
Hello, I was wondering how I could protect against single user mode for both init and systemd.



Potential Attacks

Single User Mode

The easiest way to gain unauthorised access to a Linux system is to boot the server into Single User Mode, because by default it does not require a root password to gain root level access. Single User Mode can be accessed by power cycling the machine and interrupting the boot process. To boot into single user mode where the GRUB bootloader is used, perform the following: interrupt the boot process, press e to edit the boot configuration file, append to the line starting linux one of either s, S, 1 or systemd.unit=[rescue.target, emergency.target, rescue] to change the argument being passed to the kernel during boot so that it boots into Single User Mode, then press Ctrl+X.

Protecting Against Single User Mode

For a traditional init based system

As root, edit the file /etc/sysconfig/init, then on the line SINGLE=/sbin/sushell change sushell to sulogin.

For a systemd based system

The target configuration needs to be altered for the root password to be prompted for. The targets are located in /lib/systemd/system; the files which need alteration are emergency.service and rescue.service. Alter the line starting ExecStart=-/bin/sh -c "/usr/sbin/sushell; ..." and change /usr/sbin/sushell to /usr/sbin/sulogin in both emergency.service and rescue.service.

To check this has taken effect

Then save the changes and reboot to confirm the alteration has taken effect; if the alteration was successful, when booting into single user mode it shall ask for the root password.

Root Password

By default, some Linux distributions do not have a root password set. This can be checked by running the command head -1 /etc/shadow: if the second column, using a colon as a delimiter, is an exclamation mark then no password has been set. If no root password is set, then regardless of whether the system is set to prompt for a password for Single User Mode or not, it will just load root access.

Securing Bootloader

Insecure bootloaders can result in the bootloader being bypassed completely and a shell being used to gain direct root level access to the system. This is done by interrupting the GRUB boot process and appending init=/bin/bash to the line beginning linux16. This will tell the kernel to use bash instead of init.

Protecting against bootloader side loading

The GRUB bootloader can be password protected by placing the configuration in the /etc/grub.d/40_custom file, because this file will remain untouched by updates and upgrades to the bootloader. In /etc/grub.d/40_custom add set superusers="admin" then password admin; after that, save and exit the file and run the following command: grub2-mkpasswd-… (allow tab completion to finish this command so that the system-compatible script is run). The output of this command from grub2. onwards needs to be added to the end of the line password admin in /etc/grub.d/40_custom. After that the grub file needs to be recompiled by running the command grub2-mkconfig -o /boot/grub2/grub.cfg for CentOS or update-grub on Debian.

To check this has taken effect

Then save the changes and reboot to confirm the alteration has taken effect; if the alteration was successful, when booting and wanting to change the grub settings you will need to supply the username admin and the encrypted password.

Protecting Against Recovery Attack

These measures can aid in protection; however, if a disk is used, the recover Linux feature on the disk can be used to mount the file system and alter the GRUB setting from the disk. To protect against this, make any removable media have a lower boot priority than the boot drive, and password protect the BIOS and boot option menu to stop someone who hasn't got access from altering the boot order and booting into a disk to make changes to the system.
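Added example (my own script, not code from the answer above): a small POSIX shell audit that checks the three settings the answer covers, namely the sushell/sulogin line in rescue.service and emergency.service, the second field of root's /etc/shadow entry, and the superusers/password lines in /etc/grub.d/40_custom. It runs against constructed sample files written to a temporary directory; the function names and sample file names are mine. It goes slightly beyond the answer in two places: it treats "*", "!!" and an empty field as "no usable root password" as well as a single "!", and it distinguishes GRUB's password_pbkdf2 directive (the hashed form that grub2-mkpasswd-pbkdf2 produces) from the plain password keyword, which stores the password in cleartext.

```shell
#!/bin/sh
# Added audit helper (not part of the answer above): checks the three
# single-user-mode protections the answer describes. Every check takes a
# file path, so it runs here against constructed sample files and can be
# pointed at the real files on a host.

# 1. systemd rescue/emergency unit: ExecStart must call sulogin, not sushell.
check_systemd_unit() {
    execstart=$(grep '^ExecStart=' "$1" | head -n 1)
    case "$execstart" in
        *sushell*) echo "WEAK: $1 drops to a root shell with no password"; return 1 ;;
        *sulogin*) echo "OK:   $1 asks for the root password (sulogin)"; return 0 ;;
        *)         echo "WARN: $1 has no recognised ExecStart line"; return 2 ;;
    esac
}

# 2. root password: second colon-separated field of root's shadow entry.
#    '!', '!!' or '*' mean locked/never set, an empty field means no
#    password at all; anything else is a hash, i.e. a password is set.
check_root_password() {
    field=$(awk -F: '$1 == "root" { print $2; exit }' "$1")
    case "$field" in
        "")        echo "WEAK: root has an empty password field"; return 1 ;;
        '!'*|'*'*) echo "WEAK: root password is locked or unset ($field)"; return 1 ;;
        *)         echo "OK:   root has a password hash set"; return 0 ;;
    esac
}

# 3. GRUB: 40_custom should name a superuser and carry a password_pbkdf2
#    hash; the plain 'password' keyword stores the password in cleartext.
check_grub_custom() {
    if ! grep -q '^set superusers=' "$1"; then
        echo "WEAK: $1 defines no superusers, so menu entries can be edited"
        return 1
    fi
    if grep -q '^password_pbkdf2 ' "$1"; then
        echo "OK:   $1 protects GRUB with a PBKDF2 password hash"
        return 0
    fi
    if grep -q '^password ' "$1"; then
        echo "WEAK: $1 uses a cleartext 'password' entry"
        return 1
    fi
    echo "WEAK: $1 names superusers but sets no password"
    return 1
}

# Run all three checks; returns non-zero if any of them is weak.
audit() {
    failed=0
    check_systemd_unit "$1" || failed=1
    check_root_password "$2" || failed=1
    check_grub_custom "$3" || failed=1
    return "$failed"
}

# Constructed sample files standing in for the real system files.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/rescue-weak.service" <<'EOF'
[Service]
ExecStart=-/bin/sh -c "/usr/sbin/sushell; /usr/bin/systemctl --fail --no-block default"
EOF
cat > "$SAMPLE_DIR/rescue-fixed.service" <<'EOF'
[Service]
ExecStart=-/bin/sh -c "/usr/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"
EOF
printf 'root:!!:17000:0:99999:7:::\n' > "$SAMPLE_DIR/shadow-locked"
printf 'root:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:17000:0:99999:7:::\n' > "$SAMPLE_DIR/shadow-set"
printf 'set superusers="admin"\npassword admin cleartext\n' > "$SAMPLE_DIR/40_custom-plain"
cat > "$SAMPLE_DIR/40_custom-fixed" <<'EOF'
set superusers="admin"
password_pbkdf2 admin grub.pbkdf2.sha512.10000.CONSTRUCTEDSALT.CONSTRUCTEDHASH
EOF

echo "--- before the fixes ---"
audit "$SAMPLE_DIR/rescue-weak.service" "$SAMPLE_DIR/shadow-locked" "$SAMPLE_DIR/40_custom-plain"
echo "--- after the fixes ---"
audit "$SAMPLE_DIR/rescue-fixed.service" "$SAMPLE_DIR/shadow-set" "$SAMPLE_DIR/40_custom-fixed"
```

On a real host, run the same functions as root against /lib/systemd/system/rescue.service, /lib/systemd/system/emergency.service, /etc/shadow and /etc/grub.d/40_custom; a non-zero exit from audit means at least one of the protections from the answer is missing. The checks only read files, so they can be dropped into a compliance script without touching the boot configuration.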

  • 1
    The section "Protecting against bootloader side loading" can be improved by adding this link: https://help.ubuntu.com/community/Grub2/Passwords#Password_Encryption – cjclm7 Jun 14 '18 at 09:23