# Copyright 2000 - 2004 George Shaffer
# Anyone may use or modify this code for any purpose PROVIDED
# that as long as it is recognizably derived from this code,
# that this copyright notice, remains intact and unchanged.
# No warrantees of any kind are expressed or implied.

# Lock key system files against change, even by root.
# Run sysunlock from single user mode to reverse.

# If / happens to be mounted read-only, make it writeable.
mount -uw /

# Edit /etc/rc.securelevel so the secure level will be set
# to 2 after booting.
cd /etc
ex rc.securelevel <<- EOF
%s/securelevel=1/securelevel=2/
w
q
EOF

# Make the key system initialization scripts and security auditing
# files immutable.
chflags schg /etc/changelist
chflags schg /etc/daily
chflags schg /etc/inetd.conf
chflags schg /etc/nat.conf
chflags schg /etc/netstart
chflags schg /etc/pf.conf
chflags schg /etc/rc
chflags schg /etc/rc.conf
chflags schg /etc/rc.local
chflags schg /etc/rc.securelevel
chflags schg /etc/rc.shutdown
chflags schg /etc/security
chflags schg /etc/mtree/special

# Make the system binary directories immutable, recursively.
chflags -R schg /bin
chflags -R schg /sbin
chflags -R schg /usr/bin
chflags -R schg /usr/libexec
chflags -R schg /usr/sbin

# Put the system in secure level 2.
sysctl -w kern.securelevel=2