Re: How do I prevent Grub command-line boots?

http://ubuntuforums.org/showthread.php?t=1369019

Re: How do I prevent Grub command-line boots?

Anybody savvy enough to boot your PC from a grub command line likely isn't gonna be stopped by a grub password

Re: How do I prevent Grub command-line boots?

I couldn't figure out the answer to my question in that link.

Creating passwords for menu items (or menu item locking) does not prevent entering the command-line mode of Grub.

Further, configuring the Grub configuration file so that it does not display the recovery mode menu items (using the GRUB_DISABLE_LINUX_RECOVERY="true" function) also does not prevent a user from entering the Grub command-line mode and entering bootup commands manually.

Re: How do I prevent Grub command-line boots?

Passwords are important. Manually booting from the grub command-line is not difficult and only takes a few keystrokes.

Re: How do I prevent Grub command-line boots?

I think is one of a class of security risks that all fall under the heading "What could happen if a bad guy gets physical access to the computer?".

IMHO, having a handful of bootable USB sticks with 3 or 4 different Linuces available, the only thing that would stop me is a BIOS that is password-protected. And even then, with a screwdriver and a few minutes to find the "reset BIOS to defaults" jumper on the motherboard, I think I can get into it. Or else just pull the hard drives and take them home with me. So what you do to protect the boot menu is kinda-sorta irrelevant, in the context of a thief with physical access.

Re: How do I prevent Grub command-line boots?

Security is always important. See this excellent PC World article about the scenario I am describing:

http://www.pcworld.com/article/11472...n_your_pc.html

I consult hospitals. There are a variety of IT professionals who can (and need to) access the datacenter for a variety of reasons. They might work with some servers but it is important to secure the other servers that they shouldn't access.

It's pretty difficult to lock some servers in a closet while others are being worked on.

Hospitals aren't like the military.

Re: How do I prevent Grub command-line boots?

Just because we can't stop all hackers, doesn''t mean we should make it easy

Anyway, this http://www.ubuntugeek.com/startup-ma...d-usplash.html, say it prevent editing, not sure 'bout command-line

Re: How do I prevent Grub command-line boots?

I've read that link and have tried all the suggested methods in it. Further, it uses a GUI add-on app, and some of my servers are headless.

Re: How do I prevent Grub command-line boots?

Have you tried BURG?

Re: How do I prevent Grub command-line boots?

Actually, I'm a sysadmin for a Department of Defense agency and computer security makes up about half of my job description. I do this stuff for a living and your tax dollars pay my salary.

Physical security is and always will be the most important factor in information assurance - and it really doesn't matter whether you agree or not, they teach that in INFOSEC 101. If someone can get physical access to your machine they can own the thing - it's that simple.

To answer some of your other observations -

A bootloader password won't help that at all, so we're gonna call this a straw man argument and get back to securing servers over which we do have physical control.

First, as above physical security is paramount. How would somebody "manage to get" physical access to a properly secured server?

You don't allow disgruntled employees access to your server hardware or your data. You perform background checks on your sysadmins *before* you grant them access and the *first* thing you do when you have a problem with an employee is revoke his access. If you can't trust someone who has that kind of access you fire them - it's that simple. And - you revoke their access *before* you fire them.

And you never, ever let sysadmins audit server security. They enforce security protocols, but your security audits should never be done by the same people who manage the servers. You hire someone to run a Retina scan against your servers and give *you* the report - then when your sysadmins say they've remediated all the deficiencies you run a verification scan just to make sure they've done their job.

If your data is that sensitive you compartmentalize it. You don't grant someone more access than they require to do their job - the person running your mail server doesn't need access to your database servers and the people managing print servers don't need access to either. You minimize your exposure and again, you don't have anybody running your network that you can't trust. There shouldn't be more than a couple of people with the keys to everything.

Again, why is this server in a location where a casual passerby can do anything at all?

Re: How do I prevent Grub command-line boots?

For protecting grub2 with a password, see the links at the bottom of the post, but first things first:

Firstly, I'll emphasize (like others have done) that protecting grub with a password does very little to protect a machine from a local intruder (with physical access)...in some scenarios it might make sense (when a number of other security measures are also used), but as a general rule it only creates a false sense of security.

Passwords usually offer a fairly good protection against remote access (of course one cannot get to GRUB remotely), but physical access is root access.

Production servers are always secured from physical access...always (if they aren't you can't even talk about security). Of course the authorized admins have access to them, but a bootloader password does nothing to protect the servers from authorized access (nor will it protect against unauthorized access by people who have the means to break through the physical security measures).

Are we talking servers or desktops here? If a casual passerby can get to your server, you're toast. And why would there be a keyboard attached to it (or the possibility to attach one).

If you mean a desktop, then this could be an issue, but a bootloader password means nothing if booting from external media is not disabled in the BIOS and the BIOS is not password protected. (Those won't make the computer secure either, but of course help in slowing down an intruder).

For desktop data security, you need encryption (which isn't 100% safe either).

---

If you want to protect grub2 with a password (which, like I said, may make sense in some cases, but is relatively useless in most cases), you can find a short howto here and the GRUB2 manual has more up-to-date information (including how to create and set hashed passwords).

Setting up a superuser password will protect both edit and command-line mode with that password.

Re: How do I prevent Grub command-line boots?

You know, even if a high-dollar security setup isn't an option there are a lot of things you can do to secure a server. Server-class machines should be located in locked racks in a secured area - but if we've got desktop PCs performing server duty (I really have a hard time calling something like that a server) there's still a lot you can do -

• set a BIOS password
• disable and/or disconnect optical drives and USB ports
• padlock the case shut
• bolt the server to the floor or to a table

Nobody who works for me needs access to server optical drives or USB ports once they're done building the server. If they need to install software on a server they map an optical drive from their workstation or copy the contents of the CD to a network drive and RDP into the server to install the software.

I know people who epoxy USB ports shut on classified systems. I'm content to just disable the interfaces and physically secure the machine.

Re: How do I prevent Grub command-line boots?

The computers already have hard drive access password-protected (and the password stored in the BIOS). If a hard drive is removed from the computer, it cannot easily be accessed by merely plugging it into another computer whose BIOS does not have the correct password.

Also, BIOS is already protected from external media or PXE-LAN boots. Still, when Grub isn't protected by a password, it is possible to use it to circumvent the BIOS restrictions.

The Grub2 Manual link provided (here) seems to have the best instructions for Grub2.

(The other link's instructions instructions are far too involved for my purposes.)

In short, edit /etc/grub.d/40_custom:

sudo kate /etc/grud.d/40_custom

and add the lines

set superusers="user1"
# password_pbkdf2 user1 grub.pbkdf2.sha512.10000.biglongstringof encryptedpassword
password user1 unencryptedpasswordhere

where "user1" will be the user with permission to access the Grub2 command-line (or menu editing functions) and unencryptpasswordhere will be the password required to access the Grub2 command-line. (The commented line is if a pbkdf2 encrypted password will be used).

Then
sudo update-grub

as usual.

This method is quite easy.

Re: How do I prevent Grub command-line boots?

I gave it a try, and works as advertised on my end (with grub2 version 1.99).

howto test quickly:

1. append to /etc/grub.d/00_header:

cat << EOF
set superusers="admin"
password admin adminpw
EOF

2. run 'sudo update-grub'

After that you need to enter admin (username) and adminpw (password) to enter edit or commandline mode in grub.

NOTES:
- that only protects edit and commandline mode. If you also want to protect existing menu items, you'll have to set those up as well (it's also possible to disable the creation of "recovery mode" menu items in grub configuration /etc/default/grub)
- you'll likely want to have a hashed password instead of clear text.
- you can probably use a separate file (like /etc/grub.d/02_grubsecurity) instead of 00_header so you don't have to redo the edit if 00_header is changed during upgrade.