{"id":6696,"date":"2017-05-08T12:56:52","date_gmt":"2017-05-08T04:56:52","guid":{"rendered":"http:\/\/rmohan.com\/?p=6696"},"modified":"2017-05-08T14:25:36","modified_gmt":"2017-05-08T06:25:36","slug":"centos-rhel-7-how-to-password-protect-grub2-menu-entries","status":"publish","type":"post","link":"https:\/\/mohan.sg\/?p=6696","title":{"rendered":"CentOS \/ RHEL 7 : How to password protect GRUB2 menu entries"},"content":{"rendered":"<p>Why should a Linux boot loader have password protection?<\/p>\n<p>The following are the primary reasons for password protecting a Linux boot loader:<br \/>\n1. Preventing Access to Single User Mode \u2013 If an attacker can boot into single user mode, he becomes the root user.<br \/>\n2. Preventing Access to the GRUB Console \u2013 If the machine uses GRUB as its boot loader, an attacker can use the GRUB editor interface to change its configuration or to gather information using the cat command.<br \/>\n3. Preventing Access to Non-Secure Operating Systems \u2013 If it is a dual-boot system, an attacker can select at boot time an operating system, such as DOS, which ignores access controls and file permissions.<\/p>\n<p>Password protecting GRUB2<\/p>\n<p>Follow the steps below to password protect GRUB2 in RHEL 7.<br \/>\n1. Remove --unrestricted from the main CLASS= declaration in the \/etc\/grub.d\/10_linux file.<br \/>\nThis can be done by using sed to replace the<\/p>\n<p># sed -i &quot;\/^CLASS=\/s\/ --unrestricted\/\/&quot; \/etc\/grub.d\/10_linux<br \/>\n2. If a user hasn\u2019t already been configured, use grub2-setpassword to set a password for the root user:<\/p>\n<p># grub2-setpassword<br \/>\nThis creates the file \/boot\/grub2\/user.cfg if it is not already present; it contains the hashed GRUB bootloader password. 
This utility only supports configurations where there is a single root user.<br \/>\nExample \/boot\/grub2\/user.cfg file:<\/p>\n<p># cat \/boot\/grub2\/user.cfg<br \/>\nGRUB2_PASSWORD=grub.pbkdf2.sha512.10000.CC6F56BFCFB90C49E6E16DC7234BF4DE4159982B6D121DC8EC6BF0918C7A50E8604CA40689A8B26EA01BF2A76D33F7E6C614E6289ABBAA6944ECB2B6DEB2F3CF.4B929016A827C36142CC126EB47E86F5F98E92C8C2C924AD0C98436E4699DF7536894F69BB904FDB5E609B9A5D67E28A7D79E8521C0B0AE6C031589FA0452A21<br \/>\n3. Recreate the grub config with grub2-mkconfig:<\/p>\n<p># grub2-mkconfig -o \/boot\/grub2\/grub.cfg<br \/>\nGenerating grub configuration file &#8230;<br \/>\nFound linux image: \/boot\/vmlinuz-3.10.0-327.el7.x86_64<br \/>\nFound initrd image: \/boot\/initramfs-3.10.0-327.el7.x86_64.img<br \/>\nFound linux image: \/boot\/vmlinuz-0-rescue-f9725b0c842348ce9e0bc81968cf7181<br \/>\nFound initrd image: \/boot\/initramfs-0-rescue-f9725b0c842348ce9e0bc81968cf7181.img<br \/>\ndone<br \/>\n4. Reboot the server and verify.<\/p>\n<p># shutdown -r now<br \/>\nNote that all defined grub menu entries will now require entering the user name and password at every boot; henceforth, the system will not boot any kernel without direct user intervention from the console. When prompted for the user, enter \u201croot\u201d. When prompted for the password, enter whatever was passed to the grub2-setpassword command.<\/p>\n<p>Remove password protection<\/p>\n<p>To remove the password protection, add --unrestricted back to the main CLASS= declaration in the \/etc\/grub.d\/10_linux file. 
Another way is to remove the \/boot\/grub2\/user.cfg file, which stores the hashed GRUB bootloader password.<\/p>\n<p>Restricting only GRUB menu entry editing<\/p>\n<p>If you only want to prevent users from entering the grub command line and editing menu entries (as opposed to locking the menu entries completely), all that is needed is to run the grub2-setpassword command.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Why should a Linux boot loader have password protection?<\/p>\n<p>The following are the primary reasons for password protecting a Linux boot loader: 1. Preventing Access to Single User Mode \u2013 If an attacker can boot into single user mode, he becomes the root user. 2. Preventing Access to the GRUB Console \u2013 If the machine [&#8230;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[73],"tags":[],"_links":{"self":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/6696"}],"collection":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=6696"}],"version-history":[{"count":1,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/6696\/revisions"}],"predecessor-version":[{"id":6697,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/6696\/revisions\/6697"}],"wp:attachment":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=6696"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=6696"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mohan.sg
\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=6696"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}