Thursday, October 1, 2009

Linux Securirty Notes 2: Boot Time Security Tips


  •     secure the bios with password (setup password) to provide bios security
  •     If we setup the system password in the BIOS then for booting the system we need to provide the password


  •     To prevent the editing of the grub while booting we have to create the grub loader password.
Creating the Grub Password.
    Create the grub password by exicuting grub_md5_crypt

# grub_md5_crypt
    Give the password to create the md5 generated hash (encrypted password)

Now copy this out put and paste in grub.conf file with following option

# vim /boot/grub/grub.conf
 beneath the timeout session add the line
password --md5 hhdgfwytt223476$$#^jkhsdhgfds
    Now reboot and check the options to edit the grub

Boot Loader Checks - Bootup security measures that has to be taken:

    We can verify any changes for system in boot log. Mainly 2 files are containing the logs from deamons & kernels /var/log/dmesg & /var/log/boot.log
    Any changes in hardware will be logged here. we can use dmesg command to check the same. The binary /bin/dmesg will show the content of /var/log/dmesg.

Check the /var/log/dmesg after a boot for any changes in a suspected compromised system
  • check the kernel version - it should match the current version of the kernel installed
  • check the memory, cpu & NIC from the dmesg and compare with original - this is to check any changes in the kernel, if anything unusual found can conclude that the kernel might be compromised.
    Check the /var/log/boot.log to find out the deamons & kernel options that have been enabled while booting.
    For Eg:- check the routing eabled or check the source routing enabled etc and compare it with the configuration done while server moved to production.

Securing INIT

Process of INIT in relation to system boot
        After Bios initializes the hardwares hands over the control to grub which immediatly hands over to linux kernel.Now Kernel initializes the hardwares and loads the modules and the very first process INIT is launched. The job of init is to configure the enviornment based on the user choice. It reads the key configuration file in /etc/inittab.

Modifying the Inittab file to increase the security.
#vi /etc/inittab
###x-server in linux is a service which runs as server client enviornment. So disable the graphical and the default runlevel to 3.
### disbale the keystrock ctrlaltdel to avoid rebooting the machine from giving the same keystrock
### the session for terminals are given below
1:2345:respawn:/sbin/mingetty    tty1
2:2345:respawn:/sbin/mingetty    tty2

6:2345:respawn:/sbin/mingetty    tty6
    Here we can reduce the number of TTYs by commenting out(teh fewer terminal the fewer shells exposed) this makes sence in disabling the
extra TTY
Now run the following command to take effect of new inittab
# init q
    This reads the inittab files again

RPM Database regular Check
     Check regularly the package list in the system If the system is rpm based try to get the list of packages and document to refer later incase of any comparmize happened.

#rpm -qa > `date +%F`.installed.pkgs.lst
    to compare run the following command
#diff old.list new.list
    An experienced intruder never installs paclages in rpm format. This case makes exception.   

No comments:

Post a Comment

tag ur valuable ideas below