
The GRUB and /boot/grub/grub.conf file

This part applies to those who use GRUB as their boot loader. GRUB is another boot loader like LILO, but with many more useful features and more power. One of its main advantages compared to LILO is that it provides a small shell interface to manage the operating system. Also, it doesn’t need to be updated each time you recompile a new kernel on your server.

GRUB is very important since it is the first software program that runs when the computer starts, and we have to secure it as much as possible to avoid any possible problem. In its default installation it’s already well protected, and below I explain how its configuration file is made. Compared to LILO, GRUB is really easy to use and configure. Below is a default GRUB configuration file with the security settings I recommend you apply. The text in bold marks the parts of the configuration file that must be customized and adjusted to satisfy our needs.

• Edit the grub.conf file (vi /boot/grub/grub.conf) and adjust it to your needs. Below is what we recommend:

default=0

timeout=0

splashimage=(hd0,0)/grub/splash.xpm.gz

password --md5 $1$oKr0ÝmFo$tPYwkkvQbtqo1erwHj5wb/

title Red Hat Linux (2.4.18-3)

root (hd0,0)

kernel /vmlinuz-2.4.18-3 ro root=/dev/sda5

initrd /initrd-2.4.18-3.img

This tells the grub.conf file to set itself up for this particular configuration with:

default=0

The option “default” is used to define the default entry of the configuration file. The number “0” means that the following parameters are the default entry for the configuration of GRUB. In a server configuration where Linux is the only operating system to boot, the default entry of “0” will be the only one to use and we don’t need to define any additional entry.

timeout=0

The “timeout” option defines the time, in seconds, to wait before automatically booting the default entry. As with LILO, one of the requirements of C2 security is that this interval be set to 0 unless the system dual boots something else. One disadvantage of setting this option to “0” is that you will no longer have access to the GRUB shell interface at boot time, but this is not really a problem since all we need from GRUB is to boot our operating system.

splashimage=(hd0,0)/grub/splash.xpm.gz

The “splashimage” option was added by Red Hat to boot the system with a graphical image. The value is the path of the compressed image to use when booting GRUB. It’s up to you whether to keep this parameter on your system or to remove it. If you want to remove it, just delete the above line with the compressed image from your configuration file.

password --md5 $1$bgGCL/$4yF3t0py.IjU0LU.q7YfB1

The “password” option tells GRUB to ask for a password and to disallow any interactive control until you press the key <p> and enter a correct password. The option --md5 tells GRUB that a password in MD5 format is required as a value. If it is omitted, GRUB assumes the specified password is in clear text.

When we installed the operating system, we already configured GRUB with password protection. This password is what you see here. If you want to change it, you have to use the “grub-md5-crypt” command to generate a new encrypted password in MD5 format.

• This can be done with the following command:

[root@dev /]# grub-md5-crypt

Password:

Once the above command has been issued, you have to cut and paste the encrypted password to your configuration file.

title Red Hat Linux (2.4.18-3)

The “title” option gives a name to the boot entry; the name is the contents of the rest of the line. It is directly related to the default boot entry. What you enter here is what you will see during boot time. This option is useful when we have more than one OS to start on our computer, and allows us to give each one the name we want in order to distinguish them. You are free to enter whatever name you like.

root (hd0,0)

The “root” option is one of the most important GRUB parameters; without it nothing will work. It is used to define the current root device to use for booting the operating system. Its definition and configuration is a little bit special, as you can see. Here is an explanation of its meaning. The “hd0” parameter represents using the entire disk and the “hd0,0” represents using the partition of the disk (or the boot sector of the partition when installing GRUB). Don’t be confused here because “hd” is valid for IDE and SCSI drives. There is no difference; you always use “hd”, even on a SCSI drive.

kernel /vmlinuz-2.4.18-3 ro root=/dev/sda5

The “kernel” option is used to load the primary boot image (our kernel). The parameter to this option is simply the path where GRUB should find the kernel image from which we want it to boot. The additional parameters inform it that the kernel image is located on the sda5 partition on our server and that we want to load it as read only for security reasons.

initrd /initrd-2.4.18-3.img

The “initrd” option is optional and will appear in your GRUB configuration file only if you run a SCSI computer. For an IDE computer, this option is not required and should not be defined inside the GRUB configuration file. The parameter simply informs GRUB where our initial ram disk image is located on the server. GRUB reads this initial ram disk and loads it during startup.
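
The two security-relevant settings described above, timeout=0 and a password --md5 line, can be checked mechanically. The shell function below is an added example, not part of the original text; the name audit_grub_conf, the sample file and its values are constructed for illustration, and it assumes that only a password line placed before the first title entry applies globally.

```shell
#!/bin/sh
# Added example (not from the original text): check a GRUB legacy grub.conf
# for the two hardening settings described above.
# Returns 0 when both checks pass, 1 when any fails, 2 if the file is unreadable.
audit_grub_conf() {
    [ -r "$1" ] || { echo "ERROR: cannot read $1"; return 2; }
    awk '
        $1 ~ /^#/ { next }                      # skip comment lines
        {   # accept both "key=value" and "key value"
            key = $1; val = $2
            eq = index($1, "=")
            if (eq) { key = substr($1, 1, eq - 1); val = substr($1, eq + 1) }
        }
        key == "timeout" { timeout = val; have_timeout = 1 }
        key == "title"   { seen_title = 1 }
        # Assumption: only a password line before the first title is global.
        key == "password" && !seen_title {
            have_pw = 1
            if ($2 == "--md5") { md5 = 1; hash = $3 }
        }
        END {
            bad = 0
            if (!have_timeout)       { print "FAIL: no timeout line"; bad = 1 }
            else if (timeout != "0") { print "FAIL: timeout=" timeout " (want 0)"; bad = 1 }
            else                     { print "OK: timeout=0" }
            if (!have_pw)            { print "FAIL: no password line before first title"; bad = 1 }
            else if (!md5)           { print "FAIL: password stored in clear text (no --md5)"; bad = 1 }
            else if (substr(hash, 1, 3) != "$1$") { print "FAIL: --md5 value lacks $1$ prefix"; bad = 1 }
            else                     { print "OK: password --md5 set" }
            exit bad
        }
    ' "$1"
}

# Constructed sample: the layout shown above with two weakened settings.
sample=$(mktemp)
cat > "$sample" <<'EOF'
default=0
timeout=10
password secret
title Red Hat Linux (2.4.18-3)
root (hd0,0)
kernel /vmlinuz-2.4.18-3 ro root=/dev/sda5
EOF
audit_grub_conf "$sample"
rm -f "$sample"
```

On a real system the function is called as audit_grub_conf /boot/grub/grub.conf, and its exit status can gate a configuration-management run.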

The /etc/services file

The port numbers on which certain "standard" services are offered are defined in RFC 1700, "Assigned Numbers". The /etc/services file enables server and client programs to convert service names to these numbers (ports). The list is kept on each host and is stored in the file /etc/services. Only the "root" user is allowed to make modifications to this file. It is rare to edit the /etc/services file since it already contains the more common service names / port numbers. To improve security, we can set the immutable flag on this file to prevent unauthorized deletion or modification.

• To immunize the /etc/services file, use the following command: