City College of San Francisco - CS260A Unix/Linux System Administration Module: StartupShutdown III
Just like in RH6.5, restricting physical access to the machine is the most important mechanism for protecting the startup sequence. Any knowledgeable user who has physical access to the machine can break in. This is just as easy in RH7 as it was in RH6.5.
Whenever systemd goes to single-user mode (whether it is emergency or rescue, as explained in the next section), the single-user shell is password protected. Assuming the intruder does not have a rescue disk he or she can use, password-protecting grub2, as explained in the next section, is a helpful deterrent.
For the duration of this discussion, grub refers to grub2 unless specifically indicated otherwise.
Protecting grub
Unless there is a separate configuration entry to invoke single-user mode, getting to it requires modifying grub's default configuration entry like this:
If grub has been configured with a timeout, you will have to interrupt the boot by typing a key on the keyboard once grub2 starts. This will interrupt the automatic boot and list the menuentries of the different boot configurations. The menuentry of the default configuration should be highlighted.
Once you have selected the title of the configuration you want to edit, use e to edit it. This will open up the entry, showing its constituent lines. (If you have added a grub superuser and password, grub will require you to enter the superuser's name and password here. See below.)
You need to modify this entry's kernel line, which on grub2 is called linux or linux16. This will require scrolling past the module load information to find it. Once you find it, simply use ^E to move the cursor to the end of the line and append the word single to the line, just like in grub1. (In grub2 there are two targets for single-user mode: rescue (single), which is the same as on 6.5, and emergency. Both activate systemd and require the root password. Emergency mode does not mount the filesystems read/write and should be used only when rescue mode does not work.)
Finally, use ^X to boot the selected configuration.
To disable editing boot configurations, add a password to grub.
Setting a grub password
grub2 password authentication involves both a user and a password. You can set passwords on a per-configuration basis to control who can boot various configurations, but this involves modifying the scripts in /etc/grub.d. I will leave that to you if you want to go over it.
The ability to edit configurations is controlled by the grub 'superuser'. If one is defined, the superuser must log in with an account and password to be able to modify configurations or access grub's command line. This involves simply appending to the /etc/grub.d/40_custom file and rebuilding grub's configuration file:
The superuser is set by
set superusers="name"
where name is the name of the account (root is traditional, of course, but that is the first one anyone would guess). This can be a list of accounts, space-separated.
Then a password is set for each user by
password name plaintextpassword
for a plain text password (in which case you must make sure grub.cfg and 40_custom are not readable by anyone else) or
password_pbkdf2 user encryptedpassword
where encryptedpassword is generated by the grub2-mkpasswd-pbkdf2 command:
# grub2-mkpasswd-pbkdf2
Enter password:
Reenter password:
PBKDF2 hash of your password is encryptedpassword
encryptedpassword will start with some plaintext stuff that indicates the type of password. Leave it on.
Note: the handy program grub-password, which we have used to generate shadow-style encrypted passwords, is not available on RH7. However, you can still generate encrypted passwords using python. This is discussed in the section on passwords in the Users and Authentication section.
Example of 40_custom showing a superuser with an encrypted password
The bold text is the standard part of the file. The unbolded part is added. Of course the password must be on a single line.
Then grub's config file is rebuilt using
Access to grub
Just like with grub1, you must protect grub's configuration files and the scripts that grub2-mkconfig uses to rebuild the configuration files. No one but root should be allowed access to these directories (/boot/grub2 and /etc/grub.d).
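The superuser and file-access rules above can be checked mechanically. The following is an added example, not part of the original course page: a shell function that audits a copy of 40_custom for a missing superuser, a superuser without a password line, a plain text password in a file others can read, and a PBKDF2 hash whose type prefix was dropped. The function name audit_grub_custom, the accounts bootadmin and op2, and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the course page): audit a grub2 custom script,
# e.g. a copy of /etc/grub.d/40_custom. The function name is hypothetical.
# Prints one finding per line; returns 0 only when there are no findings.
audit_grub_custom() {
    f=$1 rc=0
    # Names listed in: set superusers="name1 name2"
    supers=$(sed -n 's/^[[:space:]]*set[[:space:]]\{1,\}superusers="\([^"]*\)".*/\1/p' "$f")
    if [ -z "$supers" ]; then
        echo "no superuser defined: entries can be edited without a password"; rc=1
    fi
    for u in $supers; do
        # Every superuser needs a password or password_pbkdf2 line.
        if ! grep -Eq "^[[:space:]]*password(_pbkdf2)?[[:space:]]+$u[[:space:]]+[^[:space:]]" "$f"; then
            echo "superuser $u has no password line"; rc=1
        fi
    done
    # A plain text password is tolerable only if nobody but the owner can read the file.
    if grep -Eq '^[[:space:]]*password[[:space:]]' "$f" &&
       [ -n "$(find "$f" \( -perm -040 -o -perm -004 \))" ]; then
        echo "plain text password in a file readable by group or others"; rc=1
    fi
    # A PBKDF2 hash must keep its leading type tag (grub.pbkdf2. ...).
    if grep -E '^[[:space:]]*password_pbkdf2[[:space:]]' "$f" |
       grep -Evq '[[:space:]]grub\.pbkdf2\.[^[:space:]]+[[:space:]]*$'; then
        echo "password_pbkdf2 line without the grub.pbkdf2 prefix"; rc=1
    fi
    return $rc
}

# Constructed sample files; the hash is a shortened placeholder, not a real one.
demo=$(mktemp -d)
printf '%s\n' 'set superusers="bootadmin"' \
    'password_pbkdf2 bootadmin grub.pbkdf2.sha512.10000.AAAA.BBBB' > "$demo/good"
printf '%s\n' 'set superusers="bootadmin op2"' \
    'password bootadmin secret' > "$demo/bad"
chmod 600 "$demo/good"; chmod 644 "$demo/bad"
for s in good bad; do
    echo "== $s"; audit_grub_custom "$demo/$s" || echo "-> needs fixing"
done
```

Run it as root against copies of the real files; it only reads them and changes nothing.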