
Suppose that a regular Linux machine is compromised by an attacker who has obtained a root shell; he can modify the system kernel or modify the boot loader to load another kernel.

Is there a way to prevent such modifications?

I want to disable such things for a regular Linux OS (not a container) installed on a regular PC with only one regular hard disk. I don't want to use read-only media like a CD-ROM.

A rough theoretical solution is to patch the kernel to disallow modifications to the MBR plus another area of the hard disk (maybe a partition) and store the kernel and boot loader files in that area.

  • UEFI secure boot, if that's supported by your "regular PC". Commented Dec 2, 2018 at 8:03
  • UEFI secure boot only detects the changes on reboot; it does not prevent them. I'm looking for another solution. Commented Dec 2, 2018 at 8:59
  • It certainly prevents the “modify the boot loader to load another kernel” case, in that it won’t load another kernel, and module signing prevents injection into the running kernel. I’m not sure what your model is here. Commented Dec 2, 2018 at 17:03
  • @Panther That is not how signatures work. Commented Dec 2, 2018 at 18:00
  • @Panther You are incorrect. You can certainly restrict the root user, since it is still ring 3. This requires either using something like grsecurity or the newer "lockdown" feature in Linux, combined with some kind of MAC to prevent raw access to disk block devices and the boot partition. This isn't even a rare setup either. It's actually very common. Now obviously, it doesn't protect from physical attackers... Commented Dec 24, 2018 at 4:25

1 Answer


Is there a way to prevent [kernel or boot loader] modifications [by root]?

No;

"UEFI secure boot" would stop a remote attacker from persisting on reboot but they could just re-hack on every reboot. Local users could just use

mokutil --import my_signing_key_pub.der

to get full control. The best mitigation is in depth with an IDS.

  • This is a comment on a previous comment, not an answer. Commented Dec 2, 2018 at 16:35
  • @Panther I have made my answer more clear. Commented Jan 18, 2019 at 19:19
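The defensive position the thread converges on is a layered one: kernel lockdown plus a MAC policy that keeps root away from the raw block device and the boot partition, with an IDS-style integrity check on top, since Secure Boot alone only stops an unsigned kernel from being loaded. The script below is an added example (not code from the question, the answer, or any project) of that detection layer: it reads the lockdown and Secure Boot state the kernel exposes, records a SHA-256 baseline of the boot directory, and re-verifies it later, flagging modified, deleted and newly added files. Assumed paths are /sys/kernel/security/lockdown (the lockdown LSM in Linux 5.4 and later) and the SecureBoot-* variable under /sys/firmware/efi/efivars; every function takes its path as an argument so the checks can be exercised against constructed files. The caveat the question itself raises still applies: an attacker with root can rewrite the baseline as well, so it has to live on read-only or off-host storage and the comparison has to run from there.

```shell
#!/bin/sh
# Added example, not code from the question or the answer above.
# Assumed sysfs paths: /sys/kernel/security/lockdown and
# /sys/firmware/efi/efivars/SecureBoot-*; each function accepts a path
# argument so it can be run against constructed files instead.

# lockdown_state [FILE]: print the active lockdown mode (none, integrity or
# confidentiality), or "unavailable" when the kernel exposes no lockdown file.
lockdown_state() {
  f="${1:-/sys/kernel/security/lockdown}"
  if [ -r "$f" ]; then
    # the file reads e.g. "none [integrity] confidentiality"; the bracketed word is active
    sed -n 's/.*\[\([a-z]*\)].*/\1/p' "$f"
  else
    echo unavailable
  fi
}

# secure_boot_state [FILE]: print 1 when the firmware reports Secure Boot enabled,
# 0 when disabled, or "unavailable" without readable EFI variables. The efivars
# file is a 4-byte attribute header followed by the 1-byte variable value.
secure_boot_state() {
  f="$1"
  if [ -z "$f" ]; then
    f=$(ls /sys/firmware/efi/efivars/SecureBoot-* 2>/dev/null | head -n 1)
  fi
  if [ -n "$f" ] && [ -r "$f" ]; then
    od -An -tu1 -j4 -N1 "$f" | tr -d ' '
  else
    echo unavailable
  fi
}

# boot_baseline DIR OUT: record the SHA-256 of every regular file under DIR into
# OUT, with paths relative to DIR so the file can be checked from any location.
# Filenames containing whitespace are not handled; boot directories normally have none.
boot_baseline() {
  dir="$1"; out="$2"
  case "$out" in /*) ;; *) out="$PWD/$out" ;; esac
  ( cd "$dir" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k2 ) > "$out"
}

# boot_verify DIR BASE: return 0 when every baselined file is unchanged and no
# file has been added; otherwise print the offending entries and return 1.
boot_verify() {
  dir="$1"; base="$2"
  case "$base" in /*) ;; *) base="$PWD/$base" ;; esac
  (
    cd "$dir" || exit 1
    status=0
    # modified or deleted files: sha256sum -c reports each one as FAILED
    sha256sum -c --quiet "$base" || status=1
    # files present now that the baseline never saw (a dropped-in kernel, for example)
    expected=$(awk '{print $2}' "$base" | LC_ALL=C sort)
    actual=$(find . -type f | LC_ALL=C sort)
    if [ "$expected" != "$actual" ]; then
      echo "file set differs from baseline:"
      if [ -n "$actual" ]; then
        printf '%s\n' "$actual" | grep -vxF -e "$expected" | sed 's/^/  added: /'
      fi
      status=1
    fi
    exit "$status"
  )
}

# report_state: one-line summary of the platform protections on the current host.
report_state() {
  echo "lockdown=$(lockdown_state) secure_boot=$(secure_boot_state)"
}

# Typical use (constructed paths): BOOT_CHECK_REPORT=1 ./bootcheck.sh prints the
# summary; boot_baseline /boot /mnt/ro/boot.sha256 once, then boot_verify
# /boot /mnt/ro/boot.sha256 from a cron job or an IDS hook.
[ "${BOOT_CHECK_REPORT:-}" = 1 ] && report_state
```

The verify step runs `sha256sum -c` for modified and deleted files and separately diffs the file listing, because `-c` alone never notices a file the baseline has no line for. The baseline path is resolved to an absolute path before the `cd` so a relative argument still works.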
