This topic provides instructions
for adding the Grub boot loader to the security posture.
About this task
Securing the Grub boot loader is an important addition to the security posture for
the operating system where EFA is deployed. There are two general phases for
securing the boot loader:
- Set a password in the Grub configuration to harden against modifications to
the Linux kernel boot-time command line.
- Set a password for the ‘root‘ user to protect against attempts to acquire
single-user mode at boot.
Procedure
-
Set a password in the Grub
configuration:
-
Acquire root and then
run the
grub-mkpasswd-pbkdf2 command (full output is shown
below).
-
Append the password hash
and the string
set superusers="root" to the file /etc/grub.d/40_custom.
-
Add
--unrestricted to the "CLASS="
definition line in /etc/grub.d/10_linux.
-
Run the command
update-grub.
root@tpvm:~# grub-mkpasswd-pbkdf2
Enter password:
Reenter password:
PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.72C8CE3112C007A315A94DD7A63B58392DD00653ACAF8795C8528D83967FA24105B0B53D0092522460532AF05C60EE3E0C7EAC95213E865DF31580A341188ABC.843EF94A9C8EE8AC1776F5B88261D1B6DE437A70AEABE3C814764596F696EE5F7FDF912E63B4D47AE3E7BB468A6B639F00051D142698142EF158E6C141CF38B7
root@tpvm:~# cat >> /etc/grub.d/40_custom
set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.A577D1C8F13C93B82EA5E25E834D5BD88ECB94A5B42F2DABE4FB7A235F3A25A12E6542CB5DA9620B2E0342FE28A4F066BE1B99F2EFBE8C0688FBE11FDB3138DD.2C7C81C7FA0404C768DDCE097B3AA8DD08C042B4FDBA089C0837F91B6C8864EE83B19CBC6D4C5C126E76FA20BE93789920913B12CAC841CA65EA3BAD5921F8D5
root@tpvm:~# <edit /etc/grub.d/10_linux to make the CLASS line look like the following>
root@tpvm:~# grep CLASS /etc/grub.d/10_linux | head -n 1
CLASS="--class gnu-linux --class gnu --class os --unrestricted"
root@tpvm:~ # update-grub
Sourcing file `/etc/default/grub'
Generating grub configuration file ...
Found linux image: /boot/vmlinuz-5.4.0-48-generic
Found initrd image: /boot/initrd.img-5.4.0-48-generic
Found linux image: /boot/vmlinuz-5.3.0-40-generic
Found initrd image: /boot/initrd.img-5.3.0-40-generic
Found linux image: /boot/vmlinuz-4.15.0-118-generic
Found initrd image: /boot/initrd.img-4.15.0-118-generic
Found linux image: /boot/vmlinuz-4.15.0-88-generic
Found initrd image: /boot/initrd.img-4.15.0-88-generic
done
-
Set a password for the ‘root‘
user by running the following commands:
root@tpvm~:# passwd
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
