1. Overview
There are three critical security reasons to set a password on a Linux boot loader. First, it prevents access to single user mode: if attackers can boot the system into single user mode, they are logged in automatically as root without being prompted for the root password. Second, it prevents access to the GRUB console: if the machine uses GRUB as its boot loader, an attacker can use the GRUB editor interface to change its configuration or to gather information using the cat command. Third, it prevents access to non-secure operating systems: on a dual-boot system, an attacker can select at boot time an operating system, such as DOS, which ignores access controls and file permissions.
In this article we will show how to protect the GRUB2 boot loader with a password on RHEL/CentOS 7, in line with IT security standards.
2. Prerequisites
In this article, it is presumed that:
a. You already have RHEL/CentOS 7 installed.
b. You have root access to your installed RHEL/CentOS 7.
3. Generating Encrypted Password
Since plaintext passwords are a security risk, we need to generate a hash of the password by running the command grub2-mkpasswd-pbkdf2. The command prompts for a password; enter the password you want to use to protect the GRUB2 boot loader.
# grub2-mkpasswd-pbkdf2
Enter password:
Reenter password:
PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.CDB73BC2BCAA1A22693A88D492E373B28E5528FF1526C2252F3A4B0C5CEB7B588552470CB9AF606D652F0FA59B8491359A5B9E25EA6513D704A49AE59353E555.F5186F1B4B578FEF28D8C5656BF5E35EA77514A08685B4A18089B8EF14124B3C9F15FA73E34310860B77D8EF16FF0A6BBBC46C8DB2507A81572DD67A4D9AC6B1
4. Setting the Password on GRUB2 main Configuration File
We now have the password hash, which has to end up in the GRUB2 main configuration file, grub.cfg.
Warning: Do NOT manually add the superuser account and password to the grub.cfg file, as the grub2-mkconfig command overwrites this file.
Instead, we put the password hash in the GRUB2 custom menu file, 40_custom, which is located in /etc/grub.d/.
# cd /etc/grub.d/
# ll
total 72
-rwxr-xr-x. 1 root root  8702 Nov 22 22:51 00_header
-rwxr-xr-x. 1 root root   992 Jun 16  2016 00_tuned
-rwxr-xr-x. 1 root root   232 Nov 22 22:51 01_users
-rwxr-xr-x. 1 root root 10781 Nov 22 22:51 10_linux
-rwxr-xr-x. 1 root root 10275 Nov 22 22:51 20_linux_xen
-rwxr-xr-x. 1 root root  2559 Nov 22 22:51 20_ppc_terminfo
-rwxr-xr-x. 1 root root 11169 Nov 22 22:51 30_os-prober
-rwxr-xr-x. 1 root root   214 Nov 22 22:51 40_custom
-rwxr-xr-x. 1 root root   216 Nov 22 22:51 41_custom
-rw-r--r--. 1 root root   483 Nov 22 22:51 README
Before editing the 40_custom file, we recommend taking a backup of it. In the following we will use the superuser account name “systems”.
# cp 40_custom 40_custom.old
# vim 40_custom
set superusers="systems"
password_pbkdf2 systems grub.pbkdf2.sha512.10000.CDB73BC2BCAA1A22693A88D492E373B28E5528FF1526C2252F3A4B0C5CEB7B588552470CB9AF606D652F0FA59B8491359A5B9E25EA6513D704A49AE59353E555.F5186F1B4B578FEF28D8C5656BF5E35EA77514A08685B4A18089B8EF14124B3C9F15FA73E34310860B77D8EF16FF0A6BBBC46C8DB2507A81572DD67A4D9AC6B1
Recommendation: Do NOT use common admin account names such as root, admin or administrator for the GRUB2 superuser account. It is also recommended that the boot loader superuser password differ from the root credentials.
5. Updating the grub.cfg File
Now update the grub.cfg file with the grub2-mkconfig command, but first back up the existing grub.cfg file.
# cd /boot/grub2/
# cp grub.cfg grub.cfg.old
# grub2-mkconfig -o /boot/grub2/grub.cfg
Generating grub configuration file ...
Found linux image: /boot/vmlinuz-3.10.0-514.10.2.el7.x86_64
Found initrd image: /boot/initramfs-3.10.0-514.10.2.el7.x86_64.img
Found linux image: /boot/vmlinuz-3.10.0-514.el7.x86_64
Found initrd image: /boot/initramfs-3.10.0-514.el7.x86_64.img
Found linux image: /boot/vmlinuz-0-rescue-e81bfbb14a464518a84cf05178229800
Found initrd image: /boot/initramfs-0-rescue-e81bfbb14a464518a84cf05178229800.img
done
After the update, the password hash is set in grub.cfg. We can check this by opening the file with the cat or less command; as shown below, the password appears in the 40_custom section of grub.cfg.
# cd /boot/grub2
# cat grub.cfg
### BEGIN /etc/grub.d/40_custom ###
# This file provides an easy way to add custom menu entries. Simply type the
# menu entries you want to add after this comment. Be careful not to change
# the 'exec tail' line above.
set superusers="systems"
password_pbkdf2 systems grub.pbkdf2.sha512.10000.CDB73BC2BCAA1A22693A88D492E373B28E5528FF1526C2252F3A4B0C5CEB7B588552470CB9AF606D652F0FA59B8491359A5B9E25EA6513D704A49AE59353E555.F5186F1B4B578FEF28D8C5656BF5E35EA77514A08685B4A18089B8EF14124B3C9F15FA73E34310860B77D8EF16FF0A6BBBC46C8DB2507A81572DD67A4D9AC6B1
### END /etc/grub.d/40_custom ###
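A scripted version of the manual check above, added here as an example and not part of the original article; the function name audit_grub_cfg and its messages are made up for this illustration. It confirms that each superuser in grub.cfg has a well-formed password_pbkdf2 entry, is not one of the common admin names from the recommendation in section 4, and that no plaintext password directive is present.

```shell
#!/bin/sh
# Added example (not from the original article): audit a generated grub.cfg.

audit_grub_cfg() {
    cfg=$1
    fail=0
    # Hash layout as printed by grub2-mkpasswd-pbkdf2:
    # grub.pbkdf2.sha512.<iterations>.<hex salt>.<hex hash>
    hash_re='grub\.pbkdf2\.sha512\.[0-9]+\.[0-9A-Fa-f]+\.[0-9A-Fa-f]+'

    # Simplifying assumption: the last 'set superusers=' line in the file
    # (40_custom is emitted late) is the one that takes effect.
    users=$(sed -n 's/^[[:space:]]*set[[:space:]][[:space:]]*superusers="\([^"]*\)".*/\1/p' "$cfg" | tail -n 1)
    if [ -z "$users" ]; then
        echo "FAIL: no 'set superusers=' line"
        return 1
    fi

    # Several superusers may be listed; split on spaces and commas.
    for u in $(printf '%s\n' "$users" | tr ',' ' '); do
        case $u in
            root|admin|administrator)
                echo "FAIL: common admin name used as superuser: $u"
                fail=1 ;;
        esac
        # Each superuser needs its own hashed password entry.
        if ! grep -Eq "^[[:space:]]*password_pbkdf2[[:space:]]+${u}[[:space:]]+${hash_re}[[:space:]]*\$" "$cfg"; then
            echo "FAIL: no well-formed password_pbkdf2 entry for superuser: $u"
            fail=1
        fi
    done

    # The plain 'password' command stores the password in clear text.
    if grep -Eq '^[[:space:]]*password[[:space:]]' "$cfg"; then
        echo "FAIL: plaintext 'password' directive present"
        fail=1
    fi

    [ "$fail" -eq 0 ] && echo "OK: superusers=\"$users\" backed by PBKDF2 hashes"
    return "$fail"
}

# Run against a file given on the command line, e.g. /boot/grub2/grub.cfg
if [ $# -gt 0 ]; then
    audit_grub_cfg "$1"
fi
```

Run it as root after every grub2-mkconfig; a non-zero exit status means at least one check failed.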
6. Testing
Now restart the system to check that the GRUB boot loader is protected with the password we set above.
# reboot
After the restart, interrupt the normal boot process by pressing the SPACE BAR, select the GRUB menu entry as highlighted in the picture below, and then press e to edit it.
It will ask for a username and password as shown in the picture below. Enter “systems” as the username and the password we set above.
After successful authentication we will be able to edit the GRUB2 boot loader entry as shown in the picture below.
7. Conclusion
You have now completed all the configuration required to protect your Linux RHEL/CentOS 7 boot loader. Having a boot loader protected with a password is a security standard, and an IT security audit will raise it as a finding if it is not in place. If you have any questions or suggestions you can always leave your comments below. I will try my best to review and reply to them.