4.2. BIOS and Boot Loader Security
Password protection for the BIOS (or BIOS equivalent) and the boot
loader can prevent unauthorized users who have physical access to
systems from booting using removable media or attaining root through
single user mode. But the security measures one should take to protect
against such attacks depend both on the sensitivity of the information
the workstation holds and the location of the machine.
For instance, if a machine is used in a trade show and contains no
sensitive information, then it may not be critical to prevent such
attacks. However, if an employee's laptop with private, unencrypted SSH
keys for the corporate network is left unattended at that same trade
show, it could lead to a major security breach with ramifications for
the entire company.
On the other hand, if the workstation is located in a place where
only authorized or trusted people have access, then securing the BIOS or
the boot loader may not be necessary at all.
4.2.1. BIOS Passwords
The following are the two primary reasons for password protecting the
BIOS of a computer [1]:
Preventing Changes to BIOS Settings — If an intruder has access to
the BIOS, they can set it to boot off of a diskette or CD-ROM. This
makes it possible for them to enter rescue mode or single user mode,
which in turn allows them to seed nefarious programs on the system or
copy sensitive data.
Preventing System Booting — Some BIOSes allow password protection of
the boot process. When activated, an attacker is forced to enter a
password before the BIOS launches the boot loader.
Because the methods for setting a BIOS password vary between computer
manufacturers, consult the computer's manual for specific
instructions.
If you forget the BIOS password, it can either be reset with jumpers
on the motherboard or by disconnecting the CMOS battery. For this
reason, it is good practice to lock the computer case if possible.
However, consult the manual for the computer or motherboard before
attempting this procedure.
4.2.1.1. Securing Non-x86 Platforms
Other architectures use different programs to perform low-level
tasks roughly equivalent to those of the BIOS on x86 systems. For
instance, Intel® Itanium™ computers use the Extensible Firmware
Interface (EFI) shell.
For instructions on password protecting BIOS-like programs on other
architectures, refer to the manufacturer's instructions.
4.2.2. Boot Loader Passwords
The following are the primary reasons for password protecting a Linux
boot loader:
Preventing Access to Single User Mode — If an attacker can boot into
single user mode, he becomes the root user.
Preventing Access to the GRUB Console — If the machine uses GRUB as
its boot loader, an attacker can use the GRUB editor interface to
change its configuration or to gather information using the
cat command.
Preventing Access to Non-Secure Operating Systems — If it is a
dual-boot system, an attacker can select at boot time an operating
system, such as DOS, which ignores access controls and file
permissions.
There are two boot loaders that ship with Red Hat Enterprise Linux for the x86 platform,
GRUB and LILO. For a detailed look at each of these boot loaders, consult
the chapter titled Boot Loaders in the
Red Hat Enterprise Linux Reference Guide.
4.2.2.1. Password Protecting GRUB
GRUB can be configured to address the first two issues listed in
Section 4.2.2 Boot Loader Passwords by adding a password directive to
its configuration file. To do this, first decide on a password, then
open a shell prompt, log in as root, and type:
/sbin/grub-md5-crypt
When prompted, type the GRUB password and press
[Enter]. This returns an MD5 hash of the
password.
Next, edit the GRUB configuration file
/boot/grub/grub.conf. Open the file and below
the timeout line in the main section of the
document, add the following line:
password --md5
Replace the placeholder after --md5 with the value returned by
/sbin/grub-md5-crypt [2].
The next time the system boots, the GRUB menu does not allow access
to the editor or command interface without first pressing
[p] followed by the GRUB password.
Unfortunately, this solution does not prevent an attacker from
booting into a non-secure operating system in a dual-boot
environment. For this, a different part of the
/boot/grub/grub.conf file must be edited.
Look for the title line of the
non-secure operating system and add a line that says
lock directly beneath it.
For a DOS system,
the stanza should begin similar to the following:
title DOS
lock
Warning
A password line must be present
in the main section of the
/boot/grub/grub.conf file for this method to
work properly. Otherwise, an attacker can access the GRUB editor
interface and remove the lock line.
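The checks this section describes can be run against a configuration file. The following audit helper is an added example, not code from the guide; the function name is mine, and it reads a GRUB legacy grub.conf and reports a missing password --md5 line in the main section, a lock line that the Warning above says is useless without that global password, and a password directive given in plaintext rather than as an MD5 hash (see note [2]).

```shell
#!/bin/sh
# audit_grub_conf FILE
# Added audit helper (not from the guide). Reads a GRUB legacy grub.conf and
# reports: no "password --md5" in the main section (everything before the
# first "title" line), a "lock" line not backed by that global password, and
# a password directive stored in plaintext instead of an MD5 hash.
# Prints one finding per line; returns 1 if anything was found, else 0.
# Usage: audit_grub_conf /boot/grub/grub.conf
audit_grub_conf() {
    awk '
        BEGIN { in_main = 1; global = 0; bad = 0; stanza = "(main)" }
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments, blank lines
        /^[[:space:]]*title[[:space:]]/ {                 # a new stanza starts
            in_main = 0; stanza = $0
            sub(/^[[:space:]]*title[[:space:]]*/, "", stanza); next
        }
        /^[[:space:]]*password([[:space:]]|$)/ {
            if (in_main) global = 1
            if ($0 !~ /--md5/) { print "plaintext password directive: " $0; bad = 1 }
            next
        }
        /^[[:space:]]*lock([[:space:]]|$)/ { locked[stanza] = 1; next }
        END {
            if (!global) { print "no password --md5 line in the main section"; bad = 1 }
            for (s in locked) {
                if (global) print "locked stanza \"" s "\" is protected by the global password"
                else { print "lock in stanza \"" s "\" is not backed by a global password"; bad = 1 }
            }
            exit bad
        }
    ' "$1"
}
```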
To create a different password for a particular kernel or operating
system, add a lock line to the stanza followed by
a password line.
Each stanza protected with a unique password should begin with lines
similar to the following example:
title DOS
lock
password --md5
4.2.2.2. Password Protecting LILO
LILO is a much simpler boot loader than GRUB and does not offer a
command interface, so an attacker cannot gain interactive access to
the system before the kernel is loaded. However, it is still
possible for an attacker to boot into single-user mode or into an
insecure operating system.
Password protecting LILO can be accomplished by adding a password
directive into the global section of its configuration file. To do
this, open a shell prompt, log in as root, and edit
/etc/lilo.conf. Before the first image stanza, add a password
directive similar to the following example:
password=
In the above directive, replace the placeholder with the password for
LILO.
Important
When editing /etc/lilo.conf, the
/sbin/lilo -v -v command must be run for the
changes to take effect. If a password has been configured and
anyone other than root can read the file, LILO installs properly,
but notifies the user that the permissions on the configuration
file are incorrect.
If a global password is not desirable, the password directive can be
added to any stanza corresponding to any kernel or operating
system. To do this, add the password directive immediately below the
image line. When finished, the
beginning of the password-protected stanza resembles the
following:
image=/boot/vmlinuz-
password=
In the previous example, replace the placeholders with the kernel
version and with the LILO password for that kernel.
It is also possible to allow the booting of a kernel or operating
system without password verification, while preventing users from
specifying arguments without a password. To do this, add the
restricted directive on the line
below the password line within the stanza. Such a stanza begins
similar to the following example:
image=/boot/vmlinuz-
password=
restricted
Replace the placeholders with the kernel version and with the LILO
password for that kernel.
If using the restricted directive,
there must also be a password line within the stanza.
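A companion audit helper for LILO, again an added example and not the guide's own code (the function name is mine): it checks that the configuration file is readable only by its owner, as the Important note above requires, that every image= or other= stanza is covered by a global or per-stanza password= directive, and that a stanza using restricted also carries its own password line. The other= keyword for non-Linux stanzas is standard lilo.conf syntax.

```shell
#!/bin/sh
# audit_lilo_conf FILE
# Added audit helper (not from the guide). Checks a lilo.conf against the
# points made in the text: the file must not be readable by group or other
# (passwords are stored in plain text), every image=/other= stanza must be
# covered by a global or per-stanza "password=", and a stanza that uses
# "restricted" must carry its own "password=" line.
# Prints one finding per line; returns 1 if anything was found, else 0.
# Usage: audit_lilo_conf /etc/lilo.conf
audit_lilo_conf() {
    status=0
    # ls -l columns 5-10 are the group/other permission bits; this avoids
    # the GNU/BSD differences in stat's flags.
    if [ "$(ls -ld "$1" | cut -c5-10)" != "------" ]; then
        echo "permissions: $1 is readable by non-root users (expected chmod 600)"
        status=1
    fi
    awk '
        BEGIN { n = 0; global_pw = 0 }
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments, blank lines
        /^[[:space:]]*(image|other)[[:space:]]*=/ {      # a new stanza starts
            name[++n] = $0; sub(/^[[:space:]]*/, "", name[n]); next
        }
        /^[[:space:]]*password[[:space:]]*=/ {
            if (n == 0) global_pw = 1; else pw[n] = 1
            next
        }
        /^[[:space:]]*restricted([[:space:]]|$)/ { if (n > 0) restricted[n] = 1; next }
        END {
            bad = 0
            for (i = 1; i <= n; i++) {
                if (!global_pw && !pw[i]) {
                    print "stanza \"" name[i] "\" boots without any password"; bad = 1
                }
                if (restricted[i] && !pw[i]) {
                    print "stanza \"" name[i] "\" uses restricted without its own password line"; bad = 1
                }
            }
            exit bad
        }
    ' "$1" || status=1
    return $status
}
```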
Warning
The /etc/lilo.conf file is world-readable. If
you are password protecting LILO, it is essential to only allow
the root user to read and edit the file since all passwords are in
plain text. To do this, type the following command as root:
chmod 600 /etc/lilo.conf
Notes
[1] Since system BIOSes differ between manufacturers, some may not
support password protection of either type, while others may support
one type but not the other.
[2] GRUB also accepts unencrypted passwords, but it is recommended
that an md5 hash be used for added security.
This article is from the ChinaUnix blog; to view the original, visit: http://blog.chinaunix.net/u/2389/showart_108507.html