Protect your GRUB from unauthorized editing with passwords


This post covers GRUB 2; throughout, GRUB means GRUB 2.

If you are a GNU/Linux user, GRUB will be quite familiar to you. It is the first thing you see after you switch on the system. As the expansion of GRUB (GRand Unified Bootloader) suggests, it is a boot loader, and it is very helpful in various situations. Earlier I wrote a post about GRUB and how to modify the way it appears to the user. The other side is security, which is of greater importance. After installation GRUB is open to all, i.e., anybody can edit the GRUB entries and gain superuser privileges. Protecting GRUB with passwords restricts this attack.

First of all let me introduce to you some of the grub scripts included under /etc/grub.d/

00_header
05_debian_theme
10_linux
20_linux_xen
20_memtest86+  
30_os-prober
30_uefi-firmware
40_custom  
41_custom  
README

These are used to generate the grub.cfg file under /boot/grub/ when update-grub is run. Among these we will consider only 00_header, 10_linux, 20_memtest86+ and 30_os-prober.

A superuser must be designated. This user can select all menu entries, edit any item in the GRUB menu during the boot process, and access the GRUB terminal. The superuser is identified as
    set superusers="<user>"
Ex:- set superusers="root"
The format for adding the superuser password and any additional users and passwords is
    password <user> <password>
Ex:- password root 123456
If you wish to add more users, append them after the above line
Ex:- password root 123456
     password tom tom123
     password alen alen

Note: Encryption of passwords will be explained later.

Open /etc/grub.d/00_header and add the following at the bottom of the file. The closing EOF must start at the beginning of its line.
cat << EOF
set superusers="root"
password root 123456
EOF
Each type of OS entry is protected through a different script.

For Linux entries, find the following line in /etc/grub.d/10_linux
    printf "menuentry '${title}' ${CLASS} {\n" "${os}" "${version}"
Add --users '' (an empty user list) to allow permission to the superuser only
    printf "menuentry '${title}' ${CLASS} --users '' {\n" "${os}" "${version}"
Add --users tom to allow permission to superuser+tom
    printf "menuentry '${title}' ${CLASS} --users tom {\n" "${os}" "${version}"
Add --users tom,alen to allow permission to superuser+tom+alen
    printf "menuentry '${title}' ${CLASS} --users tom,alen {\n" "${os}" "${version}"

For other OS entries, find the lines starting with menuentry in /etc/grub.d/30_os-prober and add --users after --class os to the required entries.
For the memory test entry, the modification is to be done inside /etc/grub.d/20_memtest86+ in the following lines
    menuentry "Memory test (memtest86+)" {
    menuentry "Memory test (memtest86+, serial console 115200)" {

Run sudo update-grub after all modifications.
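
To confirm the result after update-grub, the generated grub.cfg can be checked for the settings described above. The script below is an added example, not part of the original post: the function names audit_grub_cfg and sample_cfg, the output tags and the sample config are constructed for illustration, and password_pbkdf2 is GRUB's command for a hashed password entry.

```shell
#!/bin/sh
# Added example: audit a generated grub.cfg for the settings discussed above.
# The output tags (SUPERUSERS, PLAINTEXT_PASSWORD, ...) are this script's own.

audit_grub_cfg() {   # usage: audit_grub_cfg [FILE]   (reads stdin if omitted)
    awk '
    /^[ \t]*set[ \t]+superusers=/ {
        v = $0; sub(/^[^=]*=/, "", v); gsub(/["\047]/, "", v)
        print "SUPERUSERS " v; su = 1; next
    }
    # "password USER SECRET" keeps the secret readable in grub.cfg.
    /^[ \t]*password[ \t]/        { print "PLAINTEXT_PASSWORD " $2; bad = 1; next }
    # "password_pbkdf2 USER HASH" stores a PBKDF2 hash instead.
    /^[ \t]*password_pbkdf2[ \t]/ { print "HASHED_PASSWORD " $2; next }
    /^[ \t]*menuentry[ \t]/ {
        title = "?"
        if (match($0, /["\047][^"\047]*["\047]/))
            title = substr($0, RSTART + 1, RLENGTH - 2)
        if (match($0, /--users[ \t]+[^ \t{]*/)) {
            u = substr($0, RSTART, RLENGTH)
            sub(/^--users[ \t]+/, "", u); gsub(/["\047]/, "", u)
            print "ENTRY [" title "] users=" (u == "" ? "superuser-only" : "superuser," u)
        } else {   # flagged for review: the entry was not edited as described
            print "ENTRY [" title "] no --users option"; bad = 1
        }
    }
    END {
        if (!su) { print "NO_SUPERUSERS"; bad = 1 }
        exit bad + 0
    }
    ' "${1:--}"
}

# Constructed sample resembling update-grub output; not taken from a real system.
sample_cfg() {
    cat <<'EOF'
set superusers="root"
password root 123456
password_pbkdf2 tom grub.pbkdf2.sha512.10000.PLACEHOLDER
menuentry 'Debian GNU/Linux' --class debian --users '' {
menuentry 'Debian GNU/Linux (recovery mode)' --class debian --users tom,alen {
menuentry "Memory test (memtest86+)" {
EOF
}

sample_cfg | audit_grub_cfg || echo "findings present (exit status $?)"
```

On a real system, run audit_grub_cfg /boot/grub/grub.cfg from an account that can read the file; a non-zero exit status means a plaintext password, an entry without --users, or a missing superusers line was found.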

Disable Ctrl-Alt-Del keyboard shutdown command in GNU/Linux


Don't think of this as a flaw in the GNU/Linux system; it can be helpful in many situations. Still, this part plays a vital role in the security of a system. On a GNU/Linux system, pressing Ctrl+Alt+Del causes a shutdown/reboot by default. As I said, this isn't a bad configuration, and most of us may be using it as a shortcut. However, disabling it is pretty important if you don't have the best physical security for the machine. Commenting out the following line/lines will disable the possibility of using the Control-Alt-Delete command to shut down your computer.

In Debian-based distros
    nano /etc/init/control-alt-delete.conf

Comment out the lines in the file so that it looks like

    # control-alt-delete - emergency keypress handling
    #
    # This task is run whenever the Control-Alt-Delete key combination is
    # pressed, and performs a safe reboot of the machine.

    description     "emergency keypress handling"
    #author         "Scott James Remnant <scott@netsplit.com>"

    #start on control-alt-delete

    #task
    #exec shutdown -r now "Control-Alt-Delete pressed"

In Red Hat-based distros
    nano /etc/inittab

Comment out the following line

    ca::ctrlaltdel:/sbin/shutdown -t3 -r now

so that it looks like

    #ca::ctrlaltdel:/sbin/shutdown -t3 -r now

Save the file and log out.