Boot Security (Discussion and Demo)

Video Transcription
00:00
>> Hey Cybrarians.
00:00
>> Welcome back to the Linux+ course here at Cybrary.
00:00
>> I'm your instructor Rob Goelz.
00:00
In today's lesson,
00:00
we're going to be covering Boot Security.
00:00
Upon completion of today's lesson,
00:00
you're going to be able to understand
00:00
the benefits of securing system boot,
00:00
and we're going to talk about how we modify BIOS and
00:00
UEFI as well as the bootloader to accomplish secure boot.
00:00
Securing the boot process really
00:00
falls under what is called physical security,
00:00
because if an attacker has physical access to the system,
00:00
they can compromise the boot process.
00:00
The Linux+ exam is specifically focused on
00:00
securing BIOS or UEFI and the system bootloader.
00:00
The attack surface for BIOS and
00:00
UEFI is modifying system boot process,
00:00
and then setting up the system to
00:00
boot from a removable device,
00:00
or an optical drive, or something
00:00
that we don't want it booting from.
00:00
To prevent this, BIOS and
00:00
UEFI are secured with a password.
00:00
Now, the bootloader can also be compromised,
00:00
allowing an attacker to boot into alternate kernels,
00:00
or change the run level or target,
00:00
or boot into a mode where they can
00:00
reset the root password.
00:00
Likewise, we secure
00:00
the bootloader with a password to prevent this.
00:00
Let's have a look at setting
00:00
the bootloader password with some demo time.
00:00
Here we are over in our demo environment,
00:00
and since I'm using VirtualBox on my system,
00:00
I don't actually have a BIOS or UEFI to look at.
00:00
But instead let's take a look at securing
00:00
boot by setting a bootloader password.
00:00
In order to do this,
00:00
the first thing that we need to do is modify
00:00
a grub config file and remember some of
00:00
these grub config files live in a grub.d and we're
00:00
going to modify the file that's called 10_linux.
00:00
Now what we actually want to do in here,
00:00
and I'm going to turn on our numbers by
00:00
doing Escape colon set number.
00:00
What we actually want to do here is
00:00
go down to this line 29,
00:00
and we want to remove this setting
00:00
here that says unrestricted
00:00
because what we're doing is we're setting up
00:00
a bootloader restriction, we're going to set a password.
00:00
We're going to remove this and then we're
00:00
going to hit Escape colon,
00:00
wq to get out of Vim and save our changes.
00:00
Now we're back. Now,
00:00
the next thing that we need to do is set the password.
00:00
Well, the really cool thing about working with GRUB 2
00:00
is that there actually is a command
00:00
to set up a hash password,
00:00
and that command is grub2-setpassword.
00:00
But just like everything else,
00:00
we need to be root to do this,
00:00
so we're going to do sudo grub2-set,
00:00
and the word password is not
00:00
P-A-S-S-W-D, it's setpassword.
00:00
Now it's going to prompt for a password,
00:00
I'm just going to set something silly
00:00
here and I'll confirm it,
00:00
and then hit Enter. There we go.
00:00
Now we can see that this is actually created,
00:00
if we go into this file,
00:00
we're going to go and we're just going to
00:00
cat out the contents of
00:00
the boot, that's how you spell that.
00:00
Grub2, and user.cfg file.
00:00
If we look at this file, we can see
00:00
the grub2 password is set,
00:00
it's a SHA-512 hashed value,
00:00
and then we can see all the characters in that hash.
00:00
That's the password that I set,
00:00
but it's not visible to us,
00:00
it's hashed for security purposes.
00:00
Now anytime we make a change to grub,
00:00
we have to recreate the configuration with
00:00
the command grub2-mkconfig.
00:00
Here, we're going to specify
00:00
the output file to be our default grub configuration.
00:00
Again, we're going to run this as sudo,
00:00
and then we're going to run grub2-mkconfig,
00:00
we can go out and we're going to put this to grub,
00:00
boot grub2, and then [LAUGHTER] grub.cfg.
00:00
There we go, we're done.
00:00
Now, let's go ahead and reboot.
00:00
If we try to access the bootloader,
00:00
we should be prompted for that password,
00:00
so we'll just give it a shot.
00:00
I'm going to go ahead and close out of this.
00:00
I'm going to go up here and I'm going
00:00
to restart the system.
00:00
We'll give it just a second to finish restarting,
00:00
and then we should be able to get into the bootloader
00:00
and try and see if we're able to get in.
00:00
Here we are going to hit Edit,
00:00
then I type in the username root,
00:00
and password that I set.
00:00
I typed it right, and there we are.
00:00
Without that password, we can't get
00:00
into our bootloader, but here we're good to go.
00:00
Let's hit Control X to start,
00:00
and it'll start us booting into CentOS once again.
00:00
But with that, we've reached the end of this lesson and in
00:00
this lesson we covered the benefits
00:00
of securing system boot,
00:00
the kind of attacks that we can prevent by doing so
00:00
and we talked about
00:00
configuring password protection for BIOS,
00:00
UEFI, and bootloader,
00:00
and we got to see how we can do that for
00:00
the bootloader with some demo time.
00:00
Thanks so much for being here and I look
00:00
forward to seeing you in the next lesson.