Securing-Optimizing-RH-Linux-1_2_54
Comments and suggestions concerning this book should be mailed to gmourani@videotron.ca
© Copyright 1999-2000 Gerhard Mourani and Open Network Architecture ®
54
This option asks for a password only if parameters are specified on the command line (e.g. linux
single). The restricted option can only be used together with the password option. Make sure
you use this one on each image.
· Adding: password=<password>
This option asks the user for a password when trying to load the Linux system in single mode.
Passwords are always case-sensitive. Also make sure the /etc/lilo.conf file is no longer world
readable, or any user will be able to read the password. Here is an example of our protected LILO
with the lilo.conf file.
Step 1
Edit the lilo.conf file (vi /etc/lilo.conf) and add or change the three options above as shown:
boot=/dev/sda
map=/boot/map
install=/boot/boot.b
prompt
timeout=00              <- change this line to 00
default=linux
restricted              <- add this line
password=<password>     <- add this line and put your password
image=/boot/vmlinuz-2.2.12-20
label=linux
initrd=/boot/initrd-2.2.12-10.img
root=/dev/sda6
read-only
Step 2
Because the configuration file /etc/lilo.conf now contains an unencrypted password, it should only
be readable by the super-user root.
[root@deep /]# chmod 600 /etc/lilo.conf (the file is no longer world readable).
Step 3
Now we must run lilo again so that the change to /etc/lilo.conf takes effect.
[root@deep /]# /sbin/lilo -v (re-installs the boot loader from the new lilo.conf).
Step 4
One more security measure you can take to secure the lilo.conf file is to set it immutable, using
the chattr command.
· To set the file immutable, simply use the command:
[root@deep /]# chattr +i /etc/lilo.conf
This will prevent any changes (accidental or otherwise) to the lilo.conf file. If you wish to
modify the lilo.conf file, you will need to unset the immutable flag first:
· To unset the immutable flag, use the command:
[root@deep /]# chattr -i /etc/lilo.conf
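As an added audit example (not from the book), the following shell functions check a lilo.conf for the protections described in Steps 1 to 4 above. The sample file they write is constructed here for testing, and PASSWORD_PLACEHOLDER stands in for a real password.

```shell
# Step 1: every image= / other= stanza must be covered by "password=" and
# "restricted", either globally (before the first stanza) or inside the stanza.
lilo_password_ok() {
    awk '
        /^[[:space:]]*(image|other)[[:space:]]*=/ { img = $0; n++; order[n] = img; next }
        /^[[:space:]]*password[[:space:]]*=/     { if (img == "") gpw = 1; else pw[img] = 1 }
        /^[[:space:]]*restricted[[:space:]]*$/   { if (img == "") grs = 1; else rs[img] = 1 }
        END {
            bad = 0
            for (i = 1; i <= n; i++) {
                if (!(gpw || pw[order[i]])) { print "no password for: " order[i]; bad = 1 }
                if (!(grs || rs[order[i]])) { print "not restricted: " order[i]; bad = 1 }
            }
            exit bad
        }' "$1"
}

# Step 2: the clear-text password must not be world readable (mode 0600 or 0400).
lilo_mode_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || mode=$(stat -f '%Lp' "$1")
    case "$mode" in
        600|400) return 0 ;;
        *) echo "mode $mode on $1 is readable by others"; return 1 ;;
    esac
}

# Step 4: the immutable flag should be set (needs lsattr from e2fsprogs);
# fails closed when lsattr is missing or prints nothing.
lilo_immutable_ok() {
    lsattr -d "$1" 2>/dev/null | awk '{ ok = index($1, "i") > 0 } END { exit ok ? 0 : 1 }'
}

# Constructed sample: "secured" mirrors the Step 1 listing, "weak" omits the
# restricted and password lines.  PASSWORD_PLACEHOLDER is not a real password.
write_sample_lilo_conf() {
    {
        printf 'boot=/dev/sda\nmap=/boot/map\ninstall=/boot/boot.b\nprompt\ntimeout=00\ndefault=linux\n'
        [ "$2" = secured ] && printf 'restricted\npassword=PASSWORD_PLACEHOLDER\n'
        printf 'image=/boot/vmlinuz-2.2.12-20\nlabel=linux\nroot=/dev/sda6\nread-only\n'
    } > "$1"
}
```

Run the three checks against /etc/lilo.conf as root after Step 4; each prints what is missing and returns non-zero on a finding.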
28. Disable the Control-Alt-Delete keyboard shutdown command