Linux.com

Added discussion

Posted by: Anonymous Coward on April 26, 2006 08:48 AM
Great article. I just wanted to add 3 points as I work on servers and have more stringent security needs.

1) I always change the boot order to disable booting from any device other than the hard drive. The BIOS must be password protected to prevent anyone with physical access from "inadvertently" changing it back.

2) I make sure that single user mode prompts for the root password. I add the following line in /etc/inittab:

su:S:wait:/sbin/sulogin /dev/console

3) I always want my server to reboot, without intervention, to a known runlevel. For a server, it is usually run level 3, 5 for a workstation. By not password protecting the default boot choice, it will always boot correctly without my being there. I still protect grub by putting a password in the global section. This prevents any editing. The other passwords in the non-standard boot configuration keep others from booting to any of the others.

Here is a sample grub configuration from my RHEL44 setup:

#boot=/dev/hda
default=0
timeout=5
splashimage=(hd0,0)/grub/splash.xpm.gz
password --md5 $1$dFjAP1$9ya5OiKz/rsTMIZPt7eNn.
title Normal Boot
        root (hd0,0)
        kernel /vmlinuz-2.6.9-22.EL ro root=/dev/mapper/VolGroup00-LogVol00 3
        initrd /initrd-2.6.9-22.EL.img
title Graphical Boot
        password --md5 $1$dFjAP1$9ya5OiKz/rsTMIZPt7eNn.
        root (hd0,0)
        kernel /vmlinuz-2.6.9-22.EL ro root=/dev/mapper/VolGroup00-LogVol00 5
        initrd /initrd-2.6.9-22.EL.img
title Single User Mode
        password --md5 $1$dFjAP1$9ya5OiKz/rsTMIZPt7eNn.
        root (hd0,0)
        kernel /vmlinuz-2.6.9-22.EL ro root=/dev/mapper/VolGroup00-LogVol00 1
        initrd /initrd-2.6.9-22.EL.img

Good luck and thanks again for the article.

Return to Enhance boot-time security with GRUB passwords
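
An added example, not part of the comment above or of the original article: a small Python audit of a GRUB legacy configuration that checks the scheme the comment describes (global password present, default entry left unprotected for unattended reboots, every other entry password-protected). The sample config, its placeholder hash and the function names `parse` and `audit` are constructed for illustration.

```python
import re

# Constructed sample in GRUB legacy syntax; the hash is a placeholder.
SAMPLE = """\
default=0
timeout=5
password --md5 $1$PLACEHOLDER$xxxxxxxxxxxxxxxxxxxxxx
title Normal Boot
    kernel /vmlinuz ro root=/dev/mapper/VolGroup00-LogVol00 3
title Graphical Boot
    password --md5 $1$PLACEHOLDER$xxxxxxxxxxxxxxxxxxxxxx
    kernel /vmlinuz ro root=/dev/mapper/VolGroup00-LogVol00 5
title Single User Mode
    kernel /vmlinuz ro root=/dev/mapper/VolGroup00-LogVol00 1
"""

def parse(text):
    """Split the config into global directives and per-title entries."""
    glob, entries = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key, val = parts[0], (parts[1] if len(parts) > 1 else "")
        if key == "title":
            entries.append({"title": val})
        else:  # directives before the first title are global
            (entries[-1] if entries else glob)[key] = val
    return glob, entries

def audit(text):
    """Return findings where the config departs from the comment's scheme."""
    glob, entries = parse(text)
    findings = []
    d = glob.get("default", "0")
    default = int(d) if d.isdigit() else None
    if "password" not in glob:
        findings.append("no global password: entries can be edited at the menu")
    for i, e in enumerate(entries):
        protected = "password" in e or "lock" in e  # lock: GRUB legacy directive
        if i == default and protected:
            findings.append(f"default entry '{e['title']}' is password-protected")
        elif i != default and not protected:
            findings.append(f"'{e['title']}' boots without a password")
    for scope in [glob] + entries:
        pw = scope.get("password")
        if pw and not pw.startswith("--md5"):
            findings.append("plaintext password in config (no --md5)")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

On the constructed sample this reports only the unprotected "Single User Mode" entry, the one place it departs from the comment's layout.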