chkboot: monitor unencrypted boot volume

While you can encrypt every other partition on your system, the boot volume remains unencrypted, making it vulnerable to outside attacks. chkboot uses simple techniques to detect whether your boot volume has been modified between reboots.

chkboot stores the sha256 checksum of every boot file and of the MBR of the boot volume (if it exists) in an encrypted volume of the system. On every boot it regenerates these checksums and compares them against the stored data. It maintains a log with timestamps (which helps when reviewing system activity) as well as a small temporary list of changed files, which is cleared on the next boot after the user has been notified of the changes.
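
The store-and-compare cycle described above, sketched as an added shell example. It is not chkboot's own code; the function names, file names and state layout are hypothetical, and a throwaway directory stands in for the boot volume.

```shell
#!/bin/sh
# Added illustration of baseline-and-compare checking; NOT chkboot's own code.
# Function names, file names and the state layout are hypothetical.

# Print "<sha256>  <path>" for every regular file under directory $1.
snapshot() {
    ( cd "$1" && find . -type f -exec sha256sum {} + )
}

# Hash the first 512-byte sector (where an MBR lives) of disk or image $1.
mbr_hash() {
    dd if="$1" bs=512 count=1 2>/dev/null | sha256sum | cut -d' ' -f1
}

# check_boot BOOT_DIR STATE_DIR [DISK]
# Returns 0 if nothing changed since the previous run (or on the first run),
# 1 otherwise. STATE_DIR/changed lists affected paths for this run only and
# STATE_DIR/log keeps a timestamped history. Keep STATE_DIR on the encrypted
# volume so the stored hashes cannot be rewritten along with the boot files.
check_boot() {
    boot=$1 state=$2 disk=${3:-}
    mkdir -p "$state" || return 2
    {
        snapshot "$boot"
        [ -z "$disk" ] || echo "$(mbr_hash "$disk")  MBR:$disk"
    } | LC_ALL=C sort > "$state/current"
    : > "$state/changed"
    if [ -f "$state/baseline" ]; then
        # Lines on one side only belong to added, removed or modified files;
        # strip comm's tab and the hash to leave just the path.
        LC_ALL=C comm -3 "$state/baseline" "$state/current" |
            sed 's/^[[:space:]]*[0-9a-f]\{64\}  //' |
            LC_ALL=C sort -u > "$state/changed"
    fi
    n=$(wc -l < "$state/changed" | tr -d ' ')
    echo "$(date -u +%Y-%m-%dT%H:%M:%SZ) $boot: $n change(s)" >> "$state/log"
    mv "$state/current" "$state/baseline"   # next run compares against this state
    [ "$n" -eq 0 ]
}

# Constructed demo: a throwaway directory stands in for the boot volume.
demo() {
    d=$(mktemp -d) && mkdir "$d/boot" && echo kernel-v1 > "$d/boot/vmlinuz"
    check_boot "$d/boot" "$d/state" && echo "baseline recorded"
    echo tampered > "$d/boot/vmlinuz"
    check_boot "$d/boot" "$d/state" || { echo "changed:"; cat "$d/state/changed"; }
    rm -rf "$d"
}
demo
```

Because the example replaces its baseline after every run, a change is reported exactly once; the timestamped log is what preserves the history afterwards.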

Supported init systems

  • initcpio: If your system uses initcpio, add ‘chkboot’ to the end of your modules array to have chkboot run automatically when you upgrade Linux.
  • systemd: If your system uses systemd, you should enable the chkboot service to have your boot partition checked every time your system boots.

Installation

Run the following commands to install chkboot on Ubuntu:

$ git clone https://github.com/grazzolini/chkboot
$ cd chkboot
$ sudo make install
# install initcpio component
$ sudo make install-initcpio
# install systemd component
$ sudo make install-systemd

Usage

Components:

/etc/default/chkboot.conf: chkboot configuration file. Must be set up first. Examples are available in the file.

chkboot: needs to be run as root to be effective. Generates the sha256 checksums and compares them against the previously generated data. Does the bookkeeping as well.

chkboot-check: can be run by any user who can view /var/lib/chkboot. Displays a warning and the list of changed files.

On GitHub: chkboot
