The master boot record (MBR) is a small, dedicated section at the beginning of the hard disk which holds the boot information and partition layout for the whole disk. The MBR itself is only a single physical sector in lenght (512 bytes)
Showing posts with label Linux kernel. Show all posts
Showing posts with label Linux kernel. Show all posts
Monday, January 23, 2012
Why and How to password Protect Linux Grub
GRUB is the 3rd stage in the Linux Boot Process that we discussed earlier.
Grub security features allows you to set a password to the grub entries. Once you set a password, you cannot edit any grub entries, or pass arguments to the kernel from the grub command line without entering the password.
It is highly recommended to set GRUB password on any critical production systems as explained in the article.
On a system where GRUB is not secured with the password, the following message will be displayed right under the GRUB menu during the system startup.
"
Press enter to boot the selected OS,
'e' to edit the commands before booting,
'a' to modify the kernel arguments before booting, or
'c' for a command-line
"
As you see from this message, anybody who is in front of the console rebooting the server, can edit the grub commands, or even modify the kernel arguments, which probably will cause problems, if someone who doesn’t know what they are doing, plays around with this on production systems.
Enter the Password command in grub.conf
/boot/grub/grub.conf contains information about the entries that are displayed in the GRUB menu during system startup. On some systems, /etc/grub.conf is a symbolic link to /boot/grub/grub.conf.
Add the following “password” line to the grub.conf file
"
$ cat /etc/grub.conf
default=0
timeout=15
password GrbPwd4SysAd$
..
"
Once the “password” command is added to the grub.conf, the following message will be displayed right under the GRUB menu during the system startup.
"
Press enter to boot the selected OS or
'p' to enter a password to unlock the next set of features.
"
Encrypt password using grub-crypt
You can use grub-crypt utility to create an encrypted password.
"
# grub-crypt
Password: GrbPwd4SysAd$
Retype password: GrbPwd4SysAd$
^9^32kwzzX./3WISQ0C
"
Modify the grub.conf file, add the “password” entry with the –encrypted argument as shown below.
"
$ cat /etc/grub.conf
default=0
timeout=15
password --encrypted ^9^32kwzzX./3WISQ0C
..
"
By default, the grub-crypt command encrypts the password using SHA-512 algorithm. You can also
encrypt the password either using SHA-256 or MD5 alrogithms as shown below.
"
# grub-crypt –sha-256
# grub-crypt –md5
"
You can also use md5crypt to encrypt the password. In that case, you should use “password –md5 encrypted-password” in your grub.conf file.
What is linux kernel
"The kernel constitutes the core part of the linux operating system."
Kernel Duties
Three kernel virsions available for x86
#modprobe can load and unload module
#insmod will also load dependencies automatically
#modprobe -r To remove a currently loaded module
Kernel Duties
- System initialization :-- Detects hardware resources and boots up the system.
- Process Scheduling :-- Determines when processes should run and for how long.
- Memory Management :-- Allocates memory on behalf of running processes.
- Security :-- Constantly verifies filesystem permissions, SELinux contexts and firwell rules.
- Provides buffers and caches to speed up hardware access.
- Implements standard network protocols and filesystem formats.
Three kernel virsions available for x86
- Regular :-- One or more processors but 4GB Ram or less.
- PFA :-- Multiple processors and up to 64GB of ram.
- Xen :-- Needed for virtualization
- Kernel always installed under /boot/vmlinuz
- kernel modules are located under /lib/modules/.
- Some basic Commands
#modprobe can load and unload module
#insmod will also load dependencies automatically
#modprobe -r To remove a currently loaded module
Subscribe to:
Posts (Atom)