(Ubuntu:
Lesson 3)
{ Hardening the Boot
Loader, /boot/grub/grub.cfg }
Section 0.
Background Information |
- Background information.
- The following lab will show you how to prevent
a user from gaining unauthorized access to the server by editing the
grub menu during reboot.
- Prerequisite
-
Lab Notes
- In this lab we will do the following:
- We will show you how to create a grub
generated password.
- We will show you how to password
protect the grub menu.
- Legal Disclaimer
- As a condition of your use of this Web
site, you warrant to computersecuritystudent.com that you will not use
this Web site for any purpose that is unlawful or
that is prohibited by these terms, conditions, and notices.
- In accordance with UCC § 2-316, this
product is provided with "no warranties, either express or implied." The
information contained is provided "as-is", with "no guarantee of
merchantability."
- In addition, this is a teaching website
that does not condone malicious behavior of
any kind.
- You are on notice, that continuing
and/or using this lab outside your "own" test environment
is considered malicious and is against the law.
- © 2012 No content replication of any
kind is allowed without express written permission.
Section 1: Start
Ubuntu 12.04 |
- Start Ubuntu 12.04
- Instructions
- For Windows 7
- Start --> All Programs --> VMware
Player
- For Windows XP
- Starts --> Programs --> VMware
Player
- Verify Virtual Machine Settings.
- Instructions
- Click on Ubuntu 12.04
- Click on Edit virtual machine settings
- Set CD/DVD(IDE)
- Instructions
- Click on CD/DVD(IDE)
- Select radio button: Use physical drive
- Select Auto detect from the drop down
list.
- DO NOT CLICK THE OKAY BUTTON YET.
- Set Network Adapter
- Instructions
- Click on Network Adapter
- Select radio button: Bridged
- Now, Click the OK Button.
- Start the Ubuntu 12.04 VM
- Instructions
- Click on Ubuntu 12.04
- Click on Play virtual machine
Section 2: Start a
Terminal, Become Root |
- Select Environment
- Instructions
- Click on the circle
- Select GNOME Classic
- Instructions
- Click on GNOME Classic
- Provide Authentication
- Instructions
- Supply Password
- Start up a Terminal
- Instructions
- Click on the Terminal
- Become Root
- Instructions
- sudo su -
- Enter your "student" password
Section 3: Password
Protect the Grub Menu |
- Navigate to the grub configuration directory
- Instructions
- cd /etc/grub.d/
- Let's look at the grub configuration files
- Instructions
- ls -l
- Informational
- 00_header:
- 05_debian_theme:
- Set background and text colors, themes
- 10_linux:
- Locates Linux kernels based on results of
the "lsb_release" command.
- 20_memtest86+:
- If the file /boot/memtest86+.bin exists, it
is included as a menu item.
- 30_os-prober:
- Searches for Linux and OS's on other
partitions and includes them in the menu.
- 40_custom:
- A template for adding custom menu entries
which will be inserted into grub.cfg upon execution of the "update-grub"
command. This and any other custom file must be made executable to allow
importation into grub.cfg.
-
- Make a backup of the 00_header file
- Instructions
- cp 00_header 00_header.BKP
- Create Grub Password
- Instructions
- grub-mkpasswd-pbkdf2
- Enter a password
- Highlight the password
- Right Click and Copy
- Start up a Text Editor
- Instructions
- Accessories --> Text Editor
- Paste into Text Editor
- Instructions
- Edit --> Paste
- Configure Text Editor Preferences
- Instructions
- Edit --> Preference
- Configure Text Wrapping
- Instructions
- Uncheck "Do not split words over two
lines"
- Click Close
- Note(FYI):
- Notice that the password hash line is
now word wrapping.
- Edit the 00_header file
- Instructions
- vi 00_header
- Go to the last line of the file
- Instructions
- Press the <Shift> and "g" keys at the
same time.
- This will place the cursor on the
first character of the last line of the file.
- Press the <Shift> and "a" keys at the
same time.
- This will put the cursor at the end
of the line after the last character of the line.
- It will also put VI into insert
mode.
- Press <Enter>
- Press <Enter>
- Password Protect the Grub File
- Instructions (Type the
follow)
- cat << EOF
- set superusers="student"
- password_pbkdf2 student
GRUB_PASSWORD_GOES_HERE
- Highlight and Copy the Grub
Password that was pasted in the Text Editor.
- EOF
- Press the <Esc> button
- Type ":wq!"
- Update the Grub
- Instructions
- update-grub
Section 4: Testing
the Password Protected Grub Menu |
- Reboot the machine
- Boot to Grub 2 Menu
- Instructions
- Once you see the below vmware screen,
(1) Left Click in the screen and (2) press the <Shift> key.
- The Grub 2 Menu
- Instructions
- Make sure the first link is highlighted
(See Below).
- Press "e" to edit
- Enter Username and Password
- Instructions
- Enter username:
- Enter password:
- Welcome to the Grub Menu
- Notes
- Now you have successfully password
protected the Grub Menu.
- Instructions
- Press <Ctrl> and "x" to boot.
- Provide Authentication
- Instructions
- Supply Password
- Start up a Terminal
- Instructions
- Click on the Terminal
- Become Root
- Instructions
- sudo su -
- Enter your "student" password
- Proof of Lab
- Instructions
- ls -l /etc/grub.d/00_header
- grep password /etc/grub.d/00_header
- date
- echo "Your Name"
- Replace the string "Your Name" with
your actual name.
- e.g., echo "John Gray"
-
Proof of Lab Instructions
- Press both the <Ctrl> and <Alt> keys at
the same time.
- Do a <PrtScn>
- Paste into a word document
- Upload to Moodle
|
|