Since 2.1.102 securelevels were removed and capabilities were introduced. However capabilities requere modified vfs. In reality this means that 2.2.xx kerneles are less secure then 2.0.xx. Improved securelevels were added after Solar Designer's secure Linux patch was released for 2.0.33 kernel. In fact, securelevels scheme used in 2.0.3x was never featured in 2.1.xx or 2.2.xx kernels. There were attempts from some individuals like Pavel Machek to add capabilities in ELF headers. However securelevels still remain best way to protect your system. This will probably change somwhere in 2.3.xx or 2.4.0 kernels. Here is quote from secure-linux.2.0.33.diff: "Securelevel limits the capabilities of root, to protect against an intruder wiping out the logs and backdooring the system. On an ext2 filesystem, log files can be marked append-only, and critical system binaries marked immutable. This typically needs special support from /sbin/init to be able to increase securelevel at bootup, and decrease it back when required (for example, by booting into single user mode, which ensures physical access to the system). Unfortunately, with standard Linux kernel it is too easy to get around securelevel. This option adds extra checks to fix the most obvious problems, doesn't allow setting the date when securelevel is increased, and also allows increasing securelevel via sysctl(). Note that it disallows any direct access to the hardware, so you will not be able to start new X servers and svgalib applications after you increase securelevel (such existing processes, if any, will continue running). Sorry, but this is the only way to make securelevel really secure. This doesn't seem to be a problem in places where securelevel is really required -- servers, and not workstations." To have securelevel in 2.2.xx you need patch and securelevel.c that should be started from /etc/rc.d/rc.local (to compile just do gcc -o securelevel securelevel.c> To apply patch do following: cp securelevel2217.diff.gz /usr/src cd /usr/src gzip -cd securelevel2217.diff.gz |patch -p0 cd linux and rebuild your kernel. Do chattr +i and chattr +a on all files you consider important (e.g. /etc/rc.d /usr/ /sbin /bin /lib should be chattr +i -R; /var/log/messages /var/log/kernel should be chattr +a). I also suggest that you apply Solar Designer's patch that can be found at: http://www.openwall.com/linux. Until capabilities are fully implemneted this is the only way to make your sistem really secure. If you need to change something on running system you will have to do following: boot your system from console. At LILO prompt type: linux init=/bin/sh -i (presuiming that your image is named linux)or linux init=/sbin/init 1 After you boot into single user you will be able to perform changes you want to your system. Securelevel scheme first appeared in BSD. NOTE1: IF YOU WANT TO BE ABLE TO DECREASE SECURELEVEL ON RUNNING SYSTEM: Change line in kernel/sysctl.c: if(level < securelevel && current -> pid != 1) to this: if(level < securelevel && MAJOR(current->tty->device) != 4) This way you will be able to decrese securelevel on running system from system consoles. Of course, change securelevel.c where it says: int level = 1; to int level = 0; compile it and name it decrese. If you start it from console you will be able to decrese secure level. After you finish what you wanted you will be able to switch to securelevel 1 once again (simply start original securelevel and everything will be back to normal state). It was quite frustrating to change to single user every time you have something to change. * NOTE! * WARNING! * NOTE! * WARNING! * NOTE! * WARNING! * NOTE! * WARNING! * SECURELEVEL.C WON'T RAISE SECURELEVEL TO 1 UNLESS YOU PATCH AND RECOMPILE YOUR KERNEL. IN OTHER WORDS SECURELEVEL.C IS USELESS UNLESS YOUR KERNEL IS PATCHED AND RECOMPILED!!!!! SECURELEVEL.C IS ALSO USELESS UNLESS YOU MAKE IMPORTANT SYSTEM FILES AND DIRECTORIES CHATTR +i AND SYSLOG FILES CHATTR +A! PATCH IS FOR 2.2.17 BUT SHOULD APPLY FOR 2.2.19 ALSO!!!!! IF YOU DON'T KNOW HOW TO PATCH AND RECOMPILE YOUR KERNEL YOU WON'T NEED THIS EITHER!!!!!!!!!!!!!!!!1 * NOTE! * WARNING! * NOTE! * WARNING! * NOTE! * WARNING! * NOTE! * WARNING! * added 26.9.2004: PATCH FOR 2.6.8.1 Port for linux-2.6.8.1 ext3 attributes included