Many security controls are ineffective or can be overridden if an attacker gets physical access to your hosts,...
especially if attackers are able to reboot those hosts. For example, by rebooting your Red Hat Enterprise Linux server, an attacker can sign into single user mode and change your root password -- achieving a total compromise of your server.
In this tip, I will look at how you can secure your GRUB boot loader with a password that will prevent unauthorized access to your hosts after a reboot.
The GRUB boot loader is the default boot loader installed by Red Hat Enterprise Linux (and other distributions such as SUSE Linux Enterprise Server, Mandriva, Fedora Core and Gentoo, amongst others).
The GRUB boot loader's behavior is to present a list of kernels that can be loaded, and after a period (if no user intervention occurs), can be booted into the default kernel. If the user intervenes by pressing a key and then by using a menu and an interactive command line, the user can select alternate kernels or specify additional parameters, such as the single statement used for booting into single user mode.
To secure the GRUB boot loader, we can apply a password to the whole loader, which you then need in order to specific kernel entries or to allow the loading of an additional menu for authenticated users. These controls are specified in the grub.conf configuration file that is located in the /boot/grub/ directory (and sym-linked to /etc/grub.conf).
Let us take a look at a password protected grub.conf file:
default=0 timeout=5 splashimage=(hd0,0)/grub/splash.xpm.gz password --md5 $1$3Gq.k1$Swh2Z8swBjRp2wvncjVaa0 title Red Hat Enterprise Linux (2.6.18-1.2849.rhel4) root (hd0,0) lock kernel /vmlinuz-2.6.18-1.2849.rhel4 ro root=/dev/VolGroup00/LogVol01 initrd /initrd-2.6.18-1.2849.rhel4.img
In this grub.conf file, we can see a kernel entry and, just above it, a line:
password -md5 $1$3Gq.k1$Swh2Z8swBjRp2wvncjVaa0
When specified, the password option disables all the interactive features of GRUB, i.e. you can't add boot parameters, enter the command line interface or edit menu entries.
To enable these functions, you need to type p whilst on the GRUB menu and enter the correct password. The --md5 option on the password indicates that the password is in MD5 format. You can create MD5 passwords for GRUB using the grub command line interface like so:
# grub grub> md5crypt md5crypt Password: password password Encrypted: $1$3Gq.k1$Swh2Z8swBjRp2wvncjVaa0
The md5crypt function prompts you for a clear-text password and then outputs that password in MD5 format. You can then cut-and-paste the password into your grub.conf file.
Using the password option, you can also specify a menu that can be launched when the appropriated password is entered,
password --md5 $1$3Gq.k1$Swh2Z8swBjRp2wvncjVaa0 /boot/grub/admin-menu.lst
In this instance, when the appropriate password is entered, the menu specified in the /boot/grub/admin-menu.lst file would be displayed (menu files follow the standard GRUB menu structure). This allows you to specify kernel entries and other features that can be accessed only by authorized users.
In addition, you can control access to specific kernel entries. In the kernel entry above, you can see that the lock option has been specified. The lock option indicates that the kernel entry cannot be loaded unless the required password (specified in the password option) is entered. You must specify the lock option directly after the title line to lock the entry. You can also specify a password for each entry by replacing the lock option with a password option like so:
title Red Hat Enterprise Linux (2.6.18-1.2649.rhel4) password -md5 $1$3Gq.k1$Swh2Z8swBjRp2wvncjVaa0 root (hd0,0) kernel /vmlinuz-2.6.18-1.2649.rhel4 ro root=/dev/VolGroup00/LogVol01 initrd /initrd-2.6.18-1.2649.rhel4.img
Using the password option in an individual entry means you can secure different entries with different passwords, hence allowing users to launch some kernels but not others.
To prevent unauthorized changes, you also need to ensure the grub.conf file has suitable ownership and permissions. The file should be owned by root and have permissions of 0600 like so:
# chown root:root /etc/grub.conf # chmod 0600 /etc/grub.conf
Don't forget that you can (also) set hardware-level security controls in the BIOS of your servers. Common controls that are implemented include BIOS-level passwords (and don't forget to secure the BIOS setup application with a password also) and restrictions on booting from CD, DVD, USB and the like.
Remember that GRUB security doesn't help you if someone is able to physically remove components from the server itself. The best defense against this is a locked room with a secure access mechanism.
Did you find this tip helpful? Got one of your own to share with your fellow readers? Send it along!