In this hands-on lab, we will be looking at applying a password to the GRUB2 bootloader in SUSE Linux Enterprise. This is part of the server hardening process and is a security best practice within enterprise computing environments.
Learning Objectives
Successfully complete this lab by achieving the following learning objectives:
- Create a Password for Use with GRUB2
Generate a GRUB2 password and copy the resulting hash:
sudo -i grub2-mkpasswd-pbkdf2
Enter the cloud_user password provided with the lab credentials.
Copy the resulting hash, which starts with grub.pbkdf2.sha512. (It will be really long.)
Open the /etc/grub.d/40_custom file:
sudo -i vim /etc/grub.d/40_custom
The contents of the file should be:
#!/bin/sh
exec tail -n +3 $0
# This file provides an easy way to add custom menu entries. Simply type the
# menu entries you want to add after this comment. Be careful not to change
# the 'exec tail' line above.
set superusers="root"
password_pbkdf2 root <LONG_PASSWORD_HASH>
- Edit the GRUB2 Configuration to Use the Created Password
Generate the GRUB2 configuration file:
sudo -i grub2-mkconfig --output=/tmp/grub2.cfg
Copy the file:
sudo -i cp /tmp/grub2.cfg /boot/grub2/grub.cfg
List the contents of the file you copied to ensure it contains the password entry:
sudo -i cat /boot/grub2/grub.cfg
Reboot the system:
sudo -i reboot
Because we do not have access to the boot process of the cloud server, a reboot would render the server inaccessible due to the prompt for the boot password. Reboot the server and you will no longer be able to log in.
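The visual check of grub.cfg in the steps above can be scripted, so that a truncated hash or a superuser without a password line is caught before the reboot. This is an added example, not part of the lab; the function name check_grub_password is hypothetical, and the 128-hex-character salt and key lengths assume grub2-mkpasswd-pbkdf2 was run with its default settings.

```shell
#!/bin/bash
# Added example, not from the lab: checks a generated GRUB2 config for a
# usable password entry before it replaces /boot/grub2/grub.cfg.

# Assumption: default grub2-mkpasswd-pbkdf2 output (64-byte salt and key,
# written as 128 hex characters each).
HASH_RE='^grub\.pbkdf2\.sha512\.[0-9]+\.[0-9A-Fa-f]{128}\.[0-9A-Fa-f]{128}$'

# check_grub_password <cfg>
# Returns 0 only when superusers is set and every superuser has a
# well-formed password_pbkdf2 line; 1 on a finding, 2 if unreadable.
check_grub_password() {
    local cfg=$1 users user hash rc=0
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 2; }

    # Value of the last: set superusers="a,b"
    users=$(sed -n 's/^[[:space:]]*set[[:space:]]\{1,\}superusers="\([^"]*\)".*/\1/p' "$cfg" | tail -n 1)
    if [ -z "$users" ]; then
        echo "no superusers defined: boot menu is not protected" >&2
        return 1
    fi

    # GRUB accepts space , ; | & as separators in the superusers list
    for user in $(printf '%s' "$users" | tr ',;|&' '    '); do
        hash=$(awk -v u="$user" \
            '$1 == "password_pbkdf2" && $2 == u { h = $3 } END { print h }' "$cfg")
        if [ -z "$hash" ]; then
            echo "superuser $user has no password_pbkdf2 line" >&2
            rc=1
        elif ! printf '%s\n' "$hash" | grep -Eq "$HASH_RE"; then
            echo "hash for $user is malformed or truncated" >&2
            rc=1
        fi
    done
    return $rc
}

# Usage, run as root, with the path from the lab:
#   check_grub_password /tmp/grub2.cfg && cp /tmp/grub2.cfg /boot/grub2/grub.cfg
```

A failure here means the config should not be copied into place: a missing superusers line leaves the menu unprotected, and a damaged hash means the password you chose will not be accepted at the prompt.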