How do I prevent Grub command-line boots?


    How do I prevent Grub command-line boots?

    The ability to manually boot using the Grub command-line constitutes a big security risk in Linux, IMO.

    Any OS can be booted in this manner from any LAN-PXE, USB or CD/DVD drive, circumventing BIOS-imposed boot restrictions. (Once a foreign OS is booted, of course, it can be used to access any part of an unencrypted hard drive.)

    Placing passwords or locking menu items (in the Grub configuration files) does not prevent a user from booting manually using commands entered at the grub command-line.

    As it stands now, when presented with the Grub menu (or after bringing up a hidden Grub menu with the "ESC" key), a user only needs to hit "c" to enter the Grub command-line mode or "e" to edit menu entries to facilitate any type of bootup whatsoever. (They can then enter manually the Grub commands to boot an OS on any device.) This is extremely insecure and allows any passerby to boot the computer with a few keystrokes and a bootable USB drive.

    How do I configure Grub so that it will require a password in order to enter the command-line mode (and thereby restrict boot options to the menu, which can then be password protected/locked)?

    UbuntuGuide/KubuntuGuide

    Right now the killer is being surrounded by a web of deduction, forensic science,
    and the latest in technology such as two-way radios and e-mail.

    #2
    Re: How do I prevent Grub command-line boots?

    http://ubuntuforums.org/showthread.php?t=1369019

    Please Read Me

    Comment


      #3
      Re: How do I prevent Grub command-line boots?

      Anybody savvy enough to boot your PC from a grub command line likely isn't gonna be stopped by a grub password
      we see things not as they are, but as we are.
      -- anais nin

      Comment


        #4
        Re: How do I prevent Grub command-line boots?

        Originally posted by oshunluvr
        I couldn't figure out the answer to my question in that link.

        Creating passwords for menu items (or menu item locking) does not prevent entering the command-line mode of Grub.

        Further, configuring the Grub configuration file so that it does not display the recovery mode menu items (using the GRUB_DISABLE_LINUX_RECOVERY="true" function) also does not prevent a user from entering the Grub command-line mode and entering bootup commands manually.


        UbuntuGuide/KubuntuGuide

        Right now the killer is being surrounded by a web of deduction, forensic science,
        and the latest in technology such as two-way radios and e-mail.

        Comment


          #5
          Re: How do I prevent Grub command-line boots?

          Originally posted by wizard10000
          Anybody savvy enough to boot your PC from a grub command line likely isn't gonna be stopped by a grub password
          Passwords are important. Manually booting from the grub command-line is not difficult and only takes a few keystrokes.

          UbuntuGuide/KubuntuGuide

          Right now the killer is being surrounded by a web of deduction, forensic science,
          and the latest in technology such as two-way radios and e-mail.

          Comment


            #6
            Re: How do I prevent Grub command-line boots?

            I think this is one of a class of security risks that all fall under the heading "What could happen if a bad guy gets physical access to the computer?".

            IMHO, having a handful of bootable USB sticks with 3 or 4 different Linuces available, the only thing that would stop me is a BIOS that is password-protected. And even then, with a screwdriver and a few minutes to find the "reset BIOS to defaults" jumper on the motherboard, I think I can get into it. Or else just pull the hard drives and take them home with me. So what you do to protect the boot menu is kinda-sorta irrelevant, in the context of a thief with physical access.

            Comment


              #7
              Re: How do I prevent Grub command-line boots?

              Security is always important. See this excellent PC World article about the scenario I am describing:

              http://www.pcworld.com/article/11472...n_your_pc.html

              I consult hospitals. There are a variety of IT professionals who can (and need to) access the datacenter for a variety of reasons. They might work with some servers but it is important to secure the other servers that they shouldn't access.

              It's pretty difficult to lock some servers in a closet while others are being worked on.

              Hospitals aren't like the military.

              UbuntuGuide/KubuntuGuide

              Right now the killer is being surrounded by a web of deduction, forensic science,
              and the latest in technology such as two-way radios and e-mail.

              Comment


                #8
                Re: How do I prevent Grub command-line boots?

                Originally posted by dibl
                IMHO, having a handful of bootable USB sticks with 3 or 4 different Linuces available, the only thing that would stop me is a BIOS that is password-protected. And even then, with a screwdriver and a few minutes to find the "reset BIOS to defaults" jumper on the motherboard, I think I can get into it. Or else just pull the hard drives and take them home with me. So what you do to protect the boot menu is kinda-sorta irrelevant, in the context of a thief with physical access.
                Just because we can't stop all hackers, doesn't mean we should make it easy

                Anyway, this http://www.ubuntugeek.com/startup-ma...d-usplash.html says it prevents editing, not sure 'bout command-line
                Registered Linux User 545823

                Comment


                  #9
                  Re: How do I prevent Grub command-line boots?

                  Anyway, this http://www.ubuntugeek.com/startup-ma...d-usplash.html says it prevents editing, not sure 'bout command-line
                  I've read that link and have tried all the suggested methods in it. Further, it uses a GUI add-on app, and some of my servers are headless.

                  UbuntuGuide/KubuntuGuide

                  Right now the killer is being surrounded by a web of deduction, forensic science,
                  and the latest in technology such as two-way radios and e-mail.

                  Comment


                    #10
                    Re: How do I prevent Grub command-line boots?

                    Originally posted by perspectoff
                    I've read that link and have already tried all the suggested methods in it. My reply is the same as already posted. Passwords only apply to the menu, not to the command-line.
                    Have you tried BURG?
                    ASROCK Z87 Pro4 - i5 4670K - R9 270x ☞ Triple Boot: KDE NEON ★ Windows 10 ★ Windows 7

                    Comment


                      #11
                      Re: How do I prevent Grub command-line boots?

                      Originally posted by perspectoff
                      ...You seem to pooh-pooh the importance of passwords. I suppose you don't see a reason to use a password for your online banking, either, right?
                      Actually, I'm a sysadmin for a Department of Defense agency and computer security makes up about half of my job description. I do this stuff for a living and your tax dollars pay my salary.

                      Physical security is and always will be the most important factor in information assurance - and it really doesn't matter whether you agree or not, they teach that in INFOSEC 101. If someone can get physical access to your machine they can own the thing - it's that simple.

                      To answer some of your other observations -

                      Server OS instances are often hosted within virtual machines in cloud locations to which physical access cannot always be restricted.

                      The recent Amazon EC2 cloud hack against the Sony gaming servers proves that.
                      A bootloader password won't help that at all, so we're gonna call this a straw man argument and get back to securing servers over which we do have physical control.

                      Furthermore, database and corporate information theft is often accomplished as an inside job by a disgruntled employee who already has (or managed to get) physical access to the server hardware.
                      First, as above physical security is paramount. How would somebody "manage to get" physical access to a properly secured server?

                      You don't allow disgruntled employees access to your server hardware or your data. You perform background checks on your sysadmins *before* you grant them access and the *first* thing you do when you have a problem with an employee is revoke his access. If you can't trust someone who has that kind of access you fire them - it's that simple. And - you revoke their access *before* you fire them.

                      And you never, ever let sysadmins audit server security. They enforce security protocols, but your security audits should never be done by the same people who manage the servers. You hire someone to run a Retina scan against your servers and give *you* the report - then when your sysadmins say they've remediated all the deficiencies you run a verification scan just to make sure they've done their job.

                      If your data is that sensitive you compartmentalize it. You don't grant someone more access than they require to do their job - the person running your mail server doesn't need access to your database servers and the people managing print servers don't need access to either. You minimize your exposure and again, you don't have anybody running your network that you can't trust. There shouldn't be more than a couple of people with the keys to everything.

                      It only takes 1 minute for a casual passerby to reboot a computer, enter the Grub command-line, and type in the few commands to boot a USB drive.
                      Again, why is this server in a location where a casual passerby can do anything at all?
                      we see things not as they are, but as we are.
                      -- anais nin

                      Comment


                        #12
                        Re: How do I prevent Grub command-line boots?

                        For protecting grub2 with a password, see the links at the bottom of the post, but first things first:

                        Firstly, I'll emphasize (like others have done) that protecting grub with a password does very little to protect a machine from a local intruder (with physical access)...in some scenarios it might make sense (when a number of other security measures are also used), but as a general rule it only creates a false sense of security.

                        Passwords usually offer a fairly good protection against remote access (of course one cannot get to GRUB remotely), but physical access is root access.

                        Originally posted by perspectoff
                        Server OS instances are often hosted within virtual machines in cloud locations to which physical access cannot always be restricted.
                        Production servers are always secured from physical access...always (if they aren't you can't even talk about security). Of course the authorized admins have access to them, but a bootloader password does nothing to protect the servers from authorized access (nor will it protect against unauthorized access by people who have the means to break through the physical security measures).

                        Originally posted by perspectoff
                        It only takes 1 minute for a casual passerby to reboot a computer, enter the Grub command-line, and type in the few commands to boot a USB drive.
                        Are we talking servers or desktops here? If a casual passerby can get to your server, you're toast. And why would there be a keyboard attached to it (or the possibility to attach one).

                        If you mean a desktop, then this could be an issue, but a bootloader password means nothing if booting from external media is not disabled in the BIOS and the BIOS is not password protected. (Those won't make the computer secure either, but of course help in slowing down an intruder).

                        For desktop data security, you need encryption (which isn't 100% safe either).

                        ---

                        If you want to protect grub2 with a password (which, like I said, may make sense in some cases, but is relatively useless in most cases), you can find a short howto here and the GRUB2 manual has more up-to-date information (including how to create and set hashed passwords).

                        Setting up a superuser password will protect both edit and command-line mode with that password.


                        Comment


                          #13
                          Re: How do I prevent Grub command-line boots?

                          You know, even if a high-dollar security setup isn't an option there are a lot of things you can do to secure a server. Server-class machines should be located in locked racks in a secured area - but if we've got desktop PCs performing server duty (I really have a hard time calling something like that a server) there's still a lot you can do -
                          • set a BIOS password
                          • disable and/or disconnect optical drives and USB ports
                          • padlock the case shut
                          • bolt the server to the floor or to a table


                          Nobody who works for me needs access to server optical drives or USB ports once they're done building the server. If they need to install software on a server they map an optical drive from their workstation or copy the contents of the CD to a network drive and RDP into the server to install the software.

                          I know people who epoxy USB ports shut on classified systems. I'm content to just disable the interfaces and physically secure the machine.
                          we see things not as they are, but as we are.
                          -- anais nin

                          Comment


                            #14
                            Re: How do I prevent Grub command-line boots?

                            If you want to protect grub2 with a password (which, like I said, may make sense in some cases, but is relatively useless in most cases), you can find a short howto here and the GRUB2 manual has more up-to-date information (including how to create and set hashed passwords).

                            Setting up a superuser password will protect both edit and command-line mode with that password.
                            The computers already have hard drive access password-protected (and the password stored in the BIOS). If a hard drive is removed from the computer, it cannot easily be accessed by merely plugging it into another computer whose BIOS does not have the correct password.

                            Also, BIOS is already protected from external media or PXE-LAN boots. Still, when Grub isn't protected by a password, it is possible to use it to circumvent the BIOS restrictions.

                            The Grub2 Manual link provided (here) seems to have the best instructions for Grub2.

                            (The other link's instructions are far too involved for my purposes.)

                            In short, edit /etc/grub.d/40_custom:

                            sudo kate /etc/grub.d/40_custom

                            and add the lines

                            set superusers="user1"
                            # password_pbkdf2 user1 grub.pbkdf2.sha512.10000.biglongstringof encryptedpassword
                            password user1 unencryptedpasswordhere

                            where "user1" will be the user with permission to access the Grub2 command-line (or menu editing functions) and unencryptedpasswordhere will be the password required to access the Grub2 command-line. (The commented line is if a pbkdf2 encrypted password will be used).

                            Then
                            sudo update-grub

                            as usual.

                            This method is quite easy.

                            UbuntuGuide/KubuntuGuide

                            Right now the killer is being surrounded by a web of deduction, forensic science,
                            and the latest in technology such as two-way radios and e-mail.

                            Comment


                              #15
                              Re: How do I prevent Grub command-line boots?

                              Originally posted by perspectoff
                              I'll fiddle with it a bit -- my first tries didn't work. (Perhaps it only works in the newest version of Grub2?)
                              I gave it a try, and works as advertised on my end (with grub2 version 1.99).

                              howto test quickly:

                              1. append to /etc/grub.d/00_header:

                              cat << EOF
                              set superusers="admin"
                              password admin adminpw
                              EOF

                              2. run 'sudo update-grub'

                              After that you need to enter admin (username) and adminpw (password) to enter edit or commandline mode in grub.

                              NOTES:
                              - that only protects edit and commandline mode. If you also want to protect existing menu items, you'll have to set those up as well (it's also possible to disable the creation of "recovery mode" menu items in grub configuration /etc/default/grub)
                              - you'll likely want to have a hashed password instead of clear text.
                              - you can probably use a separate file (like /etc/grub.d/02_grubsecurity) instead of 00_header so you don't have to redo the edit if 00_header is changed during upgrade.

                              Comment
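An added example, not part of any post in this thread: a POSIX shell check that reads a generated GRUB 2 config and reports whether the superusers/password setup discussed above is present and whether each superuser's password is hashed or stored in clear text. The function name audit_grub_cfg and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a GRUB 2 config for the superuser setup from this thread.

# audit_grub_cfg [FILE]   (reads stdin when FILE is omitted)
# Prints one finding per line. Returns 0 only when superusers is set and
# every superuser has a password_pbkdf2 entry; returns 1 otherwise.
audit_grub_cfg() {
    awk '
    # set superusers="a,b"  (GRUB separates names with space , ; | or &)
    /^[ \t]*set[ \t]+superusers=/ {
        v = $0
        sub(/^[ \t]*set[ \t]+superusers=/, "", v)
        gsub(/"/, "", v)
        n = split(v, names, /[ ,;|&]+/)
        for (i = 1; i <= n; i++) if (names[i] != "") su[names[i]] = 1
    }
    # Commented-out lines start with "#" and do not match these patterns.
    /^[ \t]*password[ \t]/        { kind[$2] = "plain" }
    /^[ \t]*password_pbkdf2[ \t]/ { kind[$2] = "pbkdf2" }
    END {
        bad = 0; count = 0
        for (u in su) {
            count++
            if (!(u in kind)) {
                print "FAIL superuser " u " has no password line"; bad = 1
            } else if (kind[u] == "plain") {
                print "WARN superuser " u " uses a clear-text password"; bad = 1
            } else {
                print "OK   superuser " u " uses password_pbkdf2"
            }
        }
        if (count == 0) {
            print "FAIL superusers is not set: edit (e) and command line (c) are open"
            bad = 1
        }
        exit bad
    }' "$@"
}

# Constructed sample: the clear-text quick test described in the thread.
audit_grub_cfg <<'EOF' || echo "=> config needs attention"
set superusers="admin"
password admin adminpw
EOF
```

Run it as root against the generated /boot/grub/grub.cfg after update-grub, since that file, not the scripts in /etc/grub.d, is what GRUB reads at boot.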
