Grub2 is the kernel bootloader in Red Hat Linux. It is used to store kernel boot parameters and provides a mechanism to interact with the kernel boot command line. Any user who has local access to a Linux machine can attain root access by interrupting the bootloader and editing the kernel command line to enter single user mode. This gives the attacker root access to the system even if they are not authorized to have it!
In order to interrupt this behavior in the Grub bootloader, a password can be set by performing the following steps.
Create a password hash
PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.380AD91E6C36BB4018B5CABDAFF5CABC52A16B6EFF503B6BB2E21199C006C526AEE3A2FF8CF41F9A07AEFB1E8E2275ABB44C41B1429B9C5D509786E2B57A51DA.989F1E9FAC061899E1BB8CB38D2119B26E6CE79A5CBB637E5A611AE099EBBF7CD9BCF1A3EC516CE0E4AD007B7DF8E679220BC845E07E440F134DED2537081F54
Copy the hash that’s generated and create an entry in the 40_custom config file
Enter the following lines at the end of the file:
password_pbkdf2 root grub.pbkdf2.sha512.10000.380AD91E6C36BB4018B5CABDAFF5CABC52A16B6EFF503B6BB2E21199C006C526AEE3A2FF8CF41F9A07AEFB1E8E2275ABB44C41B1429B9C5D509786E2B57A51DA.989F1E9FAC061899E1BB8CB38D2119B26E6CE79A5CBB637E5A611AE099EBBF7CD9BCF1A3EC516CE0E4AD007B7DF8E679220BC845E07E440F134DED2537081F54
Now execute the command to create a new grub2 config file that includes the new password entry
grub2-mkconfig -o /etc/grub2.cnf
And finally, reboot your system, and when presented with the list of kernel boot optioms, press ‘e’ to edit, and you should be prompted for a username and password.