Password protection for the BIOS and the boot loader can prevent
unauthorized users who have physical access to your systems from booting
from removable media or attaining root through single user mode. But the
security measures one should take to protect against such attacks
depend both on the sensitivity of the information the workstation holds
and the location of the machine.
For instance, if a machine is used in a trade show and contains no
sensitive information, then it may not be critical to prevent such
attacks. However, if an employee's laptop with private, non-password
protected SSH keys for the corporate network is left unattended at that
same trade show, it can lead to a major security breach with
ramifications for the entire company.
On the other hand, if the workstation is located in a place where
only authorized or trusted people have access, then securing the BIOS or
the boot loader may not be necessary at all.
4.2.1. BIOS Passwords
The following are the two primary reasons for password protecting the
BIOS of a computer[1]:
Prevent Changes to BIOS Settings — If an
intruder has access to the BIOS, they can set it to boot off of a
diskette or CD-ROM. This makes it possible for them to enter
rescue mode or single user mode, which in turn allows them to seed
nefarious programs on the system or copy sensitive data.
Prevent System Booting — Some BIOSes
allow you to password protect the boot process itself. When activated,
an attacker is forced to enter a password before the BIOS launches
the boot loader.
Because the methods for setting a BIOS password vary between computer
manufacturers, consult the manual for your computer for instructions.
If you forget the BIOS password, it can often be reset either with
jumpers on the motherboard or by disconnecting the CMOS battery. For
this reason it is good practice to lock the computer case if possible.
However, consult the manual for the computer or motherboard before
attempting this procedure.
4.2.2. Boot Loader Passwords
The following are the primary reasons for password protecting a Linux
boot loader:
Prevent Access to Single User Mode
— If an attacker can boot into single user mode, he becomes
the root user.
Prevent Access to the GRUB Console
— If the machine uses GRUB as its boot loader, an attacker
can use the GRUB editor interface to change its
configuration or to gather information using the cat command.
Prevent Access to Non-Secure Operating
Systems — If it is a dual-boot system, an attacker
can select at boot time an operating system, such as DOS,
which ignores access controls and file permissions.
There are two boot loaders that ship with Red Hat Linux for the x86 platform,
GRUB and LILO. For a detailed look at each of these boot loaders, consult
the chapter titled Boot Loaders in the
Red Hat Linux Reference Guide.
4.2.2.1. Password Protecting GRUB
You can configure GRUB to address the first two issues listed in
Section 4.2.2 Boot Loader Passwords by adding a password
directive to its configuration file. To do this, first decide on a
password, then open a shell prompt, log in as root, and run
/sbin/grub-md5-crypt.
When prompted, type the GRUB password and press
[Enter]. This will return an MD5 hash of the
password.
Next, edit the GRUB configuration file
/boot/grub/grub.conf. Open the file and below
the timeout line in the main section of the
document, add the following line:
password --md5 <password-hash>
Replace <password-hash> with the value
returned by /sbin/grub-md5-crypt[2].
The next time you boot the system, the GRUB menu will not let you
access the editor or command interface without first pressing
[p] followed by the GRUB password.
Unfortunately, this solution does not prevent an attacker from
booting into a non-secure operating system in a dual-boot
environment. For this you need to edit a different part of the
/boot/grub/grub.conf file.
Look for the title line of the
non-secure operating system and add a line that says
lock directly beneath it.
For a DOS system,
the stanza should begin similar to the following:
Warning: You must have a password line in
the main section of the /boot/grub/grub.conf
file for this to work properly. Otherwise an attacker will be able
to access the GRUB editor interface and remove the lock line.
If you wish to have a different password for a particular kernel or
operating system, add a lock line to
the stanza followed by a password line.
Each stanza you protect with
a unique password should begin with lines similar to the following example:
title DOS
lock
password --md5 <password-hash>
Finally, remember that the /boot/grub/grub.conf
file is world-readable by default. It is a good idea to change this,
as it has no effect on the functionality of GRUB, by typing the
following command as root:
chmod 600 /boot/grub/grub.conf
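The GRUB rules above (a password line in the main section, --md5 hashing, and lock only being effective when the main-section password exists) can be checked mechanically. The following is an added example, not part of the Red Hat guide; the function name audit_grub_conf and the sample file are constructed for illustration.

```python
import re

# Constructed sample in legacy grub.conf syntax; the hash is a placeholder.
SAMPLE = """\
default=0
timeout=10
password --md5 <password-hash>
title Red Hat Linux
    root (hd0,0)
    kernel /vmlinuz-<version> ro root=/dev/hda2
title DOS
    lock
    rootnoverify (hd0,1)
    chainloader +1
"""


def audit_grub_conf(text):
    """Return findings for a legacy grub.conf passed as text."""
    findings = []
    main_password = False
    stanzas = []  # [title, has_lock], in file order
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        word = re.split(r"[\s=]+", line, maxsplit=1)[0]
        if word == "title":
            stanzas.append([line[len("title"):].strip(), False])
        elif word == "password":
            # Without --md5 the password is stored in the file as clear text.
            if "--md5" not in line.split():
                findings.append("password directive without --md5")
            if not stanzas:
                main_password = True  # appears before the first title
        elif word == "lock" and stanzas:
            stanzas[-1][1] = True
    if not main_password:
        findings.append("no password in main section: editor is open")
    for title, has_lock in stanzas:
        # Per the warning above: lock is removable without a main password.
        if has_lock and not main_password:
            findings.append(f"{title}: lock without a main-section password")
    return findings


if __name__ == "__main__":
    for finding in audit_grub_conf(SAMPLE):
        print(finding)
```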
4.2.2.2. Password Protecting LILO
LILO is a much simpler boot loader than GRUB and does not offer a
command interface, so you need not worry about an attacker gaining
interactive access to the system before the kernel is
loaded. However, there is still the danger of attackers booting in
single-user mode or booting into an insecure operating system.
You can configure LILO to ask for a password before booting any
operating system or kernel on the system by adding a password
directive to the global section of its configuration
file. To do this, open a shell prompt, log in as root, and edit
/etc/lilo.conf. Before the first
image stanza, add a password
directive similar to this:
In the above directive, replace the word
<password> with your password.
Important: Anytime you edit /etc/lilo.conf, you must run
the /sbin/lilo -v -v command for the changes to
take effect. If you have configured a password and anyone other than
root can read the file, LILO will install, but will alert you that
the permissions on the configuration file are wrong.
If you do not want a global password, you can apply the password
directive to any stanza corresponding to any kernel or operating
system to which you wish to restrict access in
/etc/lilo.conf. To do this, add the password
directive immediately below the
image line. When finished, the
beginning of the password-protected stanza will resemble the
following:
image=/boot/vmlinuz-<version>
password=<password>
In the previous example, replace <version> with the
kernel version and <password> with
the LILO password for that kernel.
If you want to allow booting a kernel or operating system without
password verification, but do not want to allow users to add
arguments without a password, you can add the
restricted directive on the line
below the password line within the stanza. Such a stanza begins
similar to this:
image=/boot/vmlinuz-<version>
password=<password>
restricted
Again, replace <version> with the
kernel version and <password> with
the LILO password for that kernel.
If you use the restricted
directive, you must also have a password line in the stanza.
Warning: The /etc/lilo.conf file
is world-readable. If you are password protecting LILO, it is essential
that you only allow root to read and edit the file since all passwords are in
plain text. To do this, type the following command as root:
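The LILO points above can be audited together: a stanza that is neither covered by a global password nor carries its own, a restricted directive with no password in effect, and plain-text passwords in a file readable by anyone other than root. This is an added example, not part of the Red Hat guide; the function names and the sample file are constructed for illustration.

```python
import os
import stat

# Constructed sample lilo.conf; <version> and <password> are placeholders.
SAMPLE = """\
boot=/dev/hda
prompt
timeout=50
image=/boot/vmlinuz-<version>
    label=linux
    restricted
other=/dev/hda1
    label=dos
    password=<password>
"""


def audit_lilo_conf(text, mode):
    """Audit lilo.conf text; mode is the file's permission bits."""
    findings = []
    glob = {"name": "global", "password": False, "restricted": False}
    stanzas, cur = [], glob
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition("=")
        key = key.strip()
        if key in ("image", "other"):       # a new stanza starts here
            cur = {"name": value.strip(), "password": False, "restricted": False}
            stanzas.append(cur)
        elif key in ("password", "restricted"):
            cur[key] = True
    for s in stanzas:
        protected = s["password"] or glob["password"]
        if s["restricted"] and not protected:
            findings.append(f"{s['name']}: restricted without a password line")
        elif not protected:
            findings.append(f"{s['name']}: boots and takes arguments with no password")
    # Passwords are stored in plain text, so only root may read the file.
    if (glob["password"] or any(s["password"] for s in stanzas)) and mode & 0o077:
        findings.append(f"mode {mode:o}: plain-text passwords readable beyond root")
    return findings


def audit_lilo_file(path):
    """Read a lilo.conf from disk and audit it with its actual file mode."""
    with open(path) as fh:
        text = fh.read()
    return audit_lilo_conf(text, stat.S_IMODE(os.stat(path).st_mode))
```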