Wednesday, 27 February 2013

RHCSA: Single User Mode Security

In yesterday's blog post, I showed how it's possible to prevent users from making changes to the boot options by adding a password to the GRUB menu. For the extra paranoid, it's not a bad idea to prevent anonymous root login in single-user mode. The drawback to this is that you won't be able to log in and change your root password in the case that you might forget it. You'll be taking an additional step to protecting your system from those who have physical access to your machines though, so perhaps it's worth it, just make sure you don't forget your root password!

In order to prevent anonymous root login, you need to make a change to /etc/sysconfig/init. You'll see at the bottom of this file, a line that controls the login shell in single-user mode (in bold):

 [root@rhel6 ~]# cat /etc/sysconfig/init  
 # color => new RH6.0 bootup  
 # verbose => old-style bootup  
 # anything else => new style bootup without ANSI colors or positioning  
 BOOTUP=color  
 # column to start "[ OK ]" label in   
 RES_COL=60  
 # terminal sequence to move to that column. You could change this  
 # to something like "tput hpa ${RES_COL}" if your terminal supports it  
 MOVE_TO_COL="echo -en \\033[${RES_COL}G"  
 # terminal sequence to set color to a 'success' color (currently: green)  
 SETCOLOR_SUCCESS="echo -en \\033[0;32m"  
 # terminal sequence to set color to a 'failure' color (currently: red)  
 SETCOLOR_FAILURE="echo -en \\033[0;31m"  
 # terminal sequence to set color to a 'warning' color (currently: yellow)  
 SETCOLOR_WARNING="echo -en \\033[0;33m"  
 # terminal sequence to reset to the default color.  
 SETCOLOR_NORMAL="echo -en \\033[0;39m"  
 # Set to anything other than 'no' to allow hotkey interactive startup...  
 PROMPT=yes  
 # Set to 'yes' to allow probing for devices with swap signatures  
 AUTOSWAP=no  
 # What ttys should gettys be started on?  
 ACTIVE_CONSOLES=/dev/tty[1-6]  
 # Set to '/sbin/sulogin' to prompt for password on single-user mode  
 # Set to '/sbin/sushell' otherwise  
 SINGLE=/sbin/sushell  

The two lines above tell you all you need to know, change this line from SINGLE=/sbin/sushell to read SINGLE=/sbin/sulogin. Doing this will ensure that the root password is required to log in to the system and give you that extra bit of security beyond password protecting the GRUB menu.

Of course, there are other things that determined attacker can do if you don't harden your systems. A boot CD could by put in the optical drive and an alternate environment loaded from which tools can be run to get to your data. the first thing you should do in that case is disable booting from anything other than the hard disk in the BIOS and password protect it.

You could also encrypt the filesystem to prevent it being looked at by a person boting from a Live-CD. Another idea would be to disable the Ctrl-Alt-Del keypress in order to stop the system being rebooted by a person who hasn't logged in. I'll be looking at how to do these in a future blog post.

It goes without saying, of course, that the best way to stop your system from being attacked by somebody with physical access is to prevent physical access. Keep all doors to datacentres locked with a cipher lock and key if possible, put up some CCTV as a further deterrent and ensure that only trusted colleagues are able to gain access.


No comments:

Post a Comment