Is there any way to disallow changing the init parameter at boot time? I want to prevent a situation where someone reboots my server, edits the grub entry and gets access without a password. Maybe there are some kernel parameters I can change when compiling the kernel?
-
Full disk encryption... – jasonwryan Dec 10 '14 at 22:56
-
ok, but what if I want to reboot it remotely? – KaP Dec 10 '14 at 23:07
-
http://unix.stackexchange.com/questions/37024/how-to-open-a-port-early-in-boot-process-to-unlock-luks-via-ssh – jasonwryan Dec 10 '14 at 23:32
-
A less secure but easier way is setting a password to GRUB. – user4098326 Dec 10 '14 at 23:58
1 Answer
If someone has physical access to your computer, they can boot from a USB key, or take out the hard drive and plug it into another computer. To prevent someone from changing boot parameters, put the computer in a locked case or locked room.
If the computer is in a locked case but its keyboard is accessible to untrusted people, then you need a software means to prevent booting with alternate parameters. This is the job of the bootloader, not the job of the kernel (the kernel isn't the software that's prompting you for parameters at boot time: it isn't even loaded into memory at that point). Be sure to forbid booting from any exposed external ports (e.g. USB, network) in the BIOS, and to set a password to access the BIOS configuration interface.
If your bootloader is Grub, activate its lockdown features: add a superusers setting to your grub.cfg, as well as password_pbkdf2 to set a password that allows accessing the command line. Be sure to add the --unrestricted option to your normal menu entry as well. See the manual for details and an example.

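One way to check that a generated grub.cfg carries the three settings the answer names (superusers, password_pbkdf2, --unrestricted). This is an added example, not part of the original answer: the function names are hypothetical, the sample config and its hash are constructed placeholders, and matching is line-based, so it assumes each directive sits on its own line.

```shell
#!/bin/sh
# Added example: audit a grub.cfg for the lockdown settings named above.

# Print each name from: set superusers="root,admin" (one per line)
grub_superusers() {
    sed -n 's/^[[:space:]]*set[[:space:]]\{1,\}superusers=//p' "$1" |
        tr -d "\"'" | tr ',;&|' '    ' | tr -s ' ' '\n' | sed '/^$/d'
}

# Print superusers that have no hashed password_pbkdf2 line
grub_users_without_hash() {
    for u in $(grub_superusers "$1"); do
        awk -v u="$u" '$1 == "password_pbkdf2" && $2 == u &&
            $3 ~ /^grub\.pbkdf2\./ { found = 1 } END { exit !found }' "$1" ||
            echo "$u"
    done
}

# Print titles of menu entries lacking --unrestricted; once superusers is
# set, these ask for a password before booting (a problem for remote reboots)
grub_restricted_entries() {
    grep -E '^[[:space:]]*menuentry[[:space:]]' "$1" | grep -v -e '--unrestricted' |
        sed "s/^[[:space:]]*menuentry[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/"
}

audit_grub_cfg() {
    [ -n "$(grub_superusers "$1")" ] ||
        { echo "FAIL: superusers is not set"; return 1; }
    missing=$(grub_users_without_hash "$1")
    [ -z "$missing" ] ||
        { echo "FAIL: no password_pbkdf2 for:" $missing; return 1; }
    grub_restricted_entries "$1" | sed 's/^/NOTE: password needed to boot: /'
    echo "OK: editing entries and the command line need a superuser password"
}

# Constructed sample config; the hash is a placeholder, not real output
sample_cfg() {
    cat <<'EOF'
set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.CONSTRUCTEDSALT.CONSTRUCTEDHASH
menuentry 'Linux' --class gnu-linux --unrestricted {
}
menuentry 'Linux (recovery mode)' --class gnu-linux {
}
EOF
}

tmp=$(mktemp) && sample_cfg > "$tmp" && audit_grub_cfg "$tmp"; rm -f "$tmp"
```

On the sample, the recovery entry is reported as needing a password to boot, while the normal entry boots unattended.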