Secure Grub

Prevent Single User Login


For init systems:

Edit the file: /etc/sysconfig/init

Find the line referencing sushell and edit it to read:

SINGLE=/sbin/sulogin


For systemd systems:

cd /lib/systemd/system

Edit two files here: emergency.service and rescue.service


In both files look for the sushell parameter and change it to sulogin.

For example, ExecStart=-/bin/sh -c "/usr/bin/sushell..... should read:

ExecStart=-/bin/sh -c "/usr/bin/sulogin.....

------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Password protect GRUB

First, be sure you have given root a password. Otherwise all bets are off.

Issue the command:

grub-mkpasswd-pbkdf2


Enter a password twice and then you will get a string starting with grub.pbkdf2.sha512.10000...........

Copy that entire string!


Now:

cd /etc/grub.d/

vi 40_custom


Add the following lines to the end of the file. The superuser can be any name, but you will have to remember it should you wish to edit GRUB entries for any reason during boot. The second line contains the string you copied earlier.

set superusers="root"

password_pbkdf2 root grub.pbkdf2.sha512.10000...........


Save the file and issue the command:

update-grub
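
The checks from both sections above, as an added example script (not part of the original page): it verifies that emergency.service and rescue.service call sulogin rather than sushell, and that 40_custom names a superuser with a matching password_pbkdf2 line. The function names, the --live switch and the constructed demo tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit the settings this page describes. Function names and
# the OK/FAIL report format are hypothetical, not part of GRUB or systemd.

# Succeeds only if the unit's ExecStart calls sulogin and never sushell.
unit_uses_sulogin() {
    [ -r "$1" ] || return 2
    grep -q '^ExecStart=.*sulogin' "$1" || return 1
    ! grep -q '^ExecStart=.*sushell' "$1"
}

# Succeeds only if a superuser is set and that same name has a PBKDF2 hash.
# Assumes a single superuser name, as in the page's example.
grub_password_set() {
    [ -r "$1" ] || return 2
    user=$(sed -n 's/^[[:space:]]*set superusers="\([^"]*\)".*/\1/p' "$1" | tail -n 1)
    [ -n "$user" ] || return 1
    awk -v u="$user" '$1 == "password_pbkdf2" && $2 == u &&
        index($3, "grub.pbkdf2.sha512.") == 1 { ok = 1 }
        END { exit !ok }' "$1"
}

# audit ROOT: check the page's three files under ROOT (empty = live system).
audit() {
    rc=0
    for f in "$1/lib/systemd/system/emergency.service" \
             "$1/lib/systemd/system/rescue.service"; do
        if unit_uses_sulogin "$f"; then echo "OK   $f"; else echo "FAIL $f"; rc=1; fi
    done
    f="$1/etc/grub.d/40_custom"
    if grub_password_set "$f"; then echo "OK   $f"; else echo "FAIL $f"; rc=1; fi
    return "$rc"
}

# Demo on a constructed tree (sample content, not taken from a real host):
# rescue.service still uses sushell, so the audit reports one FAIL.
demo() {
    d=$(mktemp -d) || return 2
    mkdir -p "$d/lib/systemd/system" "$d/etc/grub.d"
    echo 'ExecStart=-/bin/sh -c "/usr/bin/sulogin"' > "$d/lib/systemd/system/emergency.service"
    echo 'ExecStart=-/bin/sh -c "/usr/bin/sushell"' > "$d/lib/systemd/system/rescue.service"
    printf 'set superusers="root"\npassword_pbkdf2 root grub.pbkdf2.sha512.10000.CONSTRUCTED\n' \
        > "$d/etc/grub.d/40_custom"
    audit "$d"; rc=$?
    rm -rf "$d"
    return "$rc"
}

if [ "${1:-}" = "--live" ]; then audit ""; else demo || true; fi
```

The script reads /etc/grub.d/40_custom, not the generated GRUB configuration, so a passing result does not show that update-grub has been run since the edit.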