Practice Exercise: Securing the Boot Process and Hardware Resources in Linux

Objectives

  • Learn about securing the boot process to protect against unauthorized access.
  • Understand methods to secure hardware resources and prevent unauthorized access.
  • Explore techniques for enhancing local security principles in Linux.

Scenario

Securing the boot process and hardware resources is essential for maintaining the overall security of a Linux system. In this exercise, you will delve into the principles of securing the boot process and learn about strategies to protect hardware resources from unauthorized access. These practices will help ensure the integrity and confidentiality of your Linux systems.

Tasks

Task 1: Secure Boot Process

  • Explain the importance of securing the boot process in Linux.
  • Discuss potential vulnerabilities during the boot phase.
  • Describe methods to protect the boot loader and boot configuration.
  • Demonstrate how to set a boot loader password to prevent unauthorized changes.
    [intern@intern-a1t-inf-lnx1 ~]$ sudo cat /etc/default/grub 
    GRUB_TIMEOUT=5
    GRUB_DISTRIBUTOR="$(sed 's, release .*$,,g' /etc/system-release)"
    GRUB_DEFAULT=0
    GRUB_DISABLE_SUBMENU=true
    GRUB_TERMINAL_OUTPUT="console"
    GRUB_CMDLINE_LINUX="console=ttyS0,19200n8 net.ifnames=0 scsi_mod.scan=sync crashkernel=auto rhgb "
    GRUB_DISABLE_RECOVERY="true"
    GRUB_ENABLE_BLSCFG=true
    GRUB_TERMINAL=serial
    GRUB_DISABLE_OS_PROBER=true
    GRUB_SERIAL_COMMAND="serial --speed=19200 --unit=0 --word=8 --parity=no --stop=1"
    GRUB_DISABLE_UUID=true
    GRUB_GFXPAYLOAD_LINUX=text
    
  • Setting up a GRUB password may differ depending on the Linux distribution you're using. Here's how to do it on CentOS:
    [intern@intern-a1t-inf-lnx1 ~]$ sudo grub2-setpassword
    [intern@intern-a1t-inf-lnx1 ~]$ sudo grub2-mkconfig -o /boot/grub2/grub.cfg
    
  • To check that the password was set, look at /boot/grub2/user.cfg:
    GRUB2_PASSWORD=grub.pbkdf2.sha512.10000.<redacted>
    
  • To remove GRUB password protection, simply delete the /boot/grub2/user.cfg file.

Task 2: Kernel Security

  • Explore kernel security features and their significance.
  • Discuss techniques for restricting kernel parameters using boot options.
  • Explain how to limit kernel module loading and set module loading parameters.
  • Demonstrate how to configure kernel security settings.
    [intern@intern-a1t-inf-lnx1 ~]$ sudo sysctl -a | grep kernel | tail
    kernel.unprivileged_bpf_disabled = 2
    kernel.unprivileged_userns_clone = 1
    kernel.usermodehelper.bset = 4294967295 511
    kernel.usermodehelper.inheritable = 4294967295  511
    kernel.version = #1 SMP PREEMPT_DYNAMIC Wed Apr  5 15:30:32 EDT 2023
    kernel.warn_limit = 0
    kernel.watchdog = 1
    kernel.watchdog_cpumask = 0
    kernel.watchdog_thresh = 10
    kernel.yama.ptrace_scope = 0
    
    [intern@intern-a1t-inf-lnx1 ~]$ sudo sysctl -a | grep randomize
    kernel.randomize_va_space = 2
    
    [intern@intern-a1t-inf-lnx1 ~]$ sudo sysctl -w kernel.randomize_va_space=4
    kernel.randomize_va_space = 4
    [intern@intern-a1t-inf-lnx1 ~]$ sudo sysctl -a | grep randomize
    kernel.randomize_va_space = 4
    
  • To make the change persist across reboots, edit /etc/sysctl.conf and add the line kernel.randomize_va_space = 4:
    [intern@intern-a1t-inf-lnx1 ~]$ sudo vim /etc/sysctl.conf
    ...
    <edit output redacted>
    ...
    
    [intern@intern-a1t-inf-lnx1 ~]$ cat /etc/sysctl.conf
    # sysctl settings are defined through files in
    # /usr/lib/sysctl.d/, /run/sysctl.d/, and /etc/sysctl.d/.
    #
    # Vendors settings live in /usr/lib/sysctl.d/.
    # To override a whole file, create a new file with the same in
    # /etc/sysctl.d/ and put new settings there. To override
    # only specific settings, add a file with a lexically later
    # name in /etc/sysctl.d/ and put new settings there.
    #
    # For more information, see sysctl.conf(5) and sysctl.d(5).
    kernel.randomize_va_space = 4
    
  • Reboot the host:
    [intern@intern-a1t-inf-lnx1 ~]$ sudo reboot
    
  • Once the host is up again, check that the kernel.randomize_va_space parameter has been retained:
    [intern@intern-a1t-inf-lnx1 ~]$ sudo sysctl -a | grep kernel.randomize_va_space
    kernel.randomize_va_space = 4
    
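  • As an added example (not part of the original exercise), the POSIX shell script below audits both controls from Task 1 and Task 2: it verifies that a user.cfg holds a pbkdf2 hash rather than nothing or plaintext, and that the value persisted for a sysctl key across the sysctl.conf/sysctl.d files matches the running value. The function names and the sample file contents are my own constructions.

```shell
#!/bin/sh
# Added audit helper, not part of the original exercise. It checks the two
# controls the exercise applies: a pbkdf2 GRUB2 password hash in user.cfg,
# and a sysctl key whose persisted value matches the running value.
# File paths are parameters, so the checks run here on constructed samples.

# Return 0 if FILE carries a GRUB2_PASSWORD line holding a pbkdf2 hash
# (what grub2-setpassword writes), 1 if the line is absent or malformed.
grub_password_set() {
    grep -Eq '^GRUB2_PASSWORD=grub\.pbkdf2\.sha512\.[0-9]+\.' "$1"
}

# Print the persisted value of KEY across FILES, read in the order given.
# Pass them as sysctl --system does (sysctl.d fragments first,
# /etc/sysctl.conf last) so later files override earlier ones. Lines
# starting with '#' or ';' are comments; whitespace around '=' is ignored.
persisted_sysctl() {
    key=$1; shift
    awk -v k="$key" '
        /^[ \t]*[#;]/ { next }
        /=/ {
            split($0, kv, "=")
            gsub(/^[ \t]+|[ \t]+$/, "", kv[1])
            gsub(/^[ \t]+|[ \t]+$/, "", kv[2])
            if (kv[1] == k) v = kv[2]
        }
        END { if (v != "") print v }' "$@"
}

# Return 0 when KEY's persisted value equals RUNNING (what sysctl -n KEY
# reports now); a mismatch means the running setting will not survive a reboot.
sysctl_persisted_matches() {
    key=$1; running=$2; shift 2
    [ "$(persisted_sysctl "$key" "$@")" = "$running" ]
}

# Constructed sample files standing in for /boot/grub2/user.cfg,
# /etc/sysctl.d/50-local.conf and /etc/sysctl.conf on a real host.
samples=$(mktemp -d)
printf 'GRUB2_PASSWORD=grub.pbkdf2.sha512.10000.AAAA.BBBB\n' > "$samples/user.cfg"
printf '# local fragment\nkernel.randomize_va_space = 2\n' > "$samples/50-local.conf"
printf 'kernel.randomize_va_space=4\n' > "$samples/sysctl.conf"

if grub_password_set "$samples/user.cfg"; then echo "grub: password hash present"; fi
if sysctl_persisted_matches kernel.randomize_va_space 4 \
        "$samples/50-local.conf" "$samples/sysctl.conf"; then
    echo "sysctl: persisted kernel.randomize_va_space matches running value 4"
fi
```

On a real host, call the functions with /boot/grub2/user.cfg and the real sysctl files, passing $(sysctl -n kernel.randomize_va_space) as the running value. Note that the kernel documents only 0, 1 and 2 for kernel.randomize_va_space and its internal checks are of the form value > 1, so the 4 written above is accepted by sysctl but behaves exactly like 2.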

Conclusion

Securing the boot process and hardware resources is fundamental to maintaining the security of a Linux system. In this exercise, you've learned about securing the boot loader, kernel, hardware resources, BIOS/UEFI firmware, and hardware access control. By implementing these practices and following local security best practices, you can enhance the overall security of your Linux systems and protect against unauthorized access.