3.3 Physical Actions
DANGER LEVEL
Several well-known ways that crackers take over a system from the keyboard are discussed here.7 Only some of the intrusions require access to the system's floppy or CD-ROM drives. Certainly, high-security systems should be kept in locked rooms but even in most engineering labs that are considered reasonably secure, there are enough unfamiliar faces that someone could pop a rogue floppy into a system without being noticed. Certainly, if an intruder has time, she simply could take the cover off a box and steal the disk containing proprietary data. Most laptop disks are tiny and with a little practice can be removed in under a minute and hidden in a pocket. Keep that in mind the next time you are on the road.
Confidential data on laptops and other systems that could be compromised always should be stored on disk in encrypted form. PGP is quite popular for this. There are some hardware cards available for encrypting all data going to a disk and decrypting data read from it, so that if someone steals the disk, they cannot read your data. See "Encrypted Disk Driver" on page 274 for discussion on a Linux device driver that automatically encrypts all data written to the disk, including data written to the swap partition.
In March of 2000, Intel announced a new laptop security system using a new chip set. It is expected to become quite popular. Do not be paranoid, but there is the keyboard ghost that is capable of recording up to 500,000 keystrokes on a keyboard without the user knowing.
http://www.keyghost.com/ See "Law of the Jungle: Physical Security" on page 121 to learn how to keep them away.
3.3.1 Booting an Intruder's Floppy or CD-ROM
DANGER LEVEL
If a cracker can get physical access to your system, unless you have taken special precautions, he merely needs to insert his bogus floppy, tape, or CD-ROM into your system and type Ctrl-Alt-Delete, momentarily unplug your system, press the reset button, or pull a circuit breaker, to get his rogue operating system without all your carefully installed security enhancements. Note that this will work even if you disable the keyboard and reset button.
Within a minute he "owns" you. Think about your physical environment for a moment. Do you periodically see people near the computers that you do not recognize but do not interrogate because you assume they are someone's boyfriend, roommate, or the guy in to fix the copier again? Inside of 10 seconds, he could pop in a floppy and hit the reset button or wiggle the power cord and be heading out of the building because he does not even need to wait for the boot sequence to finish.
3.3.2 CMOS Reconfiguration
DANGER LEVEL
The solution to physical intrusions and intruder boot floppies is for you to boot up and enter the CMOS configuration screen, commonly done by pressing the Delete key when prompted. The commands discussed here are specific to the Award® brand of BIOS, which is found in many PCs. The AMI® approach is similar. If yours is different, it will probably still be similar; if not, perhaps there is a manual around or help on the manufacturer's Web site. A common prompt message is
Press DEL to enter SETUP
Then press the down arrow until the menu selection
BIOS FEATURES SETUP
is highlighted and hit Enter. Of the bewildering menu of options, select
Boot Sequence
by pressing the down arrow until this item is highlighted and press Enter. This is the sequence of devices that the machine will try to boot from.
For those blissfully ignorant of the DOS world, device "A" is the first floppy drive (also called a diskette and usually the top unit as opposed to the bottom unit), device "B," if any, is the second floppy. Device "C" is the hard disk, and for those living large, device "D" is the second hard disk. Most recent BIOS versions also offer "SCSI" and "CD-ROM."
Press the + key, or, possibly, the PageUp key, repeatedly until it displays the single device that you normally will boot from, usually "C" or "SCSI." You do not want to select the option "C, A" because then if an intruder can trash the hard disk Master Boot Record (MBR) she can force the machine to boot from the floppy. If a subsequent corruption problem requires booting from a set of rescue disks (floppies), you can change this device order in the CMOS settings at that time. Press the Esc (Escape) key to exit this menu and return to the main menu. Then follow the instructions for saving the changes and exiting; commonly this is pressing the F10, Y, and Enter keys.
Also, it is a good idea to configure the CMOS to disable all serial and parallel devices that you do not need. This will prevent someone from connecting a modem to a serial port or connecting a floppy drive, Zip drive, or CD-RW burner to the parallel port.
3.3.3 Adding a CMOS Password
DANGER LEVEL
To prevent an intruder from altering the CMOS settings that you have configured for security and correct operation, you need to add a CMOS password by following the steps below. This will cause the CMOS code to ask for this password before doing anything of significance.
Reboot your system and, when prompted, press the Delete key to get into the CMOS menu. A common prompt for this is Press DEL to enter SETUP.
Move the down arrow until a menu selection is highlighted that reads something like CMOS Password or SUPERVISOR PASSWORD.
Press Enter and enter the desired password. Immediately write the password down and file it securely where you will remember to look for it at 3 A.M. in a year's time when you need to boot from rescue disks. Enter the password a second time.
Move the down arrow until the menu selection SAVE & EXIT SETUP is highlighted, press Enter, Y, and a second Enter (or F10, Y, Enter).
Now an intruder will be unable to alter the CMOS settings, say, to enable booting off a floppy to get control of the system with his own UNRescue Disks.
What if an intruder sets a CMOS password after changing the CMOS settings to only boot from nonexistent hardware? What if the other SysAdmin forgot to tell you the password before his vacation in the Outback?
Some motherboards have a jumper that can be set temporarily to erase the CMOS password. Some will turn off the password if the Insert button is held down while booting. With still others, you simply remove the CMOS battery (with the system powered down) for 30 seconds or so. Physical security is required to prevent these intrusions. Keep in mind that removing the battery will cause other important configuration settings to be lost too. (It is a really good idea to record the BIOS settings of each of your systems somewhere.)
3.3.4 Defending Against Single-User Mode
DANGER LEVEL
Linux normally boots up in multiuser mode. This allows for a secure system because it skips single-user mode, where a root shell would be offered without the bother of entering the root password.8 Sometimes a system will not complete the boot-up sequence to multiuser mode, either due to an error in the configuration or due to corruption in the root partition. To allow one to "get control" of such a system, LILO9 allows one to request that Linux come up in single-user mode. Instead of lots of daemons coming up, in single-user mode /etc/init brings up only a few things. To boot into single-user mode, at the LILO prompt type linux single instead of linux.
Red Hat and most other distributions do invoke fsck and do more operations than they should. Most UNIX versions do an absolute minimum when starting single-user mode to minimize problems in the event of file system corruption or misconfiguration.
There are a few different ways to prevent this. All of them involve making changes to LILO's configuration file that typically is stored in /etc/lilo.conf and then issuing the command lilo to store these instructions in the Master Boot Record (MBR). Although a reboot is not strictly necessary, you certainly will want one to verify that the changes worked.
The most flexible method is to require that a password be entered if boot options are passed to the boot loader. This is particularly useful because it prevents unauthorized personnel from booting into single-user mode while allowing anyone to boot multiuser mode, say, after a crash. Add the following two lines. Either may be either global or per-image.
restricted
password=secret
Be sure that the configuration file can be read only by root via
chmod 600 /etc/lilo.conf
chown root /etc/lilo.conf
Another way to guard against single-user mode is to not allow anyone to issue any commands to LILO at the keyboard, by setting a timeout of zero with the following option in the global commands section at the top of /etc/lilo.conf. (This is a requirement for Orange Book C2 security.)
timeout=0
Finally, disallow automatic rebooting by adding the line
prompt
to /etc/lilo.conf, in the global commands section at the top (before the per-image sections). Thus, if a cracker somehow found a way to remotely alter the Master Boot Record, installed a new kernel, or otherwise arranged to create havoc, she cannot boot the new system configuration. Naturally, because Linux is so reliable you should investigate after any crash for the off chance that it was cracker-induced.
All of the entries in /etc/lilo.conf that someone could select, that is, bootable systems, need to be securely configured kernels, such as Linux kernels or similar. In other words, none of them should offer single-user mode or file systems with lax file permissions. None should be insecure operating systems. For those on non-Intel hardware, there may be similar capabilities.
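The LILO settings above are easy to get partly wrong (an option in a comment, a stray timeout, a world-readable file). The following audit script is an added example, not code from the book: it checks a lilo.conf for restricted, password=, timeout=0 and prompt, and for root-only mode-600 permissions, using constructed sample files. It assumes GNU stat (stat -c) as found on Linux.

```shell
#!/bin/sh
# Audit a LILO configuration for the protections described above: restricted
# plus password=, timeout=0, prompt, and a root-only, mode-600 file.
# Added example, not the book's code; the sample configs are constructed.
# Assumes GNU stat (stat -c) as found on Linux.

# Print the config with comments, blank lines and surrounding whitespace
# stripped, so options in the global and per-image sections match alike.
lilo_normalise() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$1"
}

# need <file> <label> <ERE>: succeed if a whole normalised line matches the ERE.
need() {
    lilo_normalise "$1" | grep -qE "^$3\$" && return 0
    echo "$1: missing $2"
    return 1
}

# Return the number of missing options (0 means all four are present).
check_lilo_options() {
    conf="$1"; missing=0
    need "$conf" 'restricted' 'restricted'                        || missing=$((missing + 1))
    need "$conf" 'password='  'password[[:space:]]*=.+'           || missing=$((missing + 1))
    need "$conf" 'timeout=0'  'timeout[[:space:]]*=[[:space:]]*0' || missing=$((missing + 1))
    need "$conf" 'prompt'     'prompt'                            || missing=$((missing + 1))
    return "$missing"
}

# Return 0 when the file is mode 600 and owned by root, else report and return 1.
check_lilo_perms() {
    mode=$(stat -c '%a' "$1"); owner=$(stat -c '%U' "$1")
    [ "$mode" = "600" ] && [ "$owner" = "root" ] && return 0
    echo "$1: mode $mode owner $owner (want 600 root)"
    return 1
}

# Constructed samples: a typical unhardened file and a hardened one.
weak=$(mktemp); hard=$(mktemp)
printf '%s\n' 'boot=/dev/hda' 'timeout=50' 'image=/boot/vmlinuz' \
    '    label=linux' '    root=/dev/hda1' > "$weak"
printf '%s\n' 'boot=/dev/hda' 'prompt' 'timeout=0' 'restricted' \
    'password=ChangeMe   # placeholder secret' 'image=/boot/vmlinuz' \
    '    label=linux' '    root=/dev/hda1' > "$hard"

for f in "$weak" "$hard"; do
    check_lilo_options "$f" && echo "$f: all options present"
    check_lilo_perms "$f" || :
done
```

Run it against a copy of the real /etc/lilo.conf by calling check_lilo_options and check_lilo_perms on that path; remember that the password= line itself is why the file must stay mode 600.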
3.3.5 Defeating Theft by Floppy
DANGER LEVEL
Most people do not take floppies very seriously any more. After all, a 3-1/2-inch floppy holds only 1.44 MB; it would take 14,000 of them to store the data of a common 20 GB disk. Still, it would hold the name, home address, home phone number, and job title of about 10,000 employees, without even using compression, and could make a headhunter (recruiter) very happy. A floppy could hold a lot of source code, customer lists, or specifications. Plenty of company data has been stolen this way over the years.
Some other ways of stealing data include connecting a modem to a serial port and sending data that way or plugging a printer, parallel-port CD-ROM burner, or disk drive into the parallel port and printing or copying the data that way. Do consider the possibilities that USB offers, too. The solution to these problems is to enter the CMOS menu as discussed in the past few sections and disable the peripheral devices that are not needed.
3.3.6 Defeating Ctrl-Alt-Delete Attacks
DANGER LEVEL
The fixes discussed previously will prevent a physical intruder from being able to intrude after forcing a reboot but forcing the system to shut down certainly is a DoS attack. On unprotected systems, the standard Ctrl-Alt-Delete sequence will shut the system down in a few seconds.
This sequence can be disabled by commenting out the default entry in /etc/inittab (that has the ctrlaltdel tag) that allows it so that it looks like the following:
#no C-A-D: ca::ctrlaltdel:/sbin/shutdown -t5 -rfn now
After editing /etc/inittab you need to tell init to reread it with the command
telinit q
Alternatively, the shutdown command could be replaced with another one, perhaps a shell script generating e-mail, that will notify you either that a user new to Linux needs your help or someone evil is at the keyboard.
Although there is a /proc/sys/kernel/ctrl-alt-del file starting in the 2.2 kernel, toggling its value between 0 and 1 does not seem to inhibit the system from rebooting when it is given the three-finger salute.
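To confirm that the inittab change actually took Ctrl-Alt-Delete out of action, the following script is an added example, not code from the book: it parses the id:runlevels:action:process records of an inittab, reports any active ctrlaltdel entry that still shuts the system down, and accepts a replacement handler such as the notifying script the text suggests. The sample inittab fragments are constructed and /usr/local/sbin/cad-notify is a placeholder name.

```shell
#!/bin/sh
# Audit an inittab for an active ctrlaltdel entry that still reboots the box,
# as discussed above. Added example, not the book's code; the sample inittab
# fragments are constructed and /usr/local/sbin/cad-notify is a placeholder
# for the notification script the text suggests.

# Print the process field of each active (uncommented) ctrlaltdel entry.
# inittab lines are id:runlevels:action:process; process may itself contain ':'.
inittab_cad_process() {
    sed -e 's/^[[:space:]]*//' -e '/^#/d' -e '/^$/d' "$1" |
        awk -F: '$3 == "ctrlaltdel" { sub(/^[^:]*:[^:]*:[^:]*:/, ""); print }'
}

# Return 0 when Ctrl-Alt-Delete no longer shuts the system down, 1 otherwise.
check_inittab_cad() {
    procs=$(inittab_cad_process "$1")
    if [ -z "$procs" ]; then
        echo "$1: ctrlaltdel entry absent or commented out"; return 0
    fi
    if printf '%s\n' "$procs" | grep -qE '(^|/)(shutdown|reboot|halt|init)([[:space:]]|$)'; then
        echo "$1: Ctrl-Alt-Delete still reboots via: $procs"; return 1
    fi
    echo "$1: Ctrl-Alt-Delete runs: $procs"; return 0
}

# Constructed samples: the stock entry, the commented-out fix from the text,
# and a replacement that notifies instead of rebooting.
stock=$(mktemp); disabled=$(mktemp); notify=$(mktemp)
printf '%s\n' 'id:3:initdefault:' 'ca::ctrlaltdel:/sbin/shutdown -t5 -rfn now' > "$stock"
printf '%s\n' 'id:3:initdefault:' '#no C-A-D: ca::ctrlaltdel:/sbin/shutdown -t5 -rfn now' > "$disabled"
printf '%s\n' 'id:3:initdefault:' 'ca::ctrlaltdel:/usr/local/sbin/cad-notify' > "$notify"

for f in "$stock" "$disabled" "$notify"; do
    check_inittab_cad "$f" || :
done
```

After editing the real /etc/inittab, run check_inittab_cad on it and then telinit q so that init picks up the change.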