402 lines
6.1 KiB
HTML
402 lines
6.1 KiB
HTML
<HTML
|
|
><HEAD
|
|
><TITLE
|
|
>Magic SysRq key</TITLE
|
|
><META
|
|
NAME="GENERATOR"
|
|
CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK
|
|
REL="HOME"
|
|
TITLE="Remote Serial Console HOWTO"
|
|
HREF="index.html"><LINK
|
|
REL="UP"
|
|
TITLE="Security"
|
|
HREF="security.html"><LINK
|
|
REL="PREVIOUS"
|
|
TITLE="Non-interactive boot sequence"
|
|
HREF="security-rhl-prompt.html"><LINK
|
|
REL="NEXT"
|
|
TITLE="Adjust behaviour of CtrlAltDelete"
|
|
HREF="security-ctrlaltdel.html"></HEAD
|
|
><BODY
|
|
CLASS="SECTION"
|
|
BGCOLOR="#FFFFFF"
|
|
TEXT="#000000"
|
|
LINK="#0000FF"
|
|
VLINK="#840084"
|
|
ALINK="#0000FF"
|
|
><DIV
|
|
CLASS="NAVHEADER"
|
|
><TABLE
|
|
SUMMARY="Header navigation table"
|
|
WIDTH="100%"
|
|
BORDER="0"
|
|
CELLPADDING="0"
|
|
CELLSPACING="0"
|
|
><TR
|
|
><TH
|
|
COLSPAN="3"
|
|
ALIGN="center"
|
|
>Remote Serial Console HOWTO</TH
|
|
></TR
|
|
><TR
|
|
><TD
|
|
WIDTH="10%"
|
|
ALIGN="left"
|
|
VALIGN="bottom"
|
|
><A
|
|
HREF="security-rhl-prompt.html"
|
|
ACCESSKEY="P"
|
|
>Prev</A
|
|
></TD
|
|
><TD
|
|
WIDTH="80%"
|
|
ALIGN="center"
|
|
VALIGN="bottom"
|
|
>Chapter 9. Security</TD
|
|
><TD
|
|
WIDTH="10%"
|
|
ALIGN="right"
|
|
VALIGN="bottom"
|
|
><A
|
|
HREF="security-ctrlaltdel.html"
|
|
ACCESSKEY="N"
|
|
>Next</A
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
><HR
|
|
ALIGN="LEFT"
|
|
WIDTH="100%"></DIV
|
|
><DIV
|
|
CLASS="SECTION"
|
|
><H1
|
|
CLASS="SECTION"
|
|
><A
|
|
NAME="SECURITY-SYSRQ"
|
|
></A
|
|
>9.9. Magic <B
|
|
CLASS="KEYCAP"
|
|
>SysRq</B
|
|
> key</H1
|
|
><P
|
|
>The <SPAN
|
|
CLASS="QUOTE"
|
|
>"magic <B
|
|
CLASS="KEYCAP"
|
|
>SysRq</B
|
|
> key"</SPAN
|
|
> is a key
|
|
sequence that allows some basic commands to be passed directly to
|
|
the kernel. Kernel software developers use this interface to debug
|
|
their software. Under most circumstances it can also be used to
|
|
uncleanly reboot the computer, something that is otherwise
|
|
difficult or expensive to do remotely.</P
|
|
><P
|
|
>For computers that are not used for kernel software
|
|
development the magic <B
|
|
CLASS="KEYCAP"
|
|
>SysRq</B
|
|
> key makes an ideal
|
|
denial of service device. A few unauthenticated keystrokes and the
|
|
computer is dead in the water. The console, serial or otherwise,
|
|
must be in an area with access limited to trusted people.</P
|
|
><P
|
|
>The serial console uses the <SPAN
|
|
CLASS="ACRONYM"
|
|
>RS-232</SPAN
|
|
> break
|
|
function as the <SPAN
|
|
CLASS="QUOTE"
|
|
>"magic <B
|
|
CLASS="KEYCAP"
|
|
>SysRq</B
|
|
> key"</SPAN
|
|
>. A
|
|
<SPAN
|
|
CLASS="QUOTE"
|
|
>"break"</SPAN
|
|
> is a period of no transmission on the serial
|
|
line, on traditional terminals it is activated by pressing a key
|
|
labeled <B
|
|
CLASS="KEYCAP"
|
|
>Break</B
|
|
>.</P
|
|
><P
|
|
>Anyone can dial into a modem and send a break, so if the
|
|
serial console is attached to a modem we need to disable the magic
|
|
<B
|
|
CLASS="KEYCAP"
|
|
>SysRq</B
|
|
> key . If the serial console is attached to
|
|
a terminal server which asks for authentication, or is attached
|
|
directly to another terminal using a null modem cable then you may
|
|
decide to activate the magic <B
|
|
CLASS="KEYCAP"
|
|
>SysRq</B
|
|
> key.</P
|
|
><P
|
|
>The magic <B
|
|
CLASS="KEYCAP"
|
|
>SysRq</B
|
|
> key can be disabled by
|
|
setting a kernel variable or by not compiling support for the
|
|
key.</P
|
|
><P
|
|
>Writing a <TT
|
|
CLASS="LITERAL"
|
|
>0</TT
|
|
> into
|
|
<TT
|
|
CLASS="FILENAME"
|
|
>/proc/sys/kernel/sysrq</TT
|
|
> will disable the magic
|
|
<B
|
|
CLASS="KEYCAP"
|
|
>SysRq</B
|
|
> key. The command <B
|
|
CLASS="COMMAND"
|
|
>sysctl</B
|
|
>
|
|
can also be used:</P
|
|
><DIV
|
|
CLASS="FIGURE"
|
|
><A
|
|
NAME="SECURITY-SYSRQ-SYSCTL"
|
|
></A
|
|
><P
|
|
><B
|
|
>Figure 9-10. Using <B
|
|
CLASS="COMMAND"
|
|
>sysctl</B
|
|
> to defeat the magic
|
|
<B
|
|
CLASS="KEYCAP"
|
|
>SysRq</B
|
|
> key</B
|
|
></P
|
|
><TABLE
|
|
BORDER="1"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="SCREEN"
|
|
><TT
|
|
CLASS="PROMPT"
|
|
>bash#</TT
|
|
> <B
|
|
CLASS="COMMAND"
|
|
>sysctl -w kernel.sysrq=0</B
|
|
></PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
></DIV
|
|
><P
|
|
>Your Linux distribution may have a file
|
|
<TT
|
|
CLASS="FILENAME"
|
|
>/etc/sysctl.conf</TT
|
|
> which is used to run
|
|
<B
|
|
CLASS="COMMAND"
|
|
>sysctl</B
|
|
> during the boot of the machine. Add the
|
|
lines:</P
|
|
><DIV
|
|
CLASS="FIGURE"
|
|
><A
|
|
NAME="SECURITY-SYSRQ-SYSCTLCONF"
|
|
></A
|
|
><P
|
|
><B
|
|
>Figure 9-11. Configuring <TT
|
|
CLASS="FILENAME"
|
|
>/etc/sysctl.conf</TT
|
|
> to defeat
|
|
the magic <B
|
|
CLASS="KEYCAP"
|
|
>SysRq</B
|
|
> key</B
|
|
></P
|
|
><TABLE
|
|
BORDER="0"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="PROGRAMLISTING"
|
|
># Disables the magic SysRq key
|
|
kernel.sysrq = 0</PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
></DIV
|
|
><P
|
|
>Even when setting the magic <B
|
|
CLASS="KEYCAP"
|
|
>SysRq</B
|
|
> key off in
|
|
<TT
|
|
CLASS="FILENAME"
|
|
>/etc/sysctl.conf</TT
|
|
> there is a period of
|
|
vulnerability after the kernel boots but before contents of the
|
|
file are applied.</P
|
|
><P
|
|
>It is much better to compile your own kernel and set the
|
|
following configuration parameter:</P
|
|
><DIV
|
|
CLASS="FIGURE"
|
|
><A
|
|
NAME="SECURITY-SYSRQ-MENUCONFIG"
|
|
></A
|
|
><P
|
|
><B
|
|
>Figure 9-12. Kernel <B
|
|
CLASS="COMMAND"
|
|
>make menuconfig</B
|
|
> showing disabled
|
|
<B
|
|
CLASS="KEYCAP"
|
|
>SysRq</B
|
|
> key</B
|
|
></P
|
|
><TABLE
|
|
BORDER="1"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="SCREEN"
|
|
>Kernel hacking --->
|
|
[ ] Magic SysRq key</PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
></DIV
|
|
><P
|
|
>This should place the following configuration parameter in
|
|
<TT
|
|
CLASS="FILENAME"
|
|
>/usr/src/linux/.config</TT
|
|
>.</P
|
|
><DIV
|
|
CLASS="FIGURE"
|
|
><A
|
|
NAME="SECURITY-SYSRQ-DOTCONFIG"
|
|
></A
|
|
><P
|
|
><B
|
|
>Figure 9-13. Kernel <TT
|
|
CLASS="FILENAME"
|
|
>.config</TT
|
|
> showing disabled
|
|
<B
|
|
CLASS="KEYCAP"
|
|
>SysRq</B
|
|
> key</B
|
|
></P
|
|
><TABLE
|
|
BORDER="0"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="PROGRAMLISTING"
|
|
># CONFIG_MAGIC_SYSRQ is not set</PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
></DIV
|
|
></DIV
|
|
><DIV
|
|
CLASS="NAVFOOTER"
|
|
><HR
|
|
ALIGN="LEFT"
|
|
WIDTH="100%"><TABLE
|
|
SUMMARY="Footer navigation table"
|
|
WIDTH="100%"
|
|
BORDER="0"
|
|
CELLPADDING="0"
|
|
CELLSPACING="0"
|
|
><TR
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="left"
|
|
VALIGN="top"
|
|
><A
|
|
HREF="security-rhl-prompt.html"
|
|
ACCESSKEY="P"
|
|
>Prev</A
|
|
></TD
|
|
><TD
|
|
WIDTH="34%"
|
|
ALIGN="center"
|
|
VALIGN="top"
|
|
><A
|
|
HREF="index.html"
|
|
ACCESSKEY="H"
|
|
>Home</A
|
|
></TD
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="right"
|
|
VALIGN="top"
|
|
><A
|
|
HREF="security-ctrlaltdel.html"
|
|
ACCESSKEY="N"
|
|
>Next</A
|
|
></TD
|
|
></TR
|
|
><TR
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="left"
|
|
VALIGN="top"
|
|
>Non-interactive boot sequence</TD
|
|
><TD
|
|
WIDTH="34%"
|
|
ALIGN="center"
|
|
VALIGN="top"
|
|
><A
|
|
HREF="security.html"
|
|
ACCESSKEY="U"
|
|
>Up</A
|
|
></TD
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="right"
|
|
VALIGN="top"
|
|
>Adjust behaviour of <B
|
|
CLASS="KEYCAP"
|
|
>Ctrl</B
|
|
>-<B
|
|
CLASS="KEYCAP"
|
|
>Alt</B
|
|
>-<B
|
|
CLASS="KEYCAP"
|
|
>Delete</B
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
></DIV
|
|
></BODY
|
|
></HTML
|
|
> |