Disallow change of init kernel parameter









1















Is there any way to disallow changing the init parameter at boot time?
I want to prevent the situation where someone reboots my server, edits the GRUB entry and gets access without a password.
Maybe there are some kernel parameters I can change when compiling the kernel?










  • Full disk encryption... – jasonwryan, Dec 10 '14 at 22:56
  • OK, but what if I want to reboot it remotely? – KaP, Dec 10 '14 at 23:07
  • unix.stackexchange.com/questions/37024/… – jasonwryan, Dec 10 '14 at 23:32
  • A less secure but easier way is setting a password to GRUB. – user4098326, Dec 10 '14 at 23:58

















kernel security






asked Dec 10 '14 at 22:52 by KaP
edited Mar 10 at 4:26 by Rui F Ribeiro












1 Answer


















2














If someone has physical access to your computer, they can boot from a USB key, or take out the hard drive and plug it into another computer. To prevent someone from changing boot parameters, put the computer in a locked case or locked room.



If the computer is in a locked case but its keyboard is accessible to untrusted people, then you need a software means to prevent booting with alternate parameters. This is the job of the bootloader, not the job of the kernel (the kernel isn't the software that's prompting you for parameters at boot time: it isn't even loaded into memory at that point). Be sure to forbid booting from any exposed external ports (e.g. USB, network) in the BIOS, and to set a password to access the BIOS configuration interface.



If your bootloader is Grub, activate its lockdown features: add a superusers setting to your grub.cfg, as well as password_pbkdf2 to set a password that allows accessing the command line. Be sure to add the --unrestricted option to your normal menu entry as well. See the manual for details and an example.






answered Dec 11 '14 at 0:00 by Gilles
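An added example, not part of the original answer: a shell lint for the three GRUB settings the answer names (superusers, password_pbkdf2, --unrestricted), run on a constructed grub.cfg fragment. The function names, the sample entries and the placeholder hash are assumptions; the check reads only top-level keywords and is not a GRUB script parser.

```shell
#!/bin/sh
# audit_grub_cfg [FILE]: lint a grub.cfg (or stdin) for the lockdown settings
# named in the answer. Prints findings; returns 0 only when no FAIL is printed.
audit_grub_cfg() {
    awk '
    $1 == "set" && $2 ~ /^superusers=/ {
        seen = 1
        v = $0; sub(/^[^=]*=/, "", v); gsub(/["\047]/, "", v)
        n = split(v, part, /[ ,;&|]+/)      # separators GRUB accepts
        for (i = 1; i <= n; i++) if (part[i] != "") su[++ns] = part[i]
    }
    $1 == "password_pbkdf2" { hashed[$2] = 1 }
    $1 == "password"        { plain[$2] = 1 }  # cleartext in the config
    $1 == "menuentry" {
        if ($0 ~ /--unrestricted/) { open++; next }
        if ($0 ~ /--users/) next               # bootable by the listed users
        t = $0; sub(/^[ \t]*menuentry[ \t]+/, "", t)
        q = substr(t, 1, 1)                    # title may be quoted
        if (q == "\"" || q == "\047") { t = substr(t, 2); sub(q ".*", "", t) }
        else sub(/[ \t].*/, "", t)
        locked[++nl] = t
    }
    END {
        if (!seen) { print "FAIL superusers not set"; exit 1 }
        for (i = 1; i <= ns; i++) {
            if (su[i] in plain) { print "FAIL cleartext password: " su[i]; bad++ }
            else if (!(su[i] in hashed)) { print "FAIL no password: " su[i]; bad++ }
        }
        if (!open) { print "FAIL no --unrestricted entry"; bad++ }
        for (i = 1; i <= nl; i++) print "NOTE superuser login to boot: " locked[i]
        exit (bad > 0)
    }' "$@"
}

# Constructed sample in the layout the answer describes. The password hash is
# a placeholder; a real one is produced by grub-mkpasswd-pbkdf2.
sample_cfg() {
    cat <<'EOF'
set superusers="admin"
password_pbkdf2 admin grub.pbkdf2.sha512.10000.PLACEHOLDER_SALT.PLACEHOLDER_HASH
menuentry 'Linux' --class gnu-linux --unrestricted {
    linux /vmlinuz root=/dev/sda1 ro
}
menuentry 'Linux (recovery mode)' {
    linux /vmlinuz root=/dev/sda1 ro single
}
EOF
}

sample_cfg | audit_grub_cfg
```

With superusers set, an --unrestricted entry still boots unattended, which covers the remote-reboot case raised in the comments, while editing that entry or opening the GRUB command line requires the superuser password.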


























