BIOS and Bootloader passwords
The exercise to perform
BIOS passwords
Boot your system. Look for a screen message that indicates a keystroke you can make in order to enter "bios" or "setup" or "configuration." Hit the key and see if you can get in. If so, look around and see if there's a password feature that would let you apply a password, so that nobody could get in (or use the facility) without giving the password. Just observe. Please do not set any password or change anything else.
Bootloader passwords
GRUB is the default bootloader in the Fedora and Red Hat distributions of Linux. It's possible to apply a GRUB password to protect certain GRUB features. Let's exercise a password-preventable feature and see what might be undesirable about it. Boot your system. When you reach the GRUB screen, read the text below the menu. Press "a" to modify kernel parameters before booting. A line of text appears. Append to the end of it a space and the word "single". Then press enter and watch the system boot. It reaches a shell prompt. Find out who you are:
whoami
What password did you give to get here? Perhaps that's a security problem. Perhaps we should do something to prevent it. Here's what you can do about it:
As root, set a GRUB password.
[root@CHANG ~]# grub-md5-crypt | tee temp
Password:
Retype password:
$1$i1zbK1$b2GoV7uKOE5t9jLLGpHSY1
[root@CHANG ~]#
Enter the word "password" at the two prompts. The prompts and the hashed password string will end up in the file named temp (because of "tee"). Edit file temp, removing the prompts and adding text so it reads something very similar to this (the actual password string won't be identical):
password --md5 $1$i1zbK1$b2GoV7uKOE5t9jLLGpHSY1
Insert this line into GRUB's configuration file /boot/grub/grub.conf near the top, below the "timeout" line. (Use vi's ":r" command to embed the content of one file in another, or copy and paste with a GUI editor.) Now reboot once again. When you reach the GRUB screen, read the text below the menu. It has changed. It no longer offers you the "a" option to modify kernel parameters. Press "p" to elicit a password prompt. Give the password. Now observe the text below the menu.
It now requires a password to do what you did before. Before concluding, take the "password..." line you put into GRUB's configuration file back out. Gain a shell either by passing "single" to the kernel as before, or by booting through normally. Once in the shell, edit the line out of the file.
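To check whether a grub.conf actually carries the menu-locking password line described in this exercise, the following script can be used. It is an added example, not part of the original exercise; the function name audit_grub_conf and its status words are assumptions, and the sample configuration is constructed (it reuses the example hash shown above).

```shell
#!/bin/sh
# audit_grub_conf FILE prints one of:
#   protected   - "password --md5 <hash>" appears before the first "title"
#   weak        - a global "password" line exists but is not an MD5-crypt hash
#   unprotected - no global password line (a password inside a "title" entry
#                 guards only that entry, not the menu's edit keys)
#   unreadable  - file missing or not readable by the current user
audit_grub_conf() {
    conf=$1
    [ -r "$conf" ] || { echo unreadable; return 2; }
    awk '
        /^[ \t]*#/    { next }   # commented-out lines do not count
        $1 == "title" { exit }   # global section ends at the first menu entry
        $1 == "password" {
            if ($2 == "--md5" && $3 ~ /^\$1\$/) state = "protected"
            else if (state != "protected")       state = "weak"
        }
        END { print (state == "" ? "unprotected" : state) }
    ' "$conf"
}

# Constructed sample in the layout the exercise produces.
sample=$(mktemp)
cat > "$sample" <<'EOF'
default=0
timeout=5
password --md5 $1$i1zbK1$b2GoV7uKOE5t9jLLGpHSY1
title Fedora
        root (hd0,0)
        kernel /vmlinuz ro root=/dev/sda2
EOF
echo "sample config: $(audit_grub_conf "$sample")"

# On the lab machine, as root:
#   audit_grub_conf /boot/grub/grub.conf
```

Run it before adding the line, after adding it, and again after removing it at the end of the exercise; the result should go from unprotected to protected and back.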