Home > Articles > Operating Systems, Server > Solaris

  • Print
  • + Share This
  • 💬 Discuss

Securing the Console and Front Panel

The next task is to consider restricting access to a system's console. This task is useful if the server is located in a common area of a network operations center.

NOTE

These tasks do not prevent attackers with physical access from compromising systems. These methods provide incremental security, but caution must always be exercised when physical access to a system and related hardware is permitted.

This section contains the following topics:

  • "Access and Modify BIOS Configuration"
  • "Restrict Access to BIOS"
  • "Limit Front Panel, Keyboard, and Video Access"
  • "Restrict Alternate Boot Devices"
  • "Restrict Access to the LILO Boot Loader"
  • "Disable Control-Alt-Delete Reboot Key Sequence"
  • "Require Single-User Mode Password"
  • "Disable the Magic SysRq Key"
  • "Restrict Root Access to Devices"

Access and Modify BIOS Configuration

The Sun Linux 5.0 operating system is provided on the Sun LX50 system. The Sun LX50 system uses the American Megatrends, Inc. (AMI) Basic Input and Output System (BIOS). The BIOS provides security features that prevent unauthorized or accidental access to a system. When security measures are enabled, administrators and users can access the system only when they enter correct passwords. You can implement the following security measures:

  • Enable an administrator password, which is used to access and configure BIOS security options

  • Enable a user password, which can be granted full or limited access to BIOS

  • Enable secure mode, which prevents keyboard input, front panel reset access, and power switch access.

  • Enable a keyboard lockout timer, which after a time-out period, requires a password to reactivate keyboard input.

  • Disable booting to alternative devices, such as diskettes and CD-ROMs

A system's BIOS performs power-on self-tests (POST), provides an interface to the hardware components on a system, and facilitates loading an operating system by locating and accessing a boot loader. In addition, the BIOS provides basic security features.

To access the BIOS configuration, press the F2 key while the initial boot screen is displayed on a console. To maneuver the BIOS menu system, follow the instructions located at the bottom of the screen.

NOTE

If a BIOS administrative password is defined for the system, this password must first be correctly entered before access to the BIOS configuration is granted.

If you change any of the BIOS configuration parameters, you must reboot the system for the changes to take effect.

Restrict Access to BIOS

You can set a user password, an administrator password, or both. The passwords are limited to seven alpha numeric, case-sensitive characters. By default, the passwords are not defined, and unrestricted access is granted to the BIOS for any user with physical access to a console.

Setting a user or an administrator password requires:

  • Entering the password to enter BIOS setup.

  • Entering the password to boot the server if "Password on Boot" is enabled.

  • Entering the password to exit "Secure Mode."

Setting both passwords requires:

  • Entering the password to enter BIOS setup.

    • If entering a user password, the user may not be able to change some of the BIOS options, depending upon privilege level granted.

    • If entering an administrator password, the administrator is able to enter BIOS setup and access all options.

  • Entering either password to exit "Secure Mode."

    CAUTION

    With physical access to a system, BIOS passwords can be reset by changing a jumper on the motherboard.

To Set an Administrator Password

  1. Enter the BIOS menu by pressing the F2 key while the system's initial boot screen is displayed.

  2. Select the Security menu tab to display the security configuration menu.

  3. Select the Set Administrative Password option.

  4. Enter the new administrative password.

  5. Re-enter the new administrative password to confirm the new password.

  6. Select the Exit menu tab, then select the Exit and Save option.

    Once set, the Administrative Password parameter changes from Disabled to Enabled. Now the Administrative Password must be entered to access the BIOS configuration.

To Set a User Password

  1. Enter the BIOS menu by pressing the F2 key while the system's initial boot screen is displayed.

  2. Select the Security menu tab to display the security configuration menu.

  3. Select the Set User Password option.

  4. Enter the new user password.

  5. Re-enter the new user password to confirm the new password.

  6. Select the privilege level granted to the user:

    • No Access – Prevents a user from accessing the BIOS configuration. If a user is assigned to this level, the user password is used only to unlock the system when it is operating in "Secure Mode."

    • Limited – Allows a user to access the BIOS and to change a limited number of non-critical fields.

    • View Only – Allows a user to access the BIOS but in read-only mode. The user is not permitted to change any of the BIOS parameters.

    • Full – Allows a user to access the BIOS and change all parameters, except for the Administrator Password.

  7. Select the Exit menu tab, then select the Exit and Save option.

Limit Front Panel, Keyboard, and Video Access

After setting the administrator password, limit access to the front panel, keyboard, and video. The following additional options appear on the BIOS Security menu:

  • Secure Mode Timer – This timer is the period of inactivity in minutes before "Secure Mode" is activated and the system's keyboard and mouse are locked.

  • Secure Mode Hot Key – This keyboard sequence places the system in "Secure Mode." By default, the sequence is Control-Alt-[L], which is performed by holding down the Control and Alt keys and simultaneously pressing the L key.

  • Secure Mode Boot – This setting configures the BIOS to prevent the system from starting the boot process until a user or administrator password is entered. A password is required to boot from removable media such as a diskette or CD-ROM.

  • Video Blanking – This setting disables the use of a video monitor when a system is in "Secure Mode." When video blanking is off, the system displays information on the monitor even in "Secure Mode." If a monitor is disabled in addition to the keyboard and mouse when in "Secure Mode," video blanking should be enabled.

  • Disable Power Button – This setting configures the BIOS to ignore the use of the front-panel power button. When enabled, this setting prevents a running system from being powered off using the front-panel power button.

To Set Access Options

  1. Enter the BIOS menu by pressing the F2 key while the system's initial boot screen is displayed.

  2. Select the Security menu tab to display the security configuration menu.

  3. Select the appropriate option, and enable or disable it.

  4. Select the Exit menu tab, then select the Exit and Save option.

Restrict Alternate Boot Devices

You can use the Sun Linux BIOS configuration to specify the order in which devices are polled when locating an operating system. This boot device priority selects the order in which hard-drives, CD-ROM drives, and disk drives are accessed during boot processes. It is recommended that the system be configured to boot first from the local hard drive before other media. This approach can prevent a system from being compromised through a boot diskette or CD-ROM inserted during the boot process.

To Set Boot Device Priority

  1. Enter the BIOS menu by pressing the F2 key while the system's initial boot screen is displayed.

  2. Select the Server tab to display the server configuration menu.

  3. Select the Boot Priority menu to change the default boot priority.

  4. Select the hard drive as the first boot device.

  5. Disable any boot devices that are not required.

  6. Select the Exit menu tab, then select the Exit and Save option.

Restrict Access to the LILO Boot Loader

Sun Linux uses the LILO boot loader to load the Linux kernel. LILO allows users to pass parameters to the kernel, several of which can be used to gain unrestricted access to a system (such as single for single-user mode). You can configure LILO to require a password before allowing access.

To Configure LILO to Require a Password for Access

  • Add the following lines (see bold lines) to the /etc/lilo.conf file.

    image=/boot/vmlinuz-2.4.9-31enterprise
    password=<password>
    restricted
    label=linux
    initrd=/boot/initrd-2.4.9-31enterprise.img
    append="console=ttyS1,9600 console=tty0"
    read-only
    root=/dev/sda3

In this example, the password and restriction options are added to the kernel 2.4.9-31enterprise. In practice, there exist multiple kernel definitions or image entries in the /etc/lilo.conf, often as a result of kernel upgrades. We recommend that you define these options for each of the kernels listed in your /etc/lilo.conf file.

NOTE

The version number 2.4.9-31enterprise changes based on the version of the kernel running on the system.

Using the restricted directive in LILO allows booting of the default kernel without password verification, but requires a password if any additional arguments are added (such as single to boot into single-user mode) or if a kernel image other than the default is selected.

Access to the /etc/lilo.conf file should be restricted to only the root user, because the password contained in that file is in clear-text. Set this restriction by executing the following command.

# chmod go-rwx /etc/lilo.conf

After any modifications, you must run the command /sbin/lilo to propagate any changes to LILO. The following command is usually sufficient.

# /sbin/lilo

Disable Control-Alt-Delete Reboot Key Sequence

By default, a Sun Linux system reboots when the key combination Control-Alt-Delete is entered.

To Disable the Control-Alt-Delete Key Sequence

  1. Comment out the following line in the /etc/inittab file:

    # Trap CTRL-ALT-DELETE
    # ca::ctrlaltdel:/sbin/shutdown -t3 -r now
  2. Reload the inittab by either rebooting the system or by entering /sbin/telinit q.

Require Single-User Mode Password

You can configure the system to prompt for a password when booted into single-user mode. Add the following line to the /etc/inittab file.

~~:S:wait:/sbin/sulogin

CAUTION

It is highly recommended that you add a password to the LILO configuration file instead of setting a password for single-user mode. Users can circumvent single-user password restrictions using the command linux init=/bin/bash instead of the linux single command at the LILO boot prompt.

Disable the Magic SysRq Key

If enabled, the SysRq key can be used for activities such as rebooting systems, inspecting memory, synchronizing disks, and killing processes. It is mainly useful to kernel developers, because it allows them to diagnose and recover a system state after problems. However, be aware that it can be used to gain unauthorized root access.

t To Disable the Magic SysReq Key

  1. Enter the following in the /etc/sysctl.conf file:

    kernel.sysrq = 0
  2. Reboot the system to implement this configuration change.

Restrict Root Access to Devices

The Sun Linux operating system provides the ability to restrict from where a remote user can log into a system as root user. This restriction is an important capability to help promote accountability on a system. Typically, we recommend that administrators do not log into systems directly using a root account; instead they should log into systems using their unique account and assume root privileges as needed. Often this recommendation is combined with role-based access control capabilities such as sudo to further restrict what may be done with elevated privileges. By following this recommendation, actions can be better associated with specific individuals.

The login command is part of the authentication process to access a local Sun Linux account. Except for a root user, any user can log in to any valid device on a system, serial or virtual. A root user is not permitted to log in to any device unless the device is listed in the /etc/securetty file. If a root user attempts to log in to a device not listed, then the attempt fails and a failure notice is logged to the syslog facility.

If you need to configure the system to permit direct root login over the primary serial interface, then add the following line to the /etc/securetty file.

/dev/ttyS0

NOTE

Be sure to review the contents of the /etc/securetty file, removing any entries that are not required. Be careful not to remove root accounts, which would inadvertently lock root users out of the system.

  • + Share This
  • 🔖 Save To Your Account

Discussions

comments powered by Disqus