
Suppose that a regular Linux machine is compromised by an attacker who has obtained a root shell; they can then modify the system kernel, or modify the boot loader to load another kernel.

Is there a way to prevent such modifications?

I want to disable such things for a regular Linux OS (not a container) installed on a regular PC with only one regular hard disk. I don't want to use read-only media like a CD-ROM.

A rough theoretical solution is to patch the kernel to disallow modifications to the MBR plus another area of the hard disk (maybe a partition), and to store the kernel and boot loader files in that area.

gopy
  • UEFI secure boot, if that's supported by your "regular PC". – Michael Homer Dec 02 '18 at 08:03
  • UEFI secure boot only detects the changes on reboot; it does not prevent them. I'm looking for another solution. – gopy Dec 02 '18 at 08:59
  • No, you really cannot limit root on a running OS. If an intruder has physical or root access, they can do what they wish. You can, however, use non-root users rather than the root account. The only potential protections, imo, from exploits are keeping your system up to date and SELinux (SELinux is not foolproof). You can read any Linux security book or further hardening guides. – Panther Dec 02 '18 at 16:12
  • It certainly prevents the "modify the boot loader to load another kernel" case, in that it won't load another kernel, and module signing prevents injection into the running kernel. I'm not sure what your model is here. – Michael Homer Dec 02 '18 at 17:03
  • @Panther I understand that root can do anything, but I mean to add changes to the kernel that prevent root from doing the above-mentioned actions. You advised me to read about hardening methods, but I am looking for a new hardening method. It is a new layer of protection. – gopy Dec 02 '18 at 17:27
  • @Panther That is not how signatures work. – Michael Homer Dec 02 '18 at 18:00
  • You could require an external plug-in cryptographic token for boot (usually called a TPM) and a LUKS-encrypted drive. ... [A U&L question about TPM](https://unix.stackexchange.com/questions/341629/how-to-determine-if-computer-has-tpm-trusted-platform-module-available) ... And [information on what a TPM is](https://trustedcomputinggroup.org/resource/trusted-platform-module-tpm-summary/) ... Have a look at [Apple's iPhone Security](https://www.apple.com/business/site/docs/iOS_Security_Guide.pdf) ... A Secure Enclave is what you are attempting to create. This is probably out of scope for U&L. – RubberStamp Dec 02 '18 at 18:01
  • @Panther You are incorrect. You can certainly restrict the root user, since it is still ring 3. This requires either using something like grsecurity or the newer "lockdown" feature in Linux, combined with some kind of MAC to prevent raw access to disk block devices and the boot partition. This isn't even a rare setup either. It's actually very common. Now obviously, it doesn't protect from _physical_ attackers... – forest Dec 24 '18 at 04:25

1 Answer


Is there a way to prevent [kernel or boot loader] modifications [by root]?

No;

"UEFI secure boot" would stop a remote attacker from persisting on reboot but they could just re-hack on every reboot. Local users could just use

mokutil --import my_signing_key_pub.der

to get full control. The best mitigation is in depth with an IDS.

user1133275
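The thread leaves two defender-side pieces unshown: forest's comment points at the kernel's "lockdown" feature as the thing that stops root from altering the running kernel, and the answer ends on an IDS as the practical mitigation for the boot partition. The script below is an added example, not code from the answer or from any project named here. It parses the lockdown state string the kernel exposes in /sys/kernel/security/lockdown, and it keeps a hash manifest of a boot directory and reports any missing, modified or added file, which is the core of what an IDS such as AIDE does for /boot. It assumes a constructed temporary directory standing in for /boot (it never touches the real one), and it uses sha256sum when available with cksum as a weaker fallback. One caveat on the answer's mokutil line, which is how shim actually behaves: mokutil --import only queues an enrollment request, and shim's MokManager asks for confirmation and the password at the next boot, so the enrollment still needs someone at the console.

```shell
#!/bin/sh
# Added example (not from the answer or the question author): two defender-side checks
# matching the thread's points about kernel lockdown and integrity monitoring of /boot.
# Assumptions: the demo at the bottom runs on a constructed temporary directory, never the
# real /boot; sha256sum is used when present, cksum (CRC only) as a weaker fallback.

# Return the bracketed entry from a lockdown string such as "none [integrity] confidentiality".
# On a live system the string comes from /sys/kernel/security/lockdown (Linux 5.4 and later).
lockdown_mode() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)\].*/\1/p'
}

# Report the running kernel's lockdown mode, or "unavailable" when the file is absent.
live_lockdown_mode() {
    if [ -r /sys/kernel/security/lockdown ]; then
        lockdown_mode "$(cat /sys/kernel/security/lockdown)"
    else
        echo unavailable
    fi
}

hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        cksum "$1" | cut -d' ' -f1   # CRC: catches accidents, not a deliberate attacker
    fi
}

# Write "<hash>  <path>" for every regular file under $1 into the manifest $2.
# The manifest is only worth something if root on the monitored host cannot rewrite it
# (keep it on another host or on read-only storage).
boot_baseline() {
    : > "$2"
    find "$1" -type f | LC_ALL=C sort | while read -r f; do
        printf '%s  %s\n' "$(hash_file "$f")" "$f" >> "$2"
    done
}

# Compare directory $1 against manifest $2. Prints each deviation; returns 1 if any.
# Paths containing whitespace are not handled (the manifest is whitespace-separated).
boot_verify() {
    changed=0
    while read -r h f; do
        if [ ! -f "$f" ]; then
            echo "MISSING  $f"; changed=1
        elif [ "$(hash_file "$f")" != "$h" ]; then
            echo "MODIFIED $f"; changed=1
        fi
    done < "$2"
    added=$(find "$1" -type f | while read -r f; do
        awk -v p="$f" '$2 == p { found = 1 } END { exit !found }' "$2" || echo "ADDED    $f"
    done)
    if [ -n "$added" ]; then
        echo "$added"; changed=1
    fi
    return $changed
}

# Demo on a constructed directory that stands in for /boot.
demo=$(mktemp -d)
mkdir "$demo/boot"
printf 'constructed stand-in for a kernel image\n' > "$demo/boot/vmlinuz"
printf 'set default=0\n' > "$demo/boot/grub.cfg"
boot_baseline "$demo/boot" "$demo/manifest"
echo "lockdown mode on this host: $(live_lockdown_mode)"
boot_verify "$demo/boot" "$demo/manifest" && echo "boot files match the baseline"
printf 'set default=1\n' >> "$demo/boot/grub.cfg"   # simulated tampering with the boot loader config
boot_verify "$demo/boot" "$demo/manifest" || echo "deviation from the baseline detected"
rm -rf "$demo"
```

On a host with Secure Boot and lockdown in "integrity" mode, this kind of manifest check is what turns "the kernel refuses to load an unsigned image" into "someone tried to put one there", which is the detection the answer's IDS suggestion is asking for; the manifest has to be stored where the monitored host's root cannot rewrite it, otherwise the attacker simply re-baselines after tampering.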