5.19. The LILO and lilo.conf file

LILO is the most commonly used boot loader for Linux. It manages the boot process and can boot Linux kernel images from floppy disks, hard disks or can even act as a boot manager for other operating systems. LILO is very important in the Linux system and for this reason, we must protect it the best we can. The most important configuration file of LILO is the lilo.conf file, which resides under the /etc directory. It is with this file that we can configure and improve the security of our LILO program and Linux system. Following are three important options that will improve the security of our valuable LILO program.

Adding: timeout=00

This option controls how long in seconds LILO waits for user input before booting to the default selection. One of the requirements of C2 security is that this interval be set to 0 unless the system dual boots something else.

Adding: restricted

This option asks for a password only, if parameters are specified on the command line (e.g. linux single). The option restricted can only be used together with the password option. Make sure you use this one on each image.

Adding: password=<password>

This option asks the user for a password when trying to load the Linux system in single mode. Passwords are always case-sensitive, also make sure the /etc/lilo.conf file is no longer world readable, or any user will be able to read the password.

An example of protected lilo.conf file.

  1. Edit the lilo.conf file vi /etc/lilo.conf and add or change the above three options as show:

    
              boot=/dev/sda
                  map=/boot/map
                  install=/boot/boot.b
                  prompt
                  timeout=00 ß change this line to 00.
                  Default=linux
                  restricted ß add this line.
                  password=<password>  (1)
                  image=/boot/vmlinuz-2.2.12-20
                  label=linux
                  initrd=/boot/initrd-2.2.12-10.img
                  root=/dev/sda6
                  read-only
                  
    (1)
    add this line and put your password.

  2. Because the configuration file /etc/lilo.conf now contains unencrypted passwords, it should only be readable for the super-user root.

    
              [root@deep] /# chmod 600  /etc/lilo.conf will be no longer world readable.
                  

  3. Now we must update our configuration file /etc/lilo.conf for the change to take effect.

    
              [root@deep] /# /sbin/lilo -v to update the lilo.conf file.
                  

  4. One more security measure you can take to secure the lilo.conf file is to set it immutable, using the chattr command. To set the file immutable simply, use the command:

    
              [root@deep] /# chattr +i /etc/lilo.conf
                  
    And this will prevent any changes accidental or otherwise to the lilo.conf file. If you wish to modify the lilo.conf file you will need to unset the immutable flag: To unset the immutable flag, use the command:
    
              [root@deep] /# chattr -i /etc/lilo.conf