RHEL 7 / CentOS 7.
This post is to Secure Single User Mode / Rescue Mode / Emergency mode on RHEL 7 / CentOS 7 in Grub2, By performing this Article you will able to secure your Grub2 Edits with Username and Password,
It is always a good idea to protect your Grub2.
In This Howto, We will protect Grub2 with Encrypted Password and Plain Password.
To Follow this how to make sure you have root password to make changes in Grub2, Please make sure you are doing exact as per instructions and going through notes.
Do this on your own risk, You will be the only responsible if anything goes wrong in any case 🙂
Protect Grub2 with Plain Password Method
1. Login as a root user or user with rights to edit grub2 configuration file (sudo).
[tejas-barot@RHEL7HARDEN ~]$ su –
2. Make a backup of existing grub.cfg and default /etc/grub.d/10_linux so if anything goes wrong we can always restore it.
[root@RHEL7HARDEN ~]# cp /boot/grub2/grub.cfg /boot/grub2/grub.cfg.orig
[root@RHEL7HARDEN ~]# cp /etc/grub.d/10_linux /etc/grub.d/10_linux.orig
3. Now, Adding Entries to protect Grub2 with username and password:
Note1: Replace Username and Password from below lines and Add below lines at last in file /etc/grub.d/10_linux
Note2: Make sure you don’t insert following entries multiple time.
[root@RHEL7HARDEN ~]# vi /etc/grub.d/10_linux
cat << EOF
set superusers=”mohan” password mohan test123
EOF
4. Now let us Generate New grub.cfg, Execute following command.
[root@RHEL7HARDEN ~]# grub2-mkconfig –output=/tmp/grub2.cfg
5. Now Replace this New configured grub2.cfg with existing grub2.cfg
[root@RHEL7HARDEN ~]# mv /boot/grub2/grub.cfg /boot/grub2/grub.cfg.move
[root@RHEL7HARDEN ~]# mv /tmp/grub2.cfg /boot/grub2/grub.cfg
6. That’s It, Now You can reboot and Press “e” on Grub Menu, It will ask you for the password.
Protect Grub2 with Password Encrypted Method
1. Login as a root user or user with rights to edit grub2 configuration file (sudo).
[tejas-barot@RHEL7HARDEN ~]$ su –
2. Make a backup of existing grub.cfg and default /etc/grub.d/10_linux so if anything goes wrong we can always restore it.
[root@RHEL7HARDEN ~]# cp /boot/grub2/grub.cfg /boot/grub2/grub.cfg.orig
[root@RHEL7HARDEN ~]# cp /etc/grub.d/10_linux /etc/grub.d/10_linux.orig
3. Let’s Generate Encrypted password with “grub2-mkpasswd-pbkdf2”, Once you will execute below command it will ask you for the password, Please enter password twice, It will generate password string which you need to add to 10_linux file. ( Shortened version of string, You will have to paste complete string )
[root@RHEL7HARDEN ~]# grub2-mkpasswd-pbkdf2
Enter Password:
Reenter Password:
PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.F1C4CFAA5A51EED123BE8238C23B25B2A6909AFC9812F0D45
4. Now, Adding Entries to protect Grub2 with username and password:
Note1: Replace Username and Password from below lines and Add below lines at last in file /etc/grub.d/10_linux
Note2: Make sure you don’t insert following entries multiple time.
Note3: Here I have added Short String for example, you will have to add full string to make it work.
[root@RHEL7HARDEN ~]# vi /etc/grub.d/10_linux
cat << EOF
set superusers=”mohan” password_pbkdf2 mohan grub.pbkdf2.sha512.10000.62A93492C2F85EB4DC91FCD9E91933DE4A345519F9F9CAA2EF098A1BBE1272DCABE6A493F853708BE5BE46403835F0DEBD50E4A7F6E8843C402D23DB867872A9.30463770C028A430FF6760CDD55172F23861F6D9CF7458171E14F8DBCA77967C25A77313E41D7F1E57737DF36F3FF5B6CDA7B2600473289897D0EE8B35AF48EA
EOF
5. Now let us Generate New grub.cfg, Execute following command.
[root@RHEL7HARDEN ~]# grub2-mkconfig –output=/tmp/grub2.cfg
6. Now Replace this New configured grub2.cfg with existing grub2.cfg
[root@RHEL7HARDEN ~]# mv /boot/grub2/grub.cfg /boot/grub2/grub.cfg.move
[root@RHEL7HARDEN ~]# mv /tmp/grub2.cfg /boot/grub2/grub.cfg
7. That’s It, Now You can reboot and Press “e” on Grub Menu, It will ask you for the password
Recent Comments