Re: Physically securing FreeBSD workstations & /boot/boot2



Nerius Landys wrote:
> Hi. I am attempting to secure some workstations in such a way that a
> user would not be able to gain full control of the computer (only user
> access). However, they are able to see and touch the physical
> workstation.

I assume that users cannot tinker with the hardware, take it apart, add a different disk, etc., and that only authorized users can physically access the computer. That's what physical security is about.

I understand you may have some authorized user who will nevertheless try to gain elevated privileges. That's really logical security (local, that is, as opposed to remote/network security).

> 2. Go to loader menu and load (boot kernel) with some custom
> parameters or something. I've secured the loader menu by
> password-protecting it (/boot/loader.conf has password) and
> /boot/loader.conf is not world-readable.

> And I'm sure there are other things, I just forgot them.

You can configure the loader so as not to present any loader menu but boot right away. If you need the option of booting into single user mode, then you can password protect single user mode.

> So my question is: Is this [securing of the workstation] worthwhile,
> or should I just forget about this kind of security? I want to make
> it so that the only way to gain full control of the computer is by
> physically opening up the box.

You can always make it more difficult, which should give you less to worry about. You have to weigh how much work it takes against how much you really have to worry about, then decide when it's enough.

How about running diskless? How about centralized authentication with NIS or LDAP?

Another option is to disable root locally, that is, the account still exists but with * in the password field. If each workstation runs sshd you can use key based authentication to gain privileged access remotely while local access is disabled.

> I noticed that boot2 brings up a menu like this one when I press space
> during the initial boot blocks:
>
> FreeBSD/i386 BOOT
> Default: 0:ad(0,a)/boot/loader
> boot:
>
> I guess it would be possible to stick in a floppy disk or something
> and boot from there? So my question is, is this a threat to my plan,
> and if so, how can I disable this prompt?

You've still got floppies? Wow. How about trying to boot a floppy with your current configuration? I'm not sure that it will work at that stage if it has been disabled in the BIOS. It might be possible to load the kernel from the hard disk then tell the kernel to mount the floppy as root device. You could solve that by compiling a kernel without floppy support and deleting the kernel module.

You need to learn how to script the loader, read the source code, I don't recall finding much documentation on that last time I looked.

Others suggest you encrypt the hard drive; I don't find it very useful in your case, I assume your users need to access the systems and use them for the intended purposes and you just want to protect against someone trying to escalate his privileges.

If you encrypt partitions with geli then you'll have to enter the password every time somebody reboots. However, you should consider encrypted swap and temporary partitions; together with a forced reboot on logout, you avoid session data getting into the hands of the next user.

BR, Erik
--
Erik Nørgaard
Ph: +34.666334818/+34.915211157 http://www.locolomo.org
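A hypothetical audit script, added here as an example that is not part of the thread, checking the local-hardening settings suggested in the reply above: a loader password with the loader menu disabled, a loader.conf that group and others cannot read, root locked with * in master.passwd, key-only privileged access over sshd, and geli-encrypted swap in fstab. The file layout under a root directory and the AUDIT_ROOT variable are assumptions so the checks can run against constructed copies of the files.

```shell
#!/bin/sh
# Hypothetical hardening audit for a FreeBSD workstation (added example, not
# from the thread). File paths are parameters so it can also be run against
# constructed copies of the files. Every check prints why it failed.

# Loader must have a password and must not stop at the loader menu.
check_loader_conf() {
    grep -Eq '^password="[^"]+"' "$1" || { echo "$1: no loader password"; return 1; }
    grep -Eq '^autoboot_delay="-1"' "$1" || { echo "$1: autoboot_delay not -1"; return 1; }
}

# The loader password lives in this file, so group/other must have no access.
check_not_world_readable() {
    gobits=$(ls -l "$1" | cut -c5-10)          # group+other bits from ls -l
    [ "$gobits" = "------" ] || { echo "$1: group/other bits are $gobits"; return 1; }
}

# Root is locked locally when its master.passwd password field is exactly "*".
check_root_locked() {
    awk -F: '$1 == "root" { seen = 1; if ($2 == "*") ok = 1 }
             END { exit !(seen && ok) }' "$1"
}

# Privileged access is remote-only and key-only: no passwords, root by key.
check_sshd_config() {
    grep -Eq '^PasswordAuthentication[[:space:]]+no' "$1" ||
        { echo "$1: PasswordAuthentication is not no"; return 1; }
    grep -Eq '^PermitRootLogin[[:space:]]+(without-password|prohibit-password)' "$1" ||
        { echo "$1: PermitRootLogin must be without-password/prohibit-password"; return 1; }
}

# Every swap entry in fstab must be a geli device (.eli) so a one-time key is used.
check_swap_encrypted() {
    awk '$3 == "swap" && $1 !~ /\.eli$/ { bad = 1 } END { exit bad + 0 }' "$1"
}

# Run all checks below a system root (pass "" for /); returns the number of failures.
audit_workstation() {
    fails=0
    check_loader_conf "$1/boot/loader.conf"           || fails=$((fails + 1))
    check_not_world_readable "$1/boot/loader.conf"    || fails=$((fails + 1))
    check_root_locked "$1/etc/master.passwd"          || fails=$((fails + 1))
    check_sshd_config "$1/etc/ssh/sshd_config"        || fails=$((fails + 1))
    check_swap_encrypted "$1/etc/fstab"               || fails=$((fails + 1))
    return "$fails"
}

# "AUDIT_ROOT= sh audit.sh" audits the live system; when unset only the functions load.
if [ "${AUDIT_ROOT+set}" ]; then audit_workstation "$AUDIT_ROOT"; fi
```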
_______________________________________________
freebsd-questions@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@xxxxxxxxxxx"