smartmontools and kern.securelevel
Warner Losh
imp at bsdimp.com
Fri Feb 23 15:25:13 UTC 2018
On Fri, Feb 23, 2018 at 8:20 AM, Ben RUBSON <ben.rubson at gmail.com> wrote:
> Hi,
>
> I run smartmontools on my storage servers, to launch periodic disk tests
> and alert on disk errors.
>
> Unfortunately, if we set sysctl kern.securelevel >=2, smartmontools does
> not work anymore.
> Certainly because it needs to write directly to raw devices.
> (details of the levels, -1 to 3, in security(7))
>
> Any workaround to this ?
>
> Perhaps we could think about allowing SMART commands to be written to
> disks when sysctl kern.securelevel >=2 ?
> (I assume smartmontools writes SMART commands)
>
Sending raw disks commands is inherently insecure. It's hard to create a
list of those commands that are OK because of the complexity and diversity
of the needed functionality. That complexity also makes it hard to put the
commands into a series of ioctls which could be made more secure.
Warner
More information about the freebsd-scsi
mailing list