|Securing and Optimizing Linux: RedHat Edition -A Hands on Guide|
|Prev||Chapter 5. General System Security||Next|
LILO is the most commonly used boot loader for Linux. It manages the boot process and can boot Linux kernel images from floppy disks, hard disks or can even act as a boot manager for other operating systems. LILO is very important in the Linux system and for this reason, we must protect it the best we can. The most important configuration file of LILO is the lilo.conf file, which resides under the /etc directory. It is with this file that we can configure and improve the security of our LILO program and Linux system. Following are three important options that will improve the security of our valuable LILO program.
This option controls how long in seconds LILO waits for user input before booting to the default selection. One of the requirements of C2 security is that this interval be set to 0 unless the system dual boots something else.
This option asks for a password only, if parameters are specified on the command line (e.g. linux single). The option restricted can only be used together with the password option. Make sure you use this one on each image.
This option asks the user for a password when trying to load the Linux system in single mode. Passwords are always case-sensitive, also make sure the /etc/lilo.conf file is no longer world readable, or any user will be able to read the password.
An example of protected lilo.conf file.
Edit the lilo.conf file vi /etc/lilo.conf and add or change the above three options as show:
boot=/dev/sda map=/boot/map install=/boot/boot.b prompt timeout=00 ß change this line to 00. Default=linux restricted ß add this line. password=<password> image=/boot/vmlinuz-2.2.12-20 label=linux initrd=/boot/initrd-2.2.12-10.img root=/dev/sda6 read-only
Because the configuration file /etc/lilo.conf now contains unencrypted passwords, it should only be readable for the super-user root.
[root@deep] /# chmod 600 /etc/lilo.conf will be no longer world readable.
Now we must update our configuration file /etc/lilo.conf for the change to take effect.
[root@deep] /# /sbin/lilo -v to update the lilo.conf file.
One more security measure you can take to secure the lilo.conf file is to set it immutable, using the chattr command. To set the file immutable simply, use the command:
[root@deep] /# chattr +i /etc/lilo.conf
[root@deep] /# chattr -i /etc/lilo.conf