Thursday, October 1, 2009

Linux Security Notes 2: Boot Time Security Tips

BOOT TIME SECURITY

BIOS:
  •     Set a BIOS setup (supervisor) password so that the firmware configuration, in particular the boot order, cannot be changed without it, and disable booting from removable media while you are there.
  •     If a system (power-on) password is set as well, the password must be entered before the machine boots at all. That is a stronger setting, but unsuitable for a server that has to come back unattended after a power cut.
  •     Caveat: a BIOS password only holds against someone without physical access. Clearing CMOS or moving the disk into another machine bypasses it, so it complements, and does not replace, locked racks and disk encryption.

GRUB:

  •     To prevent editing of the GRUB menu entries at boot time (the kernel line can otherwise be changed to boot single-user or with init=/bin/sh, which gives a root shell without any password), set a GRUB boot-loader password.
Creating the GRUB password.
    Generate the password hash by executing grub-md5-crypt (the GRUB legacy tool; the name is hyphenated, not grub_md5_crypt)

# grub-md5-crypt
    Enter the password twice; the tool prints its MD5-crypt hash, which always has the form $1$<salt>$<hash>. The value below stands in for that output and is not a real hash.
-----------
hhdgfwytt223476$$#^jkhsdhgfds
-----------

Now copy this output and paste it into grub.conf with the following option

# vim /boot/grub/grub.conf
 beneath the timeout line add the line
--------
password --md5 hhdgfwytt223476$$#^jkhsdhgfds
--------
    Now reboot and check that the menu no longer allows editing of entries until the password has been entered (press p). Keep grub.conf readable by root only (mode 0600). The password only protects the menu: anyone who can boot from removable media or pull the disk still has the data, so it goes together with the BIOS settings above rather than replacing them. On GRUB 2 the equivalent is grub-mkpasswd-pbkdf2 together with set superusers in the GRUB 2 configuration.
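The grub.conf step above as a script. This is an added example, not code from the original post: it checks that the hash has the MD5-crypt shape grub-md5-crypt produces, then inserts (or replaces) the global password line directly beneath the timeout line, so it can be rerun without leaving duplicate lines. The file path and hash in the usage comment are placeholders, and the function name is my own.

```sh
#!/bin/sh
# Added example, not code from the original post: put a GRUB-legacy
# "password --md5" line beneath the timeout line of a grub.conf.
#
#   grub-md5-crypt                                         # prints $1$<salt>$<hash>
#   add_grub_password /boot/grub/grub.conf '$1$<salt>$<hash>'
#
# grub-md5-crypt emits standard MD5-crypt, so "openssl passwd -1" produces an
# equivalent hash if GRUB's own tool is not at hand.

# Accept only the MD5-crypt shape: "$1$", 1-8 salt characters, 22 hash
# characters. A mistyped hash would lock the menu with a value GRUB can never
# match, and the only way out would be to boot from other media.
is_md5_crypt() {
    printf '%s\n' "$1" | grep -Eq '^\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$'
}

add_grub_password() {   # add_grub_password <grub.conf> <hash>
    conf=$1
    pw_hash=$2
    is_md5_crypt "$pw_hash" || { echo "rejected: not an MD5-crypt hash" >&2; return 1; }
    grep -q '^timeout' "$conf" || { echo "no timeout line in $conf" >&2; return 1; }
    tmp=$(mktemp) || return 1
    # Drop any global password line already present (one that appears before
    # the first "title" stanza; per-entry passwords inside stanzas are kept),
    # then emit a fresh one right under the timeout line.
    awk -v h="$pw_hash" '
        /^title/                                    { in_entry = 1 }
        /^[ \t]*password[ \t]/ && !in_entry          { next }
        { print }
        /^timeout/ && !in_entry                     { print "password --md5 " h }
    ' "$conf" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Write back in place (keeps the inode that /boot/grub/menu.lst may link
    # to) and make sure only root can read the file that now carries the hash.
    cat "$tmp" > "$conf" && rm -f "$tmp" && chmod 600 "$conf"
}

# Run only when invoked directly with the two arguments.
if [ "$#" -eq 2 ]; then
    add_grub_password "$1" "$2"
fi
```

Run it as root against the real file only after trying it on a copy; the exit status is non-zero when the hash is rejected or the file has no timeout line.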

Boot log checks - boot-up security measures to take:

    Changes to the system can be verified from the boot logs. Two files hold the messages from the kernel and from the daemons started at boot: /var/log/dmesg and /var/log/boot.log.
/var/log/dmesg:
    Kernel messages from the boot, including every piece of hardware the kernel detected, are logged here. /var/log/dmesg is a copy of the kernel ring buffer saved by the init scripts at boot; the dmesg command (/bin/dmesg) prints the live ring buffer, which on a long-running system may already have lost the boot messages to newer ones, so use the file for this check.

Check /var/log/dmesg after a boot for any changes on a suspected compromised system:
  • check the kernel version in the "Linux version" line; it should match the kernel package installed (compare with uname -r and rpm -q kernel)
  • check the memory, CPUs and NICs reported and compare them with the record made when the server went into production; a kernel that reports a different build string or different hardware is not the kernel that was installed, and the system should be treated as compromised until that is explained
  • the log lives on the same disk as everything else, so keep the production record off the box; an intruder with root can rewrite /var/log as easily as any other file
/var/log/boot.log:
    Check /var/log/boot.log to find out which daemons and kernel options were enabled while booting.
    For example, check whether IP forwarding (routing) or source routing was enabled and compare with the configuration recorded when the server moved to production.
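The dmesg comparison above, as an added example that is not part of the original post: one function reduces a saved dmesg to the lines that identify the kernel build, RAM, CPUs and NICs, and a second compares that fingerprint with a baseline taken at go-live. The line patterns are assumptions based on typical 2.6-era dmesg output, the function names and the off-box baseline path in the usage comment are mine, and the sample log lines used to test it are constructed.

```sh
#!/bin/sh
# Added example, not code from the original post: build a kernel/hardware
# fingerprint from a saved dmesg and compare it against the baseline recorded
# when the server went into production.
#
#   boot_fingerprint /var/log/dmesg > /mnt/usb/host.dmesg.baseline           # at go-live, kept off-box
#   compare_boot_fingerprint /mnt/usb/host.dmesg.baseline /var/log/dmesg     # after every reboot
#
# Patterns (an assumption, adjust for your drivers): the "Linux version" build
# string, the "Memory:" summary, per-CPU model lines and ethX NIC lines.
# Exit status: 0 same as baseline, 2 differs, 1 unreadable input.

boot_fingerprint() {   # boot_fingerprint <dmesg-file>
    # Strip "[ seconds] " timestamps (present on newer kernels, absent on
    # 2.6.18), keep the identifying lines, cut the volatile tail of the Memory
    # line, and sort so that ordering differences do not count as changes.
    sed -E 's/^\[ *[0-9.]+\] //' "$1" \
        | grep -E '^(Linux version |Memory: |CPU[0-9]+: |eth[0-9]+: )' \
        | sed -E 's#^(Memory: [0-9]+[kK]/[0-9]+[kK]) available.*#\1#' \
        | sort -u
}

compare_boot_fingerprint() {   # compare_boot_fingerprint <baseline> <dmesg-file>
    [ -r "$1" ] && [ -r "$2" ] || { echo "unreadable input" >&2; return 1; }
    cur=$(mktemp) || return 1
    boot_fingerprint "$2" > "$cur"
    if cmp -s "$1" "$cur"; then
        rm -f "$cur"
        return 0
    fi
    echo "boot fingerprint differs from baseline $1 (< baseline, > current):" >&2
    diff "$1" "$cur" >&2
    rm -f "$cur"
    return 2
}

if [ "$#" -eq 2 ]; then
    compare_boot_fingerprint "$1" "$2"
fi
```

A kernel upgrade legitimately changes the "Linux version" line; re-take the baseline after each planned upgrade so that the next unexpected change stands out.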

Securing INIT

Process of INIT in relation to system boot
        After the BIOS initializes the hardware it hands control to GRUB, which immediately hands over to the Linux kernel. The kernel initializes the hardware, loads its modules and launches the very first process, init (PID 1). The job of init is to bring up the environment the administrator has chosen; on a SysV init system it reads its key configuration file, /etc/inittab. (Systems that boot with Upstart or systemd do not take these settings from /etc/inittab.)

Modifying the inittab file to increase security.
#vi /etc/inittab
--------
### The X server in Linux is a service that runs in a client/server environment. Do not start it at boot: set the default runlevel (the id:...:initdefault: line) to 3 instead of 5.
### Disable the Ctrl-Alt-Del keystroke (comment out the ctrlaltdel line) so the machine cannot be rebooted by anyone who can reach the console keyboard.
### The terminal sessions (virtual consoles) are defined as below:
1:2345:respawn:/sbin/mingetty    tty1
2:2345:respawn:/sbin/mingetty    tty2

6:2345:respawn:/sbin/mingetty    tty6
    Here we can reduce the number of TTYs by commenting out the extra lines (the fewer terminals, the fewer login shells exposed at the console), so it makes sense to disable the extra TTYs.
--------
Now run the following command so that the new inittab takes effect
# init q
    This makes init re-read /etc/inittab. Gettys whose lines were commented out are no longer respawned and the Ctrl-Alt-Del change applies at once; a changed default runlevel only applies at the next boot (run init 3 to switch now).
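The three inittab changes above applied by a script, added here as an example that is not from the original post. It works on a copy of /etc/inittab so the result can be reviewed before it is installed: the default runlevel is set to 3, the ctrlaltdel action is commented out, and only the first N getty lines stay active. The function names, the copy path in the usage comment and the sample inittab used to test it are my own.

```sh
#!/bin/sh
# Added example, not code from the original post: apply the inittab changes
# discussed above to a copy of /etc/inittab (SysV init; Upstart and systemd
# systems do not take these settings from inittab):
#   - default runlevel 3 instead of 5 (no X server at boot)
#   - the ctrlaltdel action commented out
#   - only tty1..ttyN gettys left active, the rest commented out
#
#   cp /etc/inittab /root/inittab.new && harden_inittab /root/inittab.new 2
#   diff /etc/inittab /root/inittab.new      # review, then install it and run "init q"

harden_inittab() {   # harden_inittab <inittab-file> <gettys-to-keep>
    f=$1
    keep=$2
    tmp=$(mktemp) || return 1
    awk -v keep="$keep" '
        # id:5:initdefault: -> id:3:initdefault: (takes effect at the next boot)
        /^id:[0-9]:initdefault:/ { print "id:3:initdefault:"; next }
        # ca::ctrlaltdel:/sbin/shutdown ... -> commented out (not already a comment)
        /^[^#].*:ctrlaltdel:/ { print "#" $0; next }
        # N:2345:respawn:/sbin/mingetty ttyN -> commented out when N > keep
        /^[0-9]+:[0-9]+:respawn:.*mingetty[ \t]+tty[0-9]+/ {
            n = $0
            sub(/.*tty/, "", n)        # greedy: leaves the digits after the last "tty"
            if (n + 0 > keep) { print "#" $0; next }
        }
        { print }
    ' "$f" > "$tmp" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$f" && rm -f "$tmp"
}

# Number of getty lines that will still be respawned, for a quick check
# after editing.
active_gettys() {   # active_gettys <inittab-file>
    grep -cE '^[0-9]+:[0-9]+:respawn:.*mingetty' "$1"
}

if [ "$#" -eq 2 ]; then
    harden_inittab "$1" "$2"
fi
```

Running it twice on the same file changes nothing the second time, so it is safe to re-apply after a package update restores the stock inittab.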

RPM database regular check
     Check the package list on the system regularly. If the system is RPM based, save the list of installed packages and keep it for later reference in case a compromise is suspected.

#rpm -qa | sort > $(date +%F).installed.pkgs.lst
    To compare, run the following command (both lists must be sorted the same way, otherwise diff reports every reordering as a change)
#diff old.list new.list

Note:-
    An experienced intruder never installs packages in RPM format, so in that case the package list shows nothing. rpm -Va, which verifies the size, digest, permissions, ownership and timestamps of every installed file against the RPM database, does catch replaced system binaries, but only when the database itself has not been tampered with, so keep a copy of /var/lib/rpm off the box as well and prefer checking from rescue media.
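The snapshot and comparison above as a script, added here as an example and not code from the original post: one function writes a sorted package list, the other reports the packages that appear only in the newer or only in the older snapshot, so an upgrade shows as one removal and one addition rather than a noisy diff. The directory in the usage comment and the package lists used to test it are constructed; the rpm query format is the real one.

```sh
#!/bin/sh
# Added example, not code from the original post: take sorted snapshots of the
# installed RPM set and report what was added or removed between two of them.
#
#   snapshot_packages /root/pkgs/$(date +%F).lst          # at go-live and on a schedule
#   pkg_changes /root/pkgs/2009-10-01.lst /root/pkgs/2009-11-01.lst
#
# The lists are sorted (in the C locale, so sort and comm agree) before
# comparison, because "rpm -qa" does not promise a stable output order and a
# plain diff of unsorted lists reports reorderings as changes.

snapshot_packages() {   # snapshot_packages <outfile>
    rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n' | LC_ALL=C sort -u > "$1"
}

# Prints one line per change: "+pkg" for packages only in <new>, "-pkg" for
# packages only in <old>. Prints nothing when the sets are identical.
pkg_changes() {   # pkg_changes <old.lst> <new.lst>
    old=$(mktemp) || return 1
    new=$(mktemp) || return 1
    LC_ALL=C sort -u "$1" > "$old"
    LC_ALL=C sort -u "$2" > "$new"
    LC_ALL=C comm -13 "$old" "$new" | sed 's/^/+/'
    LC_ALL=C comm -23 "$old" "$new" | sed 's/^/-/'
    rm -f "$old" "$new"
}

# The list only reflects what went through rpm. For binaries replaced behind
# rpm's back, run "rpm -Va" and read the flags in its first column (S size,
# 5 digest, M mode, U/G owner/group, T mtime); trust it only if /var/lib/rpm
# itself is known good.

if [ "$#" -eq 2 ]; then
    pkg_changes "$1" "$2"
fi
```

Store the snapshots somewhere an intruder with root on this host cannot quietly edit, such as a central log host, otherwise the comparison only proves that the two files agree with each other.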
