
The Geek Diary

How to Password Protect GRUB2 in Oracle Enterprise Linux 7

By admin

Why should a Linux boot loader have password protection?

The following are the primary reasons for password protecting a Linux boot loader:
1. Preventing Access to Single User Mode – If an attacker can boot into single user mode, they become the root user.
2. Preventing Access to the GRUB Console – If the machine uses GRUB as its boot loader, an attacker can use the GRUB editor interface to change its configuration or to gather information using the cat command.
3. Preventing Access to Non-Secure Operating Systems – If it is a dual-boot system, an attacker can select an operating system at boot time, such as DOS, that ignores access controls and file permissions.

1. Configuring GRUB2 to Require a Password only for Modifying Entries

To require password authentication for modifying GRUB 2 entries, follow these steps:

1. Run the grub2-setpassword command as root:

# grub2-setpassword

Enter password:
Confirm password:

2. Enter and confirm the password. That’s all there is to it. The password is stored in the /boot/grub2/user.cfg file as a hash, not in plain text.

3. With this change, modifying a boot entry during booting requires you to specify the credentials.


2. Configuring GRUB 2 to Require a Password for Modifying and Booting Entries

To also require a password for booting an entry, follow these steps after setting the password with grub2-setpassword:

1. Open the /boot/grub2/grub.cfg file.

2. Find the boot entry that you want to protect with a password by searching for lines beginning with menuentry.

3. Delete the --unrestricted parameter from the menu entry block.

4. Save and close the file.
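
An added example, not part of the original article: a read-only shell audit that reports which of the two configurations above a system is in. It assumes the GRUB2_PASSWORD=grub.pbkdf2.… line that grub2-setpassword writes to user.cfg; the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article): audit GRUB2 password protection.

# Succeeds if user.cfg holds a hash in the form grub2-setpassword writes.
password_is_set() {
    [ -r "$1" ] && grep -q '^GRUB2_PASSWORD=grub\.pbkdf2\.' "$1"
}

# Print the title of each menuentry line that still carries --unrestricted.
unrestricted_entries() {
    sed -n "s/^[[:space:]]*menuentry[[:space:]]*['\"]\([^'\"]*\)['\"].*--unrestricted.*/\1/p" "$1"
}

# audit_grub GRUB_CFG USER_CFG
# Returns 0 = password needed to edit and to boot every entry,
#         1 = password needed to edit only, 2 = no password set.
audit_grub() {
    if ! password_is_set "$2"; then
        echo "no GRUB2_PASSWORD hash in $2"
        return 2
    fi
    open=$(unrestricted_entries "$1")
    if [ -n "$open" ]; then
        echo "password set; these entries still boot without it:"
        echo "$open" | sed 's/^/  /'
        return 1
    fi
    echo "password set; every menuentry requires it"
}

# Constructed sample files (not taken from a real system).
write_sample() {
    cat > "$1/grub.cfg" <<'EOF'
menuentry 'Sample Linux (kernel A)' --class gnu-linux --unrestricted $menuentry_id_option 'sample-a' {
    linux16 /vmlinuz-a root=/dev/mapper/ol-root ro
}
menuentry 'Sample Linux (rescue)' --class gnu-linux $menuentry_id_option 'sample-rescue' {
    linux16 /vmlinuz-rescue root=/dev/mapper/ol-root ro
}
EOF
    echo 'GRUB2_PASSWORD=grub.pbkdf2.sha512.10000.CONSTRUCTED.PLACEHOLDER' > "$1/user.cfg"
}

demo=$(mktemp -d)
write_sample "$demo"
audit_grub "$demo/grub.cfg" "$demo/user.cfg" || echo "audit status: $?"
```

On a real system, run audit_grub /boot/grub2/grub.cfg /boot/grub2/user.cfg as root. Repeat the check after grub.cfg is regenerated with grub2-mkconfig, because manual edits to that file are lost when it is regenerated.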

Filed Under: Linux, OEL 7

© 2021 · The Geek Diary