Disallow change of init kernel parameter

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP





.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;








1















is there any way to disallow changing init parameter on boot time?
I want to prevent situation when someone reboot my server, edit grub entry and get access without password.
Maybe some kernel parameters I can change while kernel compile?










share|improve this question
























  • Full disk encryption...

    – jasonwryan
    Dec 10 '14 at 22:56











  • ok, but what if I want to reboot it remotely?

    – KaP
    Dec 10 '14 at 23:07











  • unix.stackexchange.com/questions/37024/…

    – jasonwryan
    Dec 10 '14 at 23:32











  • A less secure but easier way is setting a password to GRUB.

    – user4098326
    Dec 10 '14 at 23:58

















1















is there any way to disallow changing init parameter on boot time?
I want to prevent situation when someone reboot my server, edit grub entry and get access without password.
Maybe some kernel parameters I can change while kernel compile?










share|improve this question
























  • Full disk encryption...

    – jasonwryan
    Dec 10 '14 at 22:56











  • ok, but what if I want to reboot it remotely?

    – KaP
    Dec 10 '14 at 23:07











  • unix.stackexchange.com/questions/37024/…

    – jasonwryan
    Dec 10 '14 at 23:32











  • A less secure but easier way is setting a password to GRUB.

    – user4098326
    Dec 10 '14 at 23:58













1












1








1








is there any way to disallow changing init parameter on boot time?
I want to prevent situation when someone reboot my server, edit grub entry and get access without password.
Maybe some kernel parameters I can change while kernel compile?










share|improve this question
















is there any way to disallow changing init parameter on boot time?
I want to prevent situation when someone reboot my server, edit grub entry and get access without password.
Maybe some kernel parameters I can change while kernel compile?







kernel security






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Mar 10 at 4:26









Rui F Ribeiro

42k1483142




42k1483142










asked Dec 10 '14 at 22:52









KaPKaP

187112




187112












  • Full disk encryption...

    – jasonwryan
    Dec 10 '14 at 22:56











  • ok, but what if I want to reboot it remotely?

    – KaP
    Dec 10 '14 at 23:07











  • unix.stackexchange.com/questions/37024/…

    – jasonwryan
    Dec 10 '14 at 23:32











  • A less secure but easier way is setting a password to GRUB.

    – user4098326
    Dec 10 '14 at 23:58

















  • Full disk encryption...

    – jasonwryan
    Dec 10 '14 at 22:56











  • ok, but what if I want to reboot it remotely?

    – KaP
    Dec 10 '14 at 23:07











  • unix.stackexchange.com/questions/37024/…

    – jasonwryan
    Dec 10 '14 at 23:32











  • A less secure but easier way is setting a password to GRUB.

    – user4098326
    Dec 10 '14 at 23:58
















Full disk encryption...

– jasonwryan
Dec 10 '14 at 22:56





Full disk encryption...

– jasonwryan
Dec 10 '14 at 22:56













ok, but what if I want to reboot it remotely?

– KaP
Dec 10 '14 at 23:07





ok, but what if I want to reboot it remotely?

– KaP
Dec 10 '14 at 23:07













unix.stackexchange.com/questions/37024/…

– jasonwryan
Dec 10 '14 at 23:32





unix.stackexchange.com/questions/37024/…

– jasonwryan
Dec 10 '14 at 23:32













A less secure but easier way is setting a password to GRUB.

– user4098326
Dec 10 '14 at 23:58





A less secure but easier way is setting a password to GRUB.

– user4098326
Dec 10 '14 at 23:58










1 Answer
1






active

oldest

votes


















2














If someone has physical access to your computer, they can boot from a USB key, or take out the hard drive and plug it into another computer. To prevent someone from changing boot parameters, put the computer in a locked case or locked room.



If the computer is in a locked case but its keyboard is accessible to untrusted people, then you need a software means to prevent booting with alternate parameters. This is the job of the bootloader, not the job of the kernel (the kernel isn't the software that's prompting you for parameters at boot time: it isn't even loaded into memory at that point). Be sure to forbid booting from any exposed external ports (e.g. USB, network) in the BIOS, and to set a password to access the BIOS configuration interface.



If your bootloader is Grub, activate its lockdown features: add a superusers setting to your grub.cfg, as well as password_pbkdf2 to set a password that allows accessing the command line. Be sure to add the --unrestricted option to your normal menu entry as well. See the manual for details and an example.






share|improve this answer























    Your Answer








    StackExchange.ready(function()
    var channelOptions =
    tags: "".split(" "),
    id: "106"
    ;
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function()
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled)
    StackExchange.using("snippets", function()
    createEditor();
    );

    else
    createEditor();

    );

    function createEditor()
    StackExchange.prepareEditor(
    heartbeatType: 'answer',
    autoActivateHeartbeat: false,
    convertImagesToLinks: false,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: null,
    bindNavPrevention: true,
    postfix: "",
    imageUploader:
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    ,
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    );



    );













    draft saved

    draft discarded


















    StackExchange.ready(
    function ()
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f172651%2fdisallow-change-of-init-kernel-parameter%23new-answer', 'question_page');

    );

    Post as a guest















    Required, but never shown

























    1 Answer
    1






    active

    oldest

    votes








    1 Answer
    1






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    2














    If someone has physical access to your computer, they can boot from a USB key, or take out the hard drive and plug it into another computer. To prevent someone from changing boot parameters, put the computer in a locked case or locked room.



    If the computer is in a locked case but its keyboard is accessible to untrusted people, then you need a software means to prevent booting with alternate parameters. This is the job of the bootloader, not the job of the kernel (the kernel isn't the software that's prompting you for parameters at boot time: it isn't even loaded into memory at that point). Be sure to forbid booting from any exposed external ports (e.g. USB, network) in the BIOS, and to set a password to access the BIOS configuration interface.



    If your bootloader is Grub, activate its lockdown features: add a superusers setting to your grub.cfg, as well as password_pbkdf2 to set a password that allows accessing the command line. Be sure to add the --unrestricted option to your normal menu entry as well. See the manual for details and an example.






    share|improve this answer



























      2














      If someone has physical access to your computer, they can boot from a USB key, or take out the hard drive and plug it into another computer. To prevent someone from changing boot parameters, put the computer in a locked case or locked room.



      If the computer is in a locked case but its keyboard is accessible to untrusted people, then you need a software means to prevent booting with alternate parameters. This is the job of the bootloader, not the job of the kernel (the kernel isn't the software that's prompting you for parameters at boot time: it isn't even loaded into memory at that point). Be sure to forbid booting from any exposed external ports (e.g. USB, network) in the BIOS, and to set a password to access the BIOS configuration interface.



      If your bootloader is Grub, activate its lockdown features: add a superusers setting to your grub.cfg, as well as password_pbkdf2 to set a password that allows accessing the command line. Be sure to add the --unrestricted option to your normal menu entry as well. See the manual for details and an example.






      share|improve this answer

























        2












        2








        2







        If someone has physical access to your computer, they can boot from a USB key, or take out the hard drive and plug it into another computer. To prevent someone from changing boot parameters, put the computer in a locked case or locked room.



        If the computer is in a locked case but its keyboard is accessible to untrusted people, then you need a software means to prevent booting with alternate parameters. This is the job of the bootloader, not the job of the kernel (the kernel isn't the software that's prompting you for parameters at boot time: it isn't even loaded into memory at that point). Be sure to forbid booting from any exposed external ports (e.g. USB, network) in the BIOS, and to set a password to access the BIOS configuration interface.



        If your bootloader is Grub, activate its lockdown features: add a superusers setting to your grub.cfg, as well as password_pbkdf2 to set a password that allows accessing the command line. Be sure to add the --unrestricted option to your normal menu entry as well. See the manual for details and an example.






        share|improve this answer













        If someone has physical access to your computer, they can boot from a USB key, or take out the hard drive and plug it into another computer. To prevent someone from changing boot parameters, put the computer in a locked case or locked room.



        If the computer is in a locked case but its keyboard is accessible to untrusted people, then you need a software means to prevent booting with alternate parameters. This is the job of the bootloader, not the job of the kernel (the kernel isn't the software that's prompting you for parameters at boot time: it isn't even loaded into memory at that point). Be sure to forbid booting from any exposed external ports (e.g. USB, network) in the BIOS, and to set a password to access the BIOS configuration interface.



        If your bootloader is Grub, activate its lockdown features: add a superusers setting to your grub.cfg, as well as password_pbkdf2 to set a password that allows accessing the command line. Be sure to add the --unrestricted option to your normal menu entry as well. See the manual for details and an example.







        share|improve this answer












        share|improve this answer



        share|improve this answer










        answered Dec 11 '14 at 0:00









        GillesGilles

        546k12911111625




        546k12911111625



























            draft saved

            draft discarded
















































            Thanks for contributing an answer to Unix & Linux Stack Exchange!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid


            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.

            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f172651%2fdisallow-change-of-init-kernel-parameter%23new-answer', 'question_page');

            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown






            Popular posts from this blog

            How to check contact read email or not when send email to Individual?

            Displaying single band from multi-band raster using QGIS

            How many registers does an x86_64 CPU actually have?