What is the word for an incompetent sysadmin?? I know - "robbak", right?) <g>.
__________________
The only dumb question is a question not asked.
The only dumb answer is an answer not given.

Last edited by robbak; 7th July 2008 at 03:58 AM.
7th July 2008, carpman (Shell Scout):

Thanks for the replies.

To clarify, I don't need the line:

Code:
kern.securelevel=2
in /etc/sysctl.conf
and

/etc/defaults/rc.conf should be:

Code:
kern_securelevel_enable="NO"	# kernel security level (see init(8)),
kern_securelevel="-1"	# range: -1..3 ; `-1' is the most insecure

Also, the setting in rc.conf overrides that in /etc/defaults/rc.conf?

Changing the entry in sysctl.conf and moving the openntp entry above kern_securelevel="1" in rc.conf resulted in the time being set correctly on boot.

Now this is done, I believe I should have the following setup:

rc.conf
Code:
kern.securelevel="2"

/etc/defaults/rc.conf
Code:
kern_securelevel_enable="NO"	# kernel security level (see init(8)),
kern_securelevel="-1"	# range: -1..3 ; `-1' is the most insecure

/etc/sysctl.conf
Code:
# kern.securelevel="2"
This should still give me secure mode?

many thanks
7th July 2008, Carpetsmoker (Martin):

Quote:
/etc/defaults/rc.conf should be:

Code:
kern_securelevel_enable="NO" # kernel security level (see init(8)),
kern_securelevel="-1" # range: -1..3 ; `-1' is the most insecure

Also, the setting in rc.conf overrides that in /etc/defaults/rc.conf?
Yes to both; /etc/defaults/rc.conf should _NEVER_ be modified, all modifications should be done in /etc/rc.conf.

Quote:
To clarify, I don't need the line:

Code:
kern.securelevel=2
in /etc/sysctl.conf
No, this sets the securelevel to 2 ... But the best way to do this is with rc.conf, and setting it in two different places makes no sense, so this line should be removed.

Quote:
Changing entry in sysctl.conf and moving openntp entry above kern_securelevel="1" in rc.conf resulted in time being set correctly on boot.
It doesn't matter in what order the variables are in /etc/rc.conf.

Quote:
Now this done i believe i should have following setup:
[...]
This should still give me secure mode?
Yes, you can check with:
Code:
% sysctl kern.securelevel
__________________
UNIX was not designed to stop you from doing stupid things, because that would also stop you from doing clever things.
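As an added example (not from the thread, nor part of FreeBSD), a POSIX sh audit that reads the three files Carpetsmoker's two replies above cover (/etc/rc.conf, /etc/defaults/rc.conf, /etc/sysctl.conf) and reports which one is actually forcing the securelevel, flagging the sysctl.conf entry and the edited defaults file. The ROOT prefix and the sample files it builds are constructed assumptions; on a real host you would pass "/".

```shell
# Added example, not from the thread: audit which of /etc/rc.conf,
# /etc/defaults/rc.conf and /etc/sysctl.conf sets the securelevel.
# "$1" is a path prefix (assumption) so the audit can run on a sample tree.

# Last uncommented assignment of KEY in FILE, quotes and trailing comment
# stripped (rc.conf semantics: the last assignment wins).
last_value() {
    key=$(printf '%s' "$2" | sed 's/\./\\./g')
    grep -E "^[[:space:]]*${key}=" "$1" 2>/dev/null | tail -n 1 |
        sed -e 's/^[^=]*=//' -e 's/#.*$//' -e 's/[[:space:]"]//g'
}

# Prints one finding per line (OK/WARN/CONFLICT); always returns 0.
audit_securelevel() {
    rc_on=$(last_value "$1/etc/rc.conf" kern_securelevel_enable)
    rc_lvl=$(last_value "$1/etc/rc.conf" kern_securelevel)
    def_on=$(last_value "$1/etc/defaults/rc.conf" kern_securelevel_enable)
    def_lvl=$(last_value "$1/etc/defaults/rc.conf" kern_securelevel)
    sc_lvl=$(last_value "$1/etc/sysctl.conf" kern.securelevel)
    # sysctl.conf is applied early in boot, long before /etc/rc.d/securelevel,
    # so a level set there is already in force when openntpd -s tries to
    # set the clock.
    if [ -n "$sc_lvl" ]; then
        echo "CONFLICT: /etc/sysctl.conf sets kern.securelevel=$sc_lvl; remove it and keep the setting in /etc/rc.conf"
    fi
    # The stock defaults are NO and -1; anything else means the file was edited.
    if [ "$def_on" != "NO" ] || [ "$def_lvl" != "-1" ]; then
        echo "WARN: /etc/defaults/rc.conf was modified (enable=$def_on level=$def_lvl); restore NO and -1, override in /etc/rc.conf"
    fi
    if [ "$rc_on" = "YES" ] && [ -n "$rc_lvl" ]; then
        echo "OK: /etc/rc.conf requests kern_securelevel=$rc_lvl via /etc/rc.d/securelevel"
    else
        echo "WARN: /etc/rc.conf does not enable a securelevel"
    fi
}

# Constructed sample tree reproducing the state shown in the thread.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/defaults"
    printf '%s\n' 'kern_securelevel_enable="YES"' 'kern_securelevel="1"' \
        'openntpd_enable="YES"' 'openntpd_flags="-s"' > "$d/etc/rc.conf"
    printf '%s\n' 'kern_securelevel_enable="YES" # kernel security level' \
        'kern_securelevel="-2" # range: -1..3' > "$d/etc/defaults/rc.conf"
    printf '%s\n' 'net.inet.tcp.blackhole=2' 'kern.securelevel=2' > "$d/etc/sysctl.conf"
    echo "$d"
}

sample=$(make_sample_tree); audit_securelevel "$sample"; rm -rf "$sample"
```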
7th July 2008, carpman (Shell Scout):

Hello and many thanks for everyone's help, I have sorted the issue and have learnt something.

Date and time are now correct and securelevel is "2":

Code:
cp# sysctl kern.securelevel
kern.securelevel: 2
cp# date
Mon  7 Jul 2008 10:45:15 BST
cp#
cheers
7th July 2008, robbak (Robert Backhaus):

Now that's done, make sure you are either running ntpd (the best way) or regularly running ntpdate, so it keeps the time accurate, and you won't have to do this again.
__________________
The only dumb question is a question not asked.
The only dumb answer is an answer not given.
7th July 2008, J65nko (Administrator):

Robbak, carpman installed OpenNTP, which does not provide ntpdate, it provides rdate.
Starting openntpd with the -s option causes the time to be corrected at boot time.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Tags: clock, date, ntpd, openntpd, securelevel