System Security

A typical technician can actually put a password for the computer BIOS to protect access to hardware of the system to make changes. He may also disallow any bootable media supported by the BIOS such as floppy or usb which is certainly a security threat. However, I wouldn’t recommend putting a password when rebooting the system if the admin will from time to time reboot the system remotely as of course it will require physical access, its up to the admin though.

The very next step after booting from the BIOS is the operating system security whether it be Linux or Windows,the logins can somehow suffice as its configured during the installation so by default at least it will protect the system from mal users. In the case of Linux, Grub Boot Loader security will be very important. The implementation of GRUB permits any user to circumvent the system security by choosing the root enabled shell which is exactly what the GRUB will provide in its default implementation. This is by simply modifying the kernel line to boot in the single user mode and it will process init to set up the environment in conjunction with the kernel to run runlevel 1 which provides a root shell with no authentication.

To prevent this from happening, GRUB provides a utility to protect itself from the modification of boot up sequence by running the ./grub-md5-crypt script located under /sbin. This utility will allow the admin to specify a password which will then prompt an md5 hash password to be compared when a malicious user edits GRUB to boot certain runlevels.
#grub-md5-crypt
Password:
Re-type password:
$1HgjTdgCLWeRtoBtsdFrSeLkIdWeYsDaMjLoPjFc3

After specifying your password, edit the /boot/grub/grub.conf

default 0
timeout 10
password --md5 $1HgjTdgCLWeRtoBtsdFrSeLkIdWeYsDaMjLoPjFc3
title openSUSE 10.2
root (hd0,1)
kernel /boot/vmlinuz-...
initrd /boot/initrd.img-...

This option by way don’t work on GRUB2. So if you are using newer Ubuntu derivatives, you probably don’t have this utility.