ComputerSecurityStudent (CSS) [Login] [Join Now]




|UNIX >> Ubuntu >> Ubuntu 12.04 Desktop >> Current Page |Views: 18068

(Ubuntu: Lesson 3)

{ Hardening the Boot Loader, /boot/grub/grub.cfg }


Section 0. Background Information
  1. Background information.
    • The following lab will show you how to prevent a user from gaining unauthorized access to the server by editing the grub menu during reboot.

  2. Prerequisite
  3. Lab Notes
    • In this lab we will do the following:
      1. We will show you how to create a grub generated password.
      2. We will show you how to password protect the grub menu.

  4. Legal Disclaimer
    • As a condition of your use of this Web site, you warrant to computersecuritystudent.com that you will not use this Web site for any purpose that is unlawful or that is prohibited by these terms, conditions, and notices.
    • In accordance with UCC § 2-316, this product is provided with "no warranties, either express or implied." The information contained is provided "as-is", with "no guarantee of merchantability."
    • In addition, this is a teaching website that does not condone malicious behavior of any kind.
    • You are on notice, that continuing and/or using this lab outside your "own" test environment is considered malicious and is against the law.
    • © 2012 No content replication of any kind is allowed without express written permission.

     

Section 1: Start Ubuntu 12.04
  1. Start Ubuntu 12.04
    • Instructions
      1. For Windows 7
        • Start --> All Programs --> VMware Player
      2. For Windows XP
        • Starts --> Programs --> VMware Player

     

  2. Verify Virtual Machine Settings.
    • Instructions
      1. Click on Ubuntu 12.04
      2. Click on Edit virtual machine settings

     

  3. Set CD/DVD(IDE)
    • Instructions
      1. Click on CD/DVD(IDE)
      2. Select radio button: Use physical drive
      3. Select Auto detect from the drop down list.
      4. DO NOT CLICK THE OKAY BUTTON YET.

     

  4. Set Network Adapter
    • Instructions
      1. Click on Network Adapter
      2. Select radio button: Bridged
      3. Now, Click the OK Button.

     

  5. Start the Ubuntu 12.04 VM
    • Instructions
      1. Click on Ubuntu 12.04
      2. Click on Play virtual machine

 

Section 2: Start a Terminal, Become Root
  1. Select Environment
    • Instructions
      1. Click on the circle

     

  2. Select GNOME Classic
    • Instructions
      1. Click on GNOME Classic

     

  3. Provide Authentication
    • Instructions
      1. Supply Password

     

  4. Start up a Terminal
    • Instructions
      1. Click on the Terminal

     

  5. Become Root
    • Instructions
      1. sudo su -
      2. Enter your "student" password

 

Section 3: Password Protect the Grub Menu
  1. Navigate to the grub configuration directory
    • Instructions
      1. cd /etc/grub.d/

     

  2. Let's look at the grub configuration files
    • Instructions
      1. ls -l
    • Informational
      • 00_header:
        • Password Protection.
      • 05_debian_theme:
        • Set background and text colors, themes
      • 10_linux:
        • Locates Linux kernels based on results of the "lsb_release" command.
      • 20_memtest86+:
        • If the file /boot/memtest86+.bin exists, it is included as a menu item.
      • 30_os-prober:
        • Searches for Linux and OS's on other partitions and includes them in the menu.
      • 40_custom:
        • A template for adding custom menu entries which will be inserted into grub.cfg upon execution of the "update-grub" command. This and any other custom file must be made executable to allow importation into grub.cfg.

     

  3. Make a backup of the 00_header file
    • Instructions
      1. cp 00_header 00_header.BKP

     

  4. Create Grub Password
    • Instructions
      1. grub-mkpasswd-pbkdf2
      2. Enter a password
      3. Highlight the password
      4. Right Click and Copy

     

  5. Start up a Text Editor
    • Instructions
      1. Accessories --> Text Editor

     

  6. Paste into Text Editor
    • Instructions
      1. Edit --> Paste

     

  7. Configure Text Editor Preferences
    • Instructions
      1. Edit --> Preference

     

  8. Configure Text Wrapping
    • Instructions
      1. Uncheck "Do not split words over two lines"
      2. Click Close
    • Note(FYI):
      1. Notice that the password hash line is now word wrapping.

     

  9. Edit the 00_header file
    • Instructions
      1. vi 00_header

     

  10. Go to the last line of the file
    • Instructions
      1. Press the <Shift> and "g" keys at the same time.
        • This will place the cursor on the first character of the last line of the file.
      2. Press the <Shift> and "a" keys at the same time.
        • This will put the cursor at the end of the line after the last character of the line.
        • It will also put VI into insert mode.
      3. Press <Enter>
      4. Press <Enter>

     

  11. Password Protect the Grub File
    • Instructions (Type the follow)
      1. cat << EOF
      2. set superusers="student"
      3. password_pbkdf2 student GRUB_PASSWORD_GOES_HERE
        • Highlight and Copy the Grub Password that was pasted in the Text Editor.
      4. EOF
      5. Press the <Esc> button
      6. Type ":wq!"

     

  12. Update the Grub
    • Instructions
      1. update-grub

 

 

Section 4: Testing the Password Protected Grub Menu
  1. Reboot the machine
    • Instructions
      1. reboot

     

  2. Boot to Grub 2 Menu
    • Instructions
      1. Once you see the below vmware screen, (1) Left Click in the screen and (2) press the <Shift> key.

     

  3. The Grub 2 Menu
    • Instructions
      1. Make sure the first link is highlighted (See Below).
      2. Press "e" to edit

     

  4. Enter Username and Password
    • Instructions
      1. Enter username:
      2. Enter password:

     

  5. Welcome to the Grub Menu
    • Notes
      • Now you have successfully password protected the Grub Menu.
    • Instructions
      1. Press <Ctrl> and "x" to boot.

     

Section 5: Proof of Lab
  1. Provide Authentication
    • Instructions
      1. Supply Password

     

  2. Start up a Terminal
    • Instructions
      1. Click on the Terminal

     

  3. Become Root
    • Instructions
      1. sudo su -
      2. Enter your "student" password

     

  4. Proof of Lab
    • Instructions
      1. ls -l /etc/grub.d/00_header
      2. grep password /etc/grub.d/00_header
      3. date
      4. echo "Your Name"
        • Replace the string "Your Name" with your actual name.
        • e.g., echo "John Gray"
    • Proof of Lab Instructions
      1. Press both the <Ctrl> and <Alt> keys at the same time.
      2. Do a <PrtScn>
      3. Paste into a word document
      4. Upload to Moodle

     



Help ComputerSecurityStudent
pay for continued research,
resources & bandwidth