Skip to main content
LPIC-3 Exam 303

Securing The Boot Process with GRUB Passwords

By May 23, 2018September 12th, 2022No Comments

Grub PasswordsAs we work our way through the objectives for the LPIC-3 303 exam we now look at securing the boot process with GRUB Passwords. The GRUB bootloader allows us the edit the boot process and parameters that the kernel uses during startup. This can allow malicious administrators to load a system with SELinux disabled or even have the root user’s password changed. Although the risk of this may be seen as low due to the nature of physical access to servers. It is still a risk and security is  made from many layers much like an onion. You also need to consider desktops and users who find that they can gain more access to their system by manipulating the root password.

Here we look at a CentOS 7 system and configuring a password that must be entered to change any boot entry.

Each objective is available to view online. However if you prefer to have all the content in one place and study from an eBook then the objective ‘LPIC 3 Linux Security 326.1 Host Hardening’ is now available to download for just £0.99.


Create the Encrypted Password

The GRUB password is stored in a text file and as such should be encrypted:

$ grub2-mkpasswd-pbkdf2

You will need to enter the password that you want to use and you will see the results back on the screen. Copy the text from and including ‘grub.pbkdf2.sha512……‘ We will use this later, for the moment keep it in your paste buffer.

The command in Ubuntu is grub-mkpasswd-pbkdf2

Edit the GRUB Configuration

The central GRUB configuration is /boot/grub2/grub.cfg in CentOS 7. This is a complex file that we should not edit. We can edit the file though modules. In CentOS 7 we add code to the /etc/grub.d/01_users so that we can establish the GRUB passwords that we want to use.

We should edit the file so that it is similar to the following:

#!/bin/sh -e
cat << EOF
    set superusers="root"
    password_pbkdf2 root grub.pbkdf2........

The original file will have an IF statement that we can remove and leave the file as displayed. The user account we will leave as root but this is NOT the POSIX root account, this can be any name that you choose. The name and password is entered if the boot process needs to be edited. Note that the user name is listed both in the superusers line and the password line.

Update The GRUB Configuration

To update the GRUB configuration we ennter the following command:

$ sudo grub2-mkconfig -o /boot/grub2/grub.cfg

When we reboot the system we can boot to any entry in the GRUB boot menu but altering any entry will require the superuser name and password to be entered.