Date:      Fri, 07 Aug 2009 00:58:24 +0200
From:      Erik Norgaard <norgaard@locolomo.org>
To:        Nerius Landys <nlandys@gmail.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Physically securing FreeBSD workstations & /boot/boot2
Message-ID:  <4A7B6010.2090506@locolomo.org>
In-Reply-To: <560f92640908061135j41f35bfevcd1476ce9ead38a4@mail.gmail.com>
References:  <560f92640908061135j41f35bfevcd1476ce9ead38a4@mail.gmail.com>

Nerius Landys wrote:
> Hi.  I am attempting to secure some workstations in such a way that a
> user would not be able to gain full control of the computer (only user
> access). However, they are able to see and touch the physical
> workstation.

I assume that users cannot tinker with the hardware, take it apart, add 
a different disk etc. and that only authorized users can physically 
access the computer. That's what physical security is about.

I understand you may have some authorized user who will nevertheless try 
to gain elevated privileges. That's really logical security, local that 
is as opposed to remote/network security.

> 2. Go to loader menu and load (boot kernel) with some custom
> parameters or something.  I've secured the loader menu by
> password-protecting it (/boot/loader.conf has password) and
> /boot/loader.conf is not world-readable.
> 
> And I'm sure there are other things, I just forgot them.

You can configure the loader so that it does not present any loader menu 
but boots right away. If you need the option of booting into single user 
mode, then you can password protect single user mode.

> So my question is: Is this [securing of the workstation] worthwhile,
> or should I just forget about this kind of security?  I want to make
> it so that the only way to gain full control of the computer is by
> physically opening up the box.

You can always make it more difficult, which should give you less to 
worry about. You have to weigh how much work it takes against how much 
you really have to worry about, then decide when it's enough.

How about running diskless? How about centralized authentication with 
NIS or LDAP?

Another option is to disable root locally, that is the account still 
exists but with * in the password field. If each workstation runs sshd 
you can use key based authentication to gain privileged access remotely 
while local access is disabled.

> I noticed that boot2 brings up a menu like this one when I press space
> during the initial boot blocks:
> 
>>> FreeBSD/i386 BOOT
> Default: 0:ad(0,a)/boot/loader
> boot:
> 
> I guess it would be possible to stick in a floppy disk or something
> and boot from there?  So my question is, is this a threat to my plan,
> and if so, how can I disable this prompt?

You've still got floppies? wow. How about trying to boot a floppy with 
your current configuration? I'm not sure that it will work at that stage 
if it has been disabled in the BIOS. It might be possible to load the 
kernel from the hard disk then tell the kernel to mount the floppy as 
root device. You could solve that by compiling a kernel without floppy 
support and deleting the kernel module.

You need to learn how to script the loader, read the source code, I 
don't recall finding much documentation on that last time I looked.

Others suggest you encrypt the hard drive; I don't find it very useful in 
your case. I assume your users need to access the systems and use them 
for the intended purposes and you just want to protect against someone 
trying to escalate his privileges.

If you encrypt partitions with geli then you'll have to enter the 
password every time somebody reboots. However, you should consider 
encrypted swap and temporary partitions; together with a forced reboot on 
logout, you avoid session data getting into the hands of the next user.

BR, Erik
-- 
Erik Nørgaard
Ph: +34.666334818/+34.915211157                  http://www.locolomo.org
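Added example, not part of Erik's mail or of FreeBSD itself: a POSIX sh audit script that checks the hardening points discussed above (no loader menu, single-user mode behind the root password, root locked locally, key-only root over ssh, swap on geli) against constructed sample config files. The sample file contents and the `prohibit-password` spelling of the sshd setting are assumptions; the configuration keys themselves are the standard FreeBSD ones.

```shell
#!/bin/sh
# Offline audit of the local-hardening points from the thread: no loader menu,
# single-user mode behind the root password, root locked locally, key-only
# root over ssh, encrypted swap. Each check takes a file path and returns
# 0 (hardened) or 1 (not). On a real host pass /boot/loader.conf, /etc/ttys,
# /etc/master.passwd, /etc/ssh/sshd_config and /etc/fstab instead.

# Menu suppressed and autoboot immediate (beastie_disable + autoboot_delay=-1).
loader_menu_disabled() {
    grep -Eq '^[[:space:]]*beastie_disable="?YES"?' "$1" &&
    grep -Eq '^[[:space:]]*autoboot_delay="?-1"?' "$1"
}
# Console marked insecure in ttys makes single-user mode ask for root's password.
console_insecure() {
    awk '$1 == "console" && $NF == "insecure" { f = 1 } END { exit !f }' "$1"
}
# Root has "*" in the password field of master.passwd, so no local login works.
root_locked() {
    awk -F: '$1 == "root" { f = 1; ok = ($2 == "*") } END { exit !(f && ok) }' "$1"
}
# Root may log in over ssh only with a key, and password auth is off entirely.
sshd_root_keys_only() {
    grep -Eiq '^[[:space:]]*PermitRootLogin[[:space:]]+(without|prohibit)-password' "$1" &&
    grep -Eiq '^[[:space:]]*PasswordAuthentication[[:space:]]+no' "$1"
}
# Every swap entry in fstab is a geli-backed .eli device.
swap_encrypted() {
    awk '$3 == "swap" { f = 1; if ($1 !~ /\.eli$/) bad = 1 } END { exit !(f && !bad) }' "$1"
}

# CONSTRUCTED sample configs (not taken from any real host) for an offline run.
write_samples() {
    printf 'beastie_disable="YES"\nautoboot_delay="-1"\npassword="REDACTED"\n' > "$1/loader.conf"
    printf 'console none unknown off insecure\nttyv0 "/usr/libexec/getty Pc" xterm onifexists secure\n' > "$1/ttys"
    printf 'root:*:0:0::0:0:Charlie &:/root:/bin/csh\n' > "$1/master.passwd"
    printf 'PermitRootLogin yes\nPasswordAuthentication yes\n' > "$1/sshd_config"
    printf '/dev/ada0s1b none swap sw 0 0\n/dev/ada0s1a / ufs rw 1 1\n' > "$1/fstab"
}
report() { if "$1" "$2"; then echo "OK   $3"; else echo "WEAK $3"; fi; }
audit() {
    report loader_menu_disabled "$1/loader.conf"   "loader menu disabled"
    report console_insecure     "$1/ttys"          "single-user mode needs root password"
    report root_locked          "$1/master.passwd" "root locked locally"
    report sshd_root_keys_only  "$1/sshd_config"   "ssh root login key-only"
    report swap_encrypted       "$1/fstab"         "swap on geli"
}

dir=$(mktemp -d) && write_samples "$dir" && audit "$dir"; rm -rf "$dir"
```

With the constructed samples the first three checks report OK while the sshd and swap checks report WEAK, which is the state the mail argues against.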