bike/Yellow-Bike-Database-Mirror
1
0
Fork 0
mirror of https://github.com/fspc/Yellow-Bike-Database.git synced 2025-10-31 17:05:36 -04:00
Code Issues Projects Releases Wiki Activity

Adds several items:

Browse Source 
* BIOS / UEFI
* GRUB2 PASSWORD PROTECT
* SSD or HD ENCRYPTION
This commit is contained in:
Jonathan Rosenbaum 2018-01-06 07:10:42 +00:00
parent 0bcd6e881f
commit 5edc4f97c2
1 changed files with 46 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

46
examples/secure-terminals.txt
View File

@ -236,6 +236,52 @@ Example commands that bring up the gui setting tool:
1. xfce4-power-manager-settings (eg., used by wattos for LXDE) 1. xfce4-power-manager-settings (eg., used by wattos for LXDE)
2. mate-power-manager-settings or mate-power-preferences 2. mate-power-manager-settings or mate-power-preferences
BIOS / UEFI (recommended)
Turn off booting of external devices; disable unnecessary external ports; password protect BIOS setup.
Remember the password. There are some ways to reset passwords, if forgotten, but depending on the hardware,
it is not always straight-forward, e.g., resetting the CMOS.
GRUB2 PASSWORD PROTECT (mandatory)
You don't want individuals casually booting into single mode or a shell, therefore,
password protecting GRUB with an encrypted password is mandatory.
https://help.ubuntu.com/community/Grub2/Passwords gives good instructions
1. In /etc/grub.d/10_linux change
CLASS="--class gnu-linux --class gnu --class os"
to
CLASS="--class gnu-linux --class gnu --class os --unrestricted"
2. Create an encrypted password with grub-mkpasswd-pbkdf2, producing something like
grub.pbkdf2.sha512.10000.80E702585F80C8D70D4BC75
3. In /etc/grub.d/40_custom add:
set superusers="MyUserName"
password_pbkdf2 MyUserName grub.pbkdf2.sha512.10000.80E702585F80C8D70D4BC75
4. sudo chmod 0700 40_custom
5. update-grub2
SSD or HD Encryption (optional)
If a sign-in computers unencrypted drive goes missing (or is stolen), it should (in most cases)
be pretty obvious, and you would want to change YBDB's htpasswd and root password. However, if you
want to "help" prevent a detached drive from being accessed, utilitizing an encrypted partition or file container,
for the keepass2 system discussed above, would be one way to go, although, even that can be accessed with a few steps,
and some forensics (https://dfir.science/2014/08/how-to-brute-forcing-password-cracking.html). While most modern
distributions provide an option to encrypt the whole installation, some good reasons for not wanting to do this
include a performance hit, and a more complex recovery. When deciding to go the encryption route, you need to weigh
in the advantages and disadvantages for encrypting while factoring into the equation the nature of environment
the computer will be located within.
SUMMARY SUMMARY
There are other things that can be done within the terminal to prevent tampering, e.g., kiosk or read-only environment, There are other things that can be done within the terminal to prevent tampering, e.g., kiosk or read-only environment,