Browse Source

Adds several items:

* BIOS / UEFI
* GRUB2 PASSWORD PROTECT
* SSD or HD ENCRYPTION
devel
Jonathan Rosenbaum 7 years ago
parent
commit
5edc4f97c2
  1. 46
      examples/secure-terminals.txt

46
examples/secure-terminals.txt

@ -236,6 +236,52 @@ Example commands that bring up the gui setting tool:
1. xfce4-power-manager-settings (eg., used by wattos for LXDE) 1. xfce4-power-manager-settings (eg., used by wattos for LXDE)
2. mate-power-manager-settings or mate-power-preferences 2. mate-power-manager-settings or mate-power-preferences
BIOS / UEFI (recommended)
Turn off booting of external devices; disable unnecessary external ports; password protect BIOS setup.
Remember the password. There are some ways to reset passwords, if forgotten, but depending on the hardware,
it is not always straight-forward, e.g., resetting the CMOS.
GRUB2 PASSWORD PROTECT (mandatory)
You don't want individuals casually booting into single mode or a shell, therefore,
password protecting GRUB with an encrypted password is mandatory.
https://help.ubuntu.com/community/Grub2/Passwords gives good instructions
1. In /etc/grub.d/10_linux change
CLASS="--class gnu-linux --class gnu --class os"
to
CLASS="--class gnu-linux --class gnu --class os --unrestricted"
2. Create an encrypted password with grub-mkpasswd-pbkdf2, producing something like
grub.pbkdf2.sha512.10000.80E702585F80C8D70D4BC75
3. In /etc/grub.d/40_custom add:
set superusers="MyUserName"
password_pbkdf2 MyUserName grub.pbkdf2.sha512.10000.80E702585F80C8D70D4BC75
4. sudo chmod 0700 40_custom
5. update-grub2
SSD or HD Encryption (optional)
If a sign-in computers unencrypted drive goes missing (or is stolen), it should (in most cases)
be pretty obvious, and you would want to change YBDB's htpasswd and root password. However, if you
want to "help" prevent a detached drive from being accessed, utilitizing an encrypted partition or file container,
for the keepass2 system discussed above, would be one way to go, although, even that can be accessed with a few steps,
and some forensics (https://dfir.science/2014/08/how-to-brute-forcing-password-cracking.html). While most modern
distributions provide an option to encrypt the whole installation, some good reasons for not wanting to do this
include a performance hit, and a more complex recovery. When deciding to go the encryption route, you need to weigh
in the advantages and disadvantages for encrypting while factoring into the equation the nature of environment
the computer will be located within.
SUMMARY SUMMARY
There are other things that can be done within the terminal to prevent tampering, e.g., kiosk or read-only environment, There are other things that can be done within the terminal to prevent tampering, e.g., kiosk or read-only environment,

Loading…
Cancel
Save