LILO is the most commonly used boot loader for Linux. It manages the boot process and can boot Linux kernel images from floppy disks, hard disks or can even act as a boot manager for other operating systems. LILO is very important in the Linux system and
for this reason, we must protect it the best we can. The most important configuration file of LILO is the lilo.conf file, which resides under the /etc directory. It is with this file that we can
configure and improve the security of our LILO program and Linux system. Following are three important options that will improve the security of our valuable LILO program.
Adding: timeout=00This option controls how long in seconds LILO waits for user input before booting to the default selection. One of the requirements of C2 security is that this interval be set to 0 unless the system dual boots something else.
Adding: restrictedThis option asks for a password only, if parameters are specified on the command line (e.g. linux single). The option restricted can only be used together with the password option. Make sure you use this one on each image.
Adding: password=<password>This option asks the user for a password when trying to load the Linux system in single mode. Passwords are always case-sensitive, also make sure the
/etc/lilo.conffile is no longer world readable, or any user will be able to read the password.
Procedure 5.1. An example of protected lilo.conf file.
Edit the lilo.conf file vi
/etc/lilo.confand add or change the above three options as show:boot=/dev/sda map=/boot/map install=/boot/boot.b prompt timeout=00 ß change this line to 00. Default=linux restricted ß add this line. password=<password>
image=/boot/vmlinuz-2.2.12-20
label=linux
initrd=/boot/initrd-2.2.12-10.img
root=/dev/sda6
read-only
add this line and put your password.
Because the configuration file
/etc/lilo.confnow contains unencrypted passwords, it should only be readable for the super-user root.[root@deep] /# chmod 600 /etc/lilo.conf will be no longer world readable.Now we must update our configuration file
/etc/lilo.conffor the change to take effect.[root@deep] /# /sbin/lilo -v to update the lilo.conf file.One more security measure you can take to secure the
lilo.conffile is to set it immutable, using the chattr command. To set the file immutable simply, use the command:[root@deep] /# chattr +i/etc/lilo.confAnd this will prevent any changes accidental or otherwise to the
lilo.conffile. If you wish to modify thelilo.conffile you will need to unset the immutable flag: To unset the immutable flag, use the command:[root@deep] /# chattr -i/etc/lilo.conf