Securing GRUB on Red Hat Enterprise Linux

Many security controls are ineffective or can be overridden if an attacker gets physical access to your hosts, especially if attackers are able to reboot those hosts. For example, by rebooting your Red Hat Enterprise Linux server, an attacker can sign into single user mode and change your root password -- achieving a total compromise of your server.

    Requires Free Membership to View

More security tips:
Defining event rules in Simple Event Correlation

Firefox plug-ins: Download or tune out?

In this tip, I will look at how you can secure your GRUB boot loader with a password that will prevent unauthorized access to your hosts after a reboot.

The GRUB boot loader is the default boot loader installed by Red Hat Enterprise Linux (and other distributions such as SUSE Linux Enterprise Server, Mandriva, Fedora Core and Gentoo, amongst others).

The GRUB boot loader's behavior is to present a list of kernels that can be loaded, and after a period (if no user intervention occurs), can be booted into the default kernel. If the user intervenes by pressing a key and then by using a menu and an interactive command line, the user can select alternate kernels or specify additional parameters, such as the single statement used for booting into single user mode.

To secure the GRUB boot loader, we can apply a password to the whole loader, which you then need in order to specific kernel entries or to allow the loading of an additional menu for authenticated users. These controls are specified in the grub.conf configuration file that is located in the /boot/grub/ directory (and sym-linked to /etc/grub.conf).

Let us take a look at a password protected grub.conf file:




password --md5 $1$3Gq.k1$Swh2Z8swBjRp2wvncjVaa0

title Red Hat Enterprise Linux (2.6.18-1.2849.rhel4)

    root (hd0,0)


    kernel /vmlinuz-2.6.18-1.2849.rhel4 ro root=/dev/VolGroup00/LogVol01

    initrd /initrd-2.6.18-1.2849.rhel4.img

In this grub.conf file, we can see a kernel entry and, just above it, a line:

password -md5 $1$3Gq.k1$Swh2Z8swBjRp2wvncjVaa0

When specified, the password option disables all the interactive features of GRUB, i.e. you can't add boot parameters, enter the command line interface or edit menu entries.

To enable these functions, you need to type p whilst on the GRUB menu and enter the correct password. The --md5 option on the password indicates that the password is in MD5 format. You can create MD5 passwords for GRUB using the grub command line interface like so:

# grub

grub> md5crypt


Password: password


Encrypted: $1$3Gq.k1$Swh2Z8swBjRp2wvncjVaa0

The md5crypt function prompts you for a clear-text password and then outputs that password in MD5 format. You can then cut-and-paste the password into your grub.conf file.

Using the password option, you can also specify a menu that can be launched when the appropriated password is entered,

password --md5 $1$3Gq.k1$Swh2Z8swBjRp2wvncjVaa0 /boot/grub/admin-menu.lst

In this instance, when the appropriate password is entered, the menu specified in the /boot/grub/admin-menu.lst file would be displayed (menu files follow the standard GRUB menu structure). This allows you to specify kernel entries and other features that can be accessed only by authorized users.

In addition, you can control access to specific kernel entries. In the kernel entry above, you can see that the lock option has been specified. The lock option indicates that the kernel entry cannot be loaded unless the required password (specified in the password option) is entered. You must specify the lock option directly after the title line to lock the entry. You can also specify a password for each entry by replacing the lock option with a password option like so:

title Red Hat Enterprise Linux (2.6.18-1.2649.rhel4)

password -md5 $1$3Gq.k1$Swh2Z8swBjRp2wvncjVaa0

 root (hd0,0)

kernel /vmlinuz-2.6.18-1.2649.rhel4 ro root=/dev/VolGroup00/LogVol01

 initrd /initrd-2.6.18-1.2649.rhel4.img

Using the password option in an individual entry means you can secure different entries with different passwords, hence allowing users to launch some kernels but not others.

To prevent unauthorized changes, you also need to ensure the grub.conf file has suitable ownership and permissions. The file should be owned by root and have permissions of 0600 like so:

# chown root:root /etc/grub.conf

# chmod 0600 /etc/grub.conf

Don't forget that you can (also) set hardware-level security controls in the BIOS of your servers. Common controls that are implemented include BIOS-level passwords (and don't forget to secure the BIOS setup application with a password also) and restrictions on booting from CD, DVD, USB and the like.

Remember that GRUB security doesn't help you if someone is able to physically remove components from the server itself. The best defense against this is a locked room with a secure access mechanism.

Did you find this tip helpful? Got one of your own to share with your fellow readers? Send it along!

This was first published in December 2006

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.