(Ubuntu: Lesson 3)

{ Hardening the Boot Loader, /boot/grub/grub.cfg }

Section 0. Background Information

Background information.
- The following lab will show you how to prevent a user from gaining unauthorized access to the server by editing the grub menu during reboot.
Prerequisite
- Ubuntu: Lesson 1: Installing Ubuntu Desktop 12.04 LTS
Lab Notes
- In this lab we will do the following:
  1. We will show you how to create a grub generated password.
  2. We will show you how to password protect the grub menu.
Legal Disclaimer
- As a condition of your use of this Web site, you warrant to computersecuritystudent.com that you will not use this Web site for any purpose that is unlawful or that is prohibited by these terms, conditions, and notices.
- In accordance with UCC § 2-316, this product is provided with "no warranties, either express or implied." The information contained is provided "as-is", with "no guarantee of merchantability."
- In addition, this is a teaching website that does not condone malicious behavior of any kind.
- You are on notice, that continuing and/or using this lab outside your "own" test environment is considered malicious and is against the law.
- © 2012 No content replication of any kind is allowed without express written permission.

Section 1: Start Ubuntu 12.04

Start Ubuntu 12.04
- Instructions
  1. For Windows 7
    - Start --> All Programs --> VMware Player
  2. For Windows XP
    - Starts --> Programs --> VMware Player
Verify Virtual Machine Settings.
- Instructions
  1. Click on Ubuntu 12.04
  2. Click on Edit virtual machine settings
Set CD/DVD(IDE)
- Instructions
  1. Click on CD/DVD(IDE)
  2. Select radio button: Use physical drive
  3. Select Auto detect from the drop down list.
  4. DO NOT CLICK THE OKAY BUTTON YET.
Set Network Adapter
- Instructions
  1. Click on Network Adapter
  2. Select radio button: Bridged
  3. Now, Click the OK Button.
Start the Ubuntu 12.04 VM
- Instructions
  1. Click on Ubuntu 12.04
  2. Click on Play virtual machine

Section 2: Start a Terminal, Become Root

Select Environment
- Instructions
  1. Click on the circle
Select GNOME Classic
- Instructions
  1. Click on GNOME Classic
Provide Authentication
- Instructions
  1. Supply Password
Start up a Terminal
- Instructions
  1. Click on the Terminal
Become Root
- Instructions
  1. sudo su -
  2. Enter your "student" password

Section 3: Password Protect the Grub Menu

Navigate to the grub configuration directory
- Instructions
  1. cd /etc/grub.d/
Let's look at the grub configuration files
- Instructions
  1. ls -l
- Informational
  - 00_header:
    - Password Protection.
  - 05_debian_theme:
    - Set background and text colors, themes
  - 10_linux:
    - Locates Linux kernels based on results of the "lsb_release" command.
  - 20_memtest86+:
    - If the file /boot/memtest86+.bin exists, it is included as a menu item.
  - 30_os-prober:
    - Searches for Linux and OS's on other partitions and includes them in the menu.
  - 40_custom:
    - A template for adding custom menu entries which will be inserted into grub.cfg upon execution of the "update-grub" command. This and any other custom file must be made executable to allow importation into grub.cfg.
Make a backup of the 00_header file
- Instructions
  1. cp 00_header 00_header.BKP
Create Grub Password
- Instructions
  1. grub-mkpasswd-pbkdf2
  2. Enter a password
  3. Highlight the password
  4. Right Click and Copy
Start up a Text Editor
- Instructions
  1. Accessories --> Text Editor
Paste into Text Editor
- Instructions
  1. Edit --> Paste
Configure Text Editor Preferences
- Instructions
  1. Edit --> Preference
Configure Text Wrapping
- Instructions
  1. Uncheck "Do not split words over two lines"
  2. Click Close
- Note(FYI):
  1. Notice that the password hash line is now word wrapping.
Edit the 00_header file
- Instructions
  1. vi 00_header
Go to the last line of the file
- Instructions
  1. Press the <Shift> and "g" keys at the same time.
    - This will place the cursor on the first character of the last line of the file.
  2. Press the <Shift> and "a" keys at the same time.
    - This will put the cursor at the end of the line after the last character of the line.
    - It will also put VI into insert mode.
  3. Press <Enter>
  4. Press <Enter>
Password Protect the Grub File
- Instructions (Type the follow)
  1. cat << EOF
  2. set superusers="student"
  3. password_pbkdf2 student GRUB_PASSWORD_GOES_HERE
    - Highlight and Copy the Grub Password that was pasted in the Text Editor.
  4. EOF
  5. Press the <Esc> button
  6. Type ":wq!"
Update the Grub
- Instructions
  1. update-grub

Section 4: Testing the Password Protected Grub Menu

Reboot the machine
- Instructions
  1. reboot
Boot to Grub 2 Menu
- Instructions
  1. Once you see the below vmware screen, (1) Left Click in the screen and (2) press the <Shift> key.
The Grub 2 Menu
- Instructions
  1. Make sure the first link is highlighted (See Below).
  2. Press "e" to edit
Enter Username and Password
- Instructions
  1. Enter username:
  2. Enter password:
Welcome to the Grub Menu
- Notes
  - Now you have successfully password protected the Grub Menu.
- Instructions
  1. Press <Ctrl> and "x" to boot.

Section 5: Proof of Lab

Provide Authentication
- Instructions
  1. Supply Password
Start up a Terminal
- Instructions
  1. Click on the Terminal
Become Root
- Instructions
  1. sudo su -
  2. Enter your "student" password
Proof of Lab
- Instructions
  1. ls -l /etc/grub.d/00_header
  2. grep password /etc/grub.d/00_header
  3. date
  4. echo "Your Name"
    - Replace the string "Your Name" with your actual name.
    - e.g., echo "John Gray"
- Proof of Lab Instructions
  1. Press both the <Ctrl> and <Alt> keys at the same time.
  2. Do a <PrtScn>
  3. Paste into a word document
  4. Upload to Moodle