Secure the Grub Boot Loader

To add the Grub boot loader to the security posture, perform the following steps.

About this task

Securing the Grub boot loader is an important addition to the security posture for the operating system where EFA is deployed. There are two general phases for securing the boot loader:
  • Set a password in the Grub configuration to harden against modifications to the Linux kernel boot-time command line.
  • Set a password for the ‘root‘ user to protect against attempts to acquire single-user mode at boot.

Procedure

  1. Set a password in the Grub configuration:
    1. Acquire root and then run the grub-mkpasswd-pbkdf2 command (full output is shown below).
    2. Append the password hash and the string set superusers="root" to the file /etc/grub.d/40_custom.
    3. Add --unrestricted to the "CLASS=" definition line in /etc/grub.d/10_linux.
    4. Run the command update-grub. 
      root@tpvm:~# grub-mkpasswd-pbkdf2
Enter password:
Reenter password:
PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.72C8CE3112C007A315A94DD7A63B58392DD00653ACAF8795C8528D83967FA24105B0B53D0092522460532AF05C60EE3E0C7EAC95213E865DF31580A341188ABC.843EF94A9C8EE8AC1776F5B88261D1B6DE437A70AEABE3C814764596F696EE5F7FDF912E63B4D47AE3E7BB468A6B639F00051D142698142EF158E6C141CF38B7
root@tpvm:~# cat >> /etc/grub.d/40_custom
set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.A577D1C8F13C93B82EA5E25E834D5BD88ECB94A5B42F2DABE4FB7A235F3A25A12E6542CB5DA9620B2E0342FE28A4F066BE1B99F2EFBE8C0688FBE11FDB3138DD.2C7C81C7FA0404C768DDCE097B3AA8DD08C042B4FDBA089C0837F91B6C8864EE83B19CBC6D4C5C126E76FA20BE93789920913B12CAC841CA65EA3BAD5921F8D5
root@tpvm:~# <edit /etc/grub.d/10_linux to make the CLASS line look like the following>
root@tpvm:~# grep CLASS /etc/grub.d/10_linux | head -n 1
CLASS="--class gnu-linux --class gnu --class os --unrestricted"
root@tpvm:~ # update-grub
Sourcing file `/etc/default/grub'
Generating grub configuration file ...
Found linux image: /boot/vmlinuz-5.4.0-48-generic
Found initrd image: /boot/initrd.img-5.4.0-48-generic
Found linux image: /boot/vmlinuz-5.3.0-40-generic
Found initrd image: /boot/initrd.img-5.3.0-40-generic
Found linux image: /boot/vmlinuz-4.15.0-118-generic
Found initrd image: /boot/initrd.img-4.15.0-118-generic
Found linux image: /boot/vmlinuz-4.15.0-88-generic
Found initrd image: /boot/initrd.img-4.15.0-88-generic
done
  2. Set a password for the ‘root‘ user by running the following commands: 
    root@tpvm~:# passwd
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
9037632-00 Rev AA