City College of San Francisco - CS260A Unix/Linux System Administration Module: StartupShutdown II
Any machine can be compromised if physical access is permitted. All an attacker needs is the ability to restart the system using their own startup medium. The first step in protecting any system, then, is to secure its location.
Even if it is physically secure, it is still wise to protect a machine from compromise during the boot process. Although allowing anyone to physically boot the machine opens it to compromise, the level of preparation and knowledge required by an attacker can be significantly increased by taking a few steps.
Traditionally, the boot process is assumed to occur in a secure location. Thus it is easy to alter the level of boot so that it stops at single-user mode rather than multi-user mode. In single-user mode, init starts a single-user shell for root access at the console. Traditionally, it was assumed that an authorized root user was performing the boot process, so the single-user (root) shell did not require a password.
Protecting the single-user shell
By definition, init starts a single-user shell when it enters single-user mode. Whether this shell forces you to enter the root password before continuing or not is configurable.
For traditional init, if an inittab is found and it has an entry with runlevel S, init runs that entry instead. The program /sbin/sulogin is often used in this entry. It forces the user to enter the root password prior to starting a single-user shell. The inittab entry looks like
xx:S:wait:/sbin/sulogin
For systems that use upstart, the single-user shell is specified in /etc/sysconfig/init using the SINGLE variable. There are two possibilities for SINGLE:
/sbin/sulogin - this is the password-protected single-user shell
/sbin/sushell - this shell is not password-protected.
To control whether the single-user shell is password-protected, set SINGLE to the appropriate shell.
Protecting grub
Unless there is a separate configuration entry to invoke single-user mode, getting to it requires modifying grub's default configuration entry like this:
If grub's hiddenmenu option is enabled, you will have to interrupt the boot by typing a key on the keyboard once grub starts. This will interrupt the automatic boot and list the titles of the different boot configurations.
Once you have the title of the configuration you want to edit selected, use e to edit it. This will open up the entry, showing its constituent lines.
You need to modify this entry's kernel line. Select it and use e to edit it. Then append the word single to the line and type enter.
Finally, use b to boot the selected configuration.
To disable editing boot configurations, add a password to grub. You must add the line
password --encrypted XXXXXXXXXXXXXXXXX
to your grub.conf file, where XXXXXXXXXXXXXXXXX is the encrypted form of a password you select.
# grep password /boot/grub/grub.conf
password --encrypted $1$AWn0c$9yM.P5qtG1LTIHOZ7Zv2a1
You can generate the encrypted password using the command grub-crypt. You can give it your choice of algorithms. I suggest the strongest encryption possible always (sha-512). sha-256 is shown here so it will fit.
# grub-crypt --sha-256
Password:
Retype password:
$5$L4/6iSJfBnqa6Vc3$zOFsi.pV.6uyOt.e3Y68XcLsbhmt5uepmNppQIBLcJ0
Then simply create (or edit) a password --encrypted line with the new encrypted password.
Note: I suggest you use stronger encryption than md5, such as sha-512, but that is very ugly to include here. Check out the man page of grub-crypt. Since the encryption algorithm used is indicated by the first two characters of the encrypted password, you can just cut and paste the new version of the encrypted password in the grub.conf file.
When grub is password-protected, the only command available (except b to boot) when you have stopped the boot at the title-display step is 'p' for enter password. After you have entered the grub password you can then proceed with editing the kernel line as above.
If you want to experiment with generating the various types of encrypted passwords, check out grub-crypt(1). It can be used to generate encrypted passwords using md5, sha-256 or sha-512. You can even use the appropriate length of sha to generate your own user passwords in a pinch (currently sha-512).
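The settings covered under "Protecting the single-user shell" and "Protecting grub" can be checked with a short script. This is an added example, not part of the original course page; the function names and the ROOT path-prefix argument are assumptions of the example, and it only reads the three files named above.

```sh
#!/bin/sh
# Added example, not from the course page. ROOT (first argument) is this
# example's assumption: a path prefix for the files, "" for the live system.

check_inittab() {   # traditional init: does the runlevel S entry run sulogin?
    f="$1/etc/inittab"
    [ -r "$f" ] || { echo "inittab: not present, skipped"; return 0; }
    entry=$(grep -E '^[^#:]*:[^:]*[Ss][^:]*:' "$f" | head -n 1)
    case "$entry" in
        '') echo "inittab: no runlevel S entry, nothing to check" ;;
        *:/sbin/sulogin*) echo "inittab: OK ($entry)" ;;
        *) echo "inittab: WEAK ($entry)"; return 1 ;;
    esac
}

check_single() {    # upstart: SINGLE variable in /etc/sysconfig/init
    f="$1/etc/sysconfig/init"
    [ -r "$f" ] || { echo "SINGLE: $f not present, skipped"; return 0; }
    single=$(sed -n 's/^[[:space:]]*SINGLE=//p' "$f" | tail -n 1 | tr -d '"')
    case "$single" in
        /sbin/sulogin) echo "SINGLE: OK ($single)" ;;
        *) echo "SINGLE: WEAK, set to '${single:-nothing}'"; return 1 ;;
    esac
}

check_grub() {      # grub.conf: password --encrypted line and its hash type
    f="$1/boot/grub/grub.conf"
    [ -r "$f" ] || { echo "grub: $f not readable, skipped"; return 0; }
    hash=$(awk '$1 == "password" && $2 == "--encrypted" { print $3; exit }' "$f")
    case "$hash" in
        '$6$'*) echo "grub: OK, sha-512 password" ;;
        '$5$'*) echo "grub: OK, sha-256 password" ;;
        '$1$'*) echo "grub: WEAK, md5 password"; return 1 ;;
        *)      echo "grub: WEAK, no usable password --encrypted line"; return 1 ;;
    esac
}

audit_boot() {      # run all checks; exit status = number of findings
    findings=0
    check_inittab "$1" || findings=$((findings + 1))
    check_single  "$1" || findings=$((findings + 1))
    check_grub    "$1" || findings=$((findings + 1))
    return "$findings"
}
```

Call `audit_boot ""` to check the live system; the exit status is the number of findings.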
Access to grub
Security (and functionality) require a few restrictions on grub's data:
Preview question: Suppose you start your personal linux system and it won't boot. What would you do?