Wise people learn when they can; fools learn when they must - Arthur Wellesley

Sunday, 21 October 2018

LINUX- 49 SECURITY & HARDENING (BASICS) -P4 (PHYSICAL SECURITY)


IN LINUX (RHEL6 & RHEL7),

USER/LOGIN SECURITY
NETWORK SECURITY
FILE / OPERATING SYSTEM SECURITY
PHYSICAL SECURITY
LOG EVERYTHING
LOG FILE SECURITY

We have already covered USER, NETWORK and FILE/OPERATING SYSTEM SECURITY. Let's move on to PHYSICAL SECURITY.

If user, network and file/operating system security are already implemented, why is physical security still required?


Keep one basic thing in mind: everything so far protects against an outsider who has no access to the system. We implemented many controls to stop remote access; if unauthorized remote access can do that much harm, imagine what physical access can do. With physical access an attacker can boot from other media, change the kernel command line or simply take the disk, so once they have it the system is completely compromised.

Apart from data center security, consider the following:

Locking Down the BIOS
Disable booting from CD/DVD, External Devices, Floppy Drive in BIOS
Disable USB Storage Detection
Disable Ctrl+Alt+Delete
Protect GRUB with Password
Protect Single User Mode with Password
Backups

Locking Down the BIOS

The BIOS (Basic Input/Output System), or its successor UEFI (Unified Extensible Firmware Interface), is the lowest level of firmware on the machine: it initializes the hardware, holds the system configuration and decides which device is booted.
The boot loader (GRUB on RHEL6, GRUB 2 on RHEL7) is only loaded after the firmware has chosen that device, so the firmware can be configured to prevent an attacker from rebooting the host from other media and manipulating the system.

Let's set a password for the BIOS,
Reboot the system, enter BIOS setup and go to Security.
Here we can see a "Clear" flag in front of both passwords, meaning no password is set.



Set both the User and Supervisor passwords (the difference between them is explained below).



After setting both passwords, enable the password-on-boot option,



Finally, it will look like,


Save the configuration and boot the system.


We will get the screen below before booting.




The Supervisor password restricts who can enter the BIOS setup screens. The User password restricts who can continue the boot process at all: the firmware prompts for it during POST, before any boot loader or operating system is loaded. One controls access to the setup, the other controls booting; the Supervisor has unrestricted access to the BIOS, while the User cannot change most settings. Keep in mind that a BIOS password is only as strong as the case around it: with physical access it can usually be cleared by pulling the CMOS battery or setting a jumper on the board, so pair it with a locked chassis or rack and treat it as a deterrent rather than a hard control.


Disable booting from CD/DVD, External Devices, Floppy Drive in BIOS

In the same BIOS/UEFI setup, leave the internal disk as the only boot device and disable CD/DVD, USB/external and floppy boot. Together with the Supervisor password this stops someone from booting a live image, mounting the disk and reading or changing it. Check that the one-time boot menu hotkey offered by many firmwares also asks for the password.

Disable USB Storage Detection

[root@rhel7-server ~]# lsmod | grep -i usb_storage
usb_storage            66305  0

We can either remove the usb-storage driver or blacklist it.

[root@rhel7-server ~]# modprobe -r usb-storage
[root@rhel7-server ~]# lsmod | grep -i usb_storage

Permanently remove the driver,

# mv -v /lib/modules/$(uname -r)/kernel/drivers/usb/storage/usb-storage.ko /root/
‘/lib/modules/3.10.0-121.el7.x86_64/kernel/drivers/usb/storage/usb-storage.ko’ -> ‘/root/usb-storage.ko’

Now if I try to load the module (modprobe -i means --ignore-install, so this behaves the same as a plain modprobe usb-storage here),

[root@rhel7-server ~]# modprobe -i usb-storage
modprobe: ERROR: could not insert 'usb_storage': Unknown symbol in module, or unknown parameter (see dmesg)

Put it back as it was,

# mv -v /root/usb-storage.ko /lib/modules/$(uname -r)/kernel/drivers/usb/storage/
‘/root/usb-storage.ko’ -> ‘/lib/modules/3.10.0-121.el7.x86_64/kernel/drivers/usb/storage/usb-storage.ko’
[root@rhel7-server ~]#
[root@rhel7-server ~]# modprobe -i usb-storage
[root@rhel7-server ~]# lsmod | grep -i usb_storage
usb_storage            66305  0

Blacklist the module,

On RHEL6 this file exists by default; on RHEL7 it has to be created.

[root@rhel7-server ~]# vi /etc/modprobe.d/blacklist.conf
blacklist usb-storage

Reboot the system and check for usb-storage,

[root@rhel7-server ~]# lsmod | grep -i usb_storage

But root can still load the module and override the blacklist, because a blacklist line only stops automatic loading by alias (when a USB disk is plugged in); an explicit modprobe ignores it. An install override in modprobe.d that runs /bin/true instead of the module stops a plain modprobe, but root can still bypass that with modprobe --ignore-install or insmod, so only removing the .ko (as above) stops a root user.

[root@rhel7-server ~]# modprobe -i usb-storage
[root@rhel7-server ~]# lsmod | grep -i usb_storage
usb_storage            66305  0
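As an added example, not code from the original post, the following shell functions put the weak blacklist setting next to the stronger install override and report which of the two a modprobe.d directory actually contains. The function names and the file names they write are assumptions made for this example; the directory in the usage note is the standard RHEL path.

```shell
#!/bin/sh
# Added example, not from the original post: the weak "blacklist" setting
# next to the stronger "install" override for usb-storage, plus a check that
# reports which of the two a modprobe.d directory actually contains.
#
# Why two settings:
#  - "blacklist usb-storage" only stops the module being loaded automatically
#    by alias (when a USB disk is plugged in); an explicit modprobe still
#    loads it, which is exactly what the test above showed.
#  - "install usb-storage /bin/true" tells modprobe to run /bin/true instead
#    of loading the module, so a plain "modprobe usb-storage" loads nothing.
#  - root can still bypass both with "modprobe --ignore-install" or insmod;
#    only removing the .ko (or not having root) closes that.
# The file names written below are assumptions for this example.

# usb_policy_write_weak DIR: the setting from the post (alias loading only)
usb_policy_write_weak() {
    printf 'blacklist usb-storage\n' > "$1/blacklist.conf"
}

# usb_policy_write_strong DIR: blacklist plus the install override
usb_policy_write_strong() {
    {
        printf 'blacklist usb-storage\n'
        printf 'install usb-storage /bin/true\n'
    } > "$1/usb-storage.conf"
}

# usb_policy_level DIR: prints "install", "blacklist" or "none".
# Reads every *.conf in DIR roughly the way modprobe does: comments are
# ignored and usb_storage / usb-storage are the same module name.
usb_policy_level() {
    found=$(
        for f in "$1"/*.conf; do
            [ -f "$f" ] || continue
            sed -e 's/#.*//' -e 's/usb_storage/usb-storage/g' "$f" |
            while read -r directive module action; do
                case "$directive:$module:$action" in
                    install:usb-storage:/bin/true|install:usb-storage:/bin/false)
                        echo install ;;
                    blacklist:usb-storage:)
                        echo blacklist ;;
                esac
            done
        done
    )
    case "$found" in
        *install*)   echo install ;;
        *blacklist*) echo blacklist ;;
        *)           echo none ;;
    esac
}

# Usage on a real host (as root):
#   usb_policy_level /etc/modprobe.d          # what is in effect now
#   usb_policy_write_strong /etc/modprobe.d   # then: modprobe -r usb-storage
```

Run usb_policy_level against /etc/modprobe.d after the blacklist step above and it reports "blacklist"; after writing the install override it reports "install". Neither result means root is locked out, only that automatic and casual loading is.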

Disable Ctrl+Alt+Delete

By default, pressing Ctrl+Alt+Delete on a Linux console reboots the system, which lets anyone at the keyboard force a reboot (and then boot from other media or into single user mode) without logging in.

DISABLE IN RHEL6

# cp /etc/init/control-alt-delete.conf /etc/init/control-alt-delete.conf.ORG
[root@rhel6-server ~]# vi /etc/init/control-alt-delete.conf

#start on control-alt-delete  << Comment this

#exec /sbin/shutdown -r now "Control-Alt-Delete pressed"  << Comment this

DISABLE IN RHEL7

[root@rhel7-server ~]# systemctl mask ctrl-alt-del.target

Masking links the target to /dev/null, so it cannot be started when the kernel passes the key combination to systemd.

Protect GRUB with Password

PROTECT GRUB IN RHEL6

[root@rhel6-server ~]# grub-md5-crypt
Password:
Retype password:
$1$Yr3d40$Eswvs6AmvRSI2zmMWelt.0  << Note down this hash

Back up grub.conf and insert the password line above the first title entry; GRUB then asks for it before letting anyone edit an entry or open its command line, while the listed kernels still boot normally.

[root@rhel6-server ~]# cp /boot/grub/grub.conf /boot/grub/grub.conf.ORG
[root@rhel6-server ~]# vi /boot/grub/grub.conf
# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes to this file
# NOTICE:  You have a /boot partition.  This means that
#          all kernel and initrd paths are relative to /boot/, eg.
#          root (hd0,0)
#          kernel /vmlinuz-version ro root=/dev/sda2
#          initrd /initrd-[generic-]version.img
#boot=/dev/sda
default=0
timeout=5
password --md5 $1$Yr3d40$Eswvs6AmvRSI2zmMWelt.0  << insert this, above the first title so it applies to the whole menu
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
title Red Hat Enterprise Linux (2.6.32-358.el6.x86_64)
        root (hd0,0)
        kernel /vmlinuz-2.6.32-358.el6.x86_64 ro root=UUID=e97346c7-ec21-4169-89be-4d31a2632048 rd_NO_LUKS rd_NO_LVM LANG=en_US.UTF-8 rd_NO_MD SYSFONT=latarcyrheb-sun16  KEYBOARDTYPE=pc KEYTABLE=us rd_NO_DM rhgb quiet
        initrd /initramfs-2.6.32-358.el6.x86_64.img

PROTECT GRUB IN RHEL7

[root@rhel7-server ~]# grub2-mkpasswd-pbkdf2
Enter password:
Reenter password:
PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.54802816B75C416D2D0B9BAE52E847409225D35E076C17FBA84559A800762AE6A0224B651ECAE37286323EA6D8888A2C5DD5EE1A465134627203DFA01B474C88.5C37D67613809BA864FE8BBCC0ECE3265180700E668A18183CA5A200DE642924D01CA88650661F0C93AE38701B9A46151D3D51099AAD42BA42A17AF5BC15EF13

# cp /boot/grub2/grub.cfg /boot/grub2/grub.cfg.ORG
cp: cannot create regular file ‘/boot/grub2/grub.cfg.ORG’: Read-only file system

We already mounted /boot read-only in the previous part. Remount it read-write (and set it back to read-only once the GRUB changes are done), then repeat the copy:

# cp /boot/grub2/grub.cfg /boot/grub2/grub.cfg.ORG
[root@rhel7-server ~]# cp /etc/grub2.cfg /etc/grub2.cfg.ORG
[root@rhel7-server ~]# vi /etc/grub2.cfg

Search for the following entry,

### BEGIN /etc/grub.d/10_linux ###

and paste the following directly under that line (the hash is one long token and must stay on a single line):

set superusers="root"
export superusers
password_pbkdf2 root grub.pbkdf2.sha512.10000.54802816B75C416D2D0B9BAE52E847409225D35E076C17FBA84559A800762AE6A0224B651ECAE37286323EA6D8888A2C5DD5EE1A465134627203DFA01B474C88.5C37D67613809BA864FE8BBCC0ECE3265180700E668A18183CA5A200DE642924D01CA88650661F0C93AE38701B9A46151D3D51099AAD42BA42A17AF5BC15EF13

Note that /etc/grub2.cfg is a symlink to /boot/grub2/grub.cfg, which grub2-mkconfig regenerates from /etc/grub.d and /etc/default/grub, so a hand edit is lost the next time that is run. The durable way is to put these three lines in /etc/grub.d/40_custom and regenerate the config; later RHEL7 releases also ship grub2-setpassword, which stores the hash in /boot/grub2/user.cfg.

Now reboot the system to check.

Stop at the boot menu, select a kernel and press "e".
You will be prompted for the username first and then the password. Booting an entry without pressing "e" still works without a password, because the menu entries generated by RHEL7's /etc/grub.d/10_linux carry the --unrestricted flag; only editing entries and the GRUB command line are protected. An entry without that flag would ask for the password on every boot, which breaks unattended reboots.





Protect Single User Mode with Password

PROTECT SINGLE USER MODE IN RHEL6

[root@rhel6-server ~]# cp /etc/inittab /etc/inittab.ORG
[root@rhel6-server ~]# vi /etc/inittab
# Default runlevel. The runlevels used are:
#   0 - halt (Do NOT set initdefault to this)
#   1 - Single user mode
#   2 - Multiuser, without NFS (The same as 3, if you do not have networking)
#   3 - Full multiuser mode
#   4 - unused
#   5 - X11
#   6 - reboot (Do NOT set initdefault to this)
#
su:S:wait:/sbin/sulogin  << Insert this
id:5:initdefault:

Note that on RHEL6 init is upstart, which reads only the initdefault line from /etc/inittab (the header of the RHEL6 inittab states this), so this line by itself does nothing. It is the /etc/sysconfig/init change below that makes single user mode ask for the root password.

[root@rhel6-server ~]# cp /etc/sysconfig/init /etc/sysconfig/init.ORG
[root@rhel6-server ~]# vi /etc/sysconfig/init

SINGLE=/sbin/sushell << Delete this (the RHEL6 default)
SINGLE=/sbin/sulogin << Insert this

PROTECT SINGLE USER MODE IN RHEL7

[root@rhel7-server ~]# cp /etc/sysconfig/init /etc/sysconfig/init.ORG
[root@rhel7-server ~]# vi /etc/sysconfig/init
SINGLE=/sbin/sulogin << Insert this at the end

The test below shows this taking effect here. Also check what rescue.service and emergency.service in /usr/lib/systemd/system run as ExecStart: on RHEL7 those units are where systemd starts the rescue shell, and both should run /usr/sbin/sulogin.

Great, let's check.

Select the kernel, press "e", add "single" at the end of the kernel line and press ctrl+x.


It is asking for password,



Provide the password and get login,



If I do not provide a password and press ctrl+d, it boots to the normal run level (3).



That's nice; it seems we reached our goal. Now let's check another case, with "SINGLE=/sbin/sulogin" still in place in "/etc/sysconfig/init".


Now, instead of appending "single", I change something else on the kernel line.

Go to the marked box and change,


"ro" to "rw init=/sysroot/bin/sh", then press ctrl+x.



Now see the result: init= replaced the init process itself, so sulogin never ran and we get a root shell without being asked for any password.



So in RHEL7 it is not enough to protect single user mode: anyone who can edit the kernel line can bypass sulogin entirely with init=. Protect GRUB with a password (above); sulogin then only covers the legitimate rescue path.
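As an added example (not code from the original post), here are shell helpers covering the GRUB sections for RHEL6 and RHEL7 and the single user mode check above. The function names are my own, and every file content fed to them while trying them out is constructed; the paths in the usage note are the standard RHEL locations.

```shell
#!/bin/sh
# Added example, not from the original post: helpers for the GRUB and
# single-user-mode steps above, written as functions so each piece can be
# checked on its own. Sample file contents fed to them are constructed.
#
#  grub2_hash_ok       the grub2-mkpasswd-pbkdf2 hash is a single token;
#                      one that got wrapped onto two lines will not verify
#  grub2_user_fragment the superusers/password_pbkdf2 lines, meant for
#                      /etc/grub.d/40_custom so grub2-mkconfig keeps them
#                      (a hand-edited /etc/grub2.cfg is overwritten by the
#                      next grub2-mkconfig run)
#  grub2_audit         checks a generated grub.cfg for the password lines
#                      and counts menu entries lacking --unrestricted; with
#                      superusers set those prompt at every boot, not only
#                      when editing, which breaks unattended reboots
#  grub_legacy_audit   RHEL6 grub.conf: the "password --md5" line must sit
#                      above the first "title" to protect the whole menu
#  sulogin_audit       does a systemd unit's ExecStart run sulogin? (rescue
#                      and emergency mode on RHEL7 are started by units)

grub2_hash_ok() {
    printf '%s' "$1" |
    grep -Eq '^grub\.pbkdf2\.sha512\.[0-9]+\.[0-9A-Fa-f]+\.[0-9A-Fa-f]+$'
}

grub2_user_fragment() {   # USER HASH -> the three lines for 40_custom
    grub2_hash_ok "$2" || { echo "malformed pbkdf2 hash" >&2; return 1; }
    printf 'set superusers="%s"\nexport superusers\npassword_pbkdf2 %s %s\n' \
        "$1" "$1" "$2"
}

grub2_audit() {           # FILE -> 0 only if superusers + pbkdf2 password set
    rc=0
    grep -Eq '^[[:space:]]*set superusers=' "$1" ||
        { echo "$1: no superusers set"; rc=1; }
    grep -Eq '^[[:space:]]*password_pbkdf2 [^[:space:]]+ grub\.pbkdf2\.' "$1" ||
        { echo "$1: no password_pbkdf2 line"; rc=1; }
    n=$(grep -E '^[[:space:]]*menuentry ' "$1" | grep -vc -- '--unrestricted' || true)
    echo "$1: menu entries that will prompt at boot: $n"
    return $rc
}

grub_legacy_audit() {     # FILE (legacy grub.conf) -> 0 if a global password line exists
    awk '/^[[:space:]]*title[[:space:]]/ { exit }
         /^[[:space:]]*password[[:space:]]+--md5[[:space:]]/ { found = 1 }
         END { exit !found }' "$1"
}

sulogin_audit() {         # UNIT... -> 0 if every unit's ExecStart runs sulogin
    rc=0
    for u in "$@"; do
        if grep -Eq '^ExecStart=.*sulogin' "$u"; then
            echo "$u: ExecStart runs sulogin"
        else
            echo "$u: ExecStart does NOT run sulogin"; rc=1
        fi
    done
    return $rc
}

# Usage on a RHEL7 host (as root), with the hash printed by grub2-mkpasswd-pbkdf2:
#   mount -o remount,rw /boot
#   grub2_user_fragment root 'grub.pbkdf2.sha512.10000....' >> /etc/grub.d/40_custom
#   grub2-mkconfig -o /boot/grub2/grub.cfg
#   grub2_audit /boot/grub2/grub.cfg
#   sulogin_audit /usr/lib/systemd/system/rescue.service \
#                 /usr/lib/systemd/system/emergency.service
#   mount -o remount,ro /boot
# On RHEL6: grub_legacy_audit /boot/grub/grub.conf
```

grub2_audit is the check to rerun after every grub2-mkconfig, since that is the moment a hand-edited grub.cfg silently loses its password lines; a non-zero "prompt at boot" count is the signal that a custom entry was added without --unrestricted and will block unattended reboots.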

Backup

This is the last resort if everything else is compromised, so don't take it lightly: configure regular backups of all important data and configuration files. Backups can be made with existing system tools such as tar and scp; rsync saves bandwidth by transferring only the changes. Better still is a complete backup on media kept offline, such as tape. Since a backup contains everything on the system, store and transport it as securely as the system itself.

Is that it?

No. At least test restoring the backup in a simulated environment or a lab wherever possible; checking it is a must.

1 comment:

  1. Going going going...and it never ends. So much precise knowledge sharing takes so much effort, I can feel it though I am the reader only.
