4.2.2.1. Password Protecting GRUB

GRUB can be configured to address the first two issues listed in Section 4.2.2, “Boot Loader Passwords” by adding a password directive to its configuration file. To do this, first decide on a password, then open a shell prompt, log in as root, and type:

    /sbin/grub-md5-crypt

When prompted, type the GRUB password and press Enter. This returns an MD5 hash of the password.

Next, edit the GRUB configuration file /boot/grub/grub.conf. Open the file and below the timeout line in the main section of the document, add the following line:

    password --md5 <password-hash>

Replace <password-hash> with the value returned by /sbin/grub-md5-crypt[6].

The next time the system boots, the GRUB menu does not allow access to the editor or command interface without first pressing p followed by the GRUB password.

Unfortunately, this solution does not prevent an attacker from booting into a non-secure operating system in a dual-boot environment. For this, a different part of the /boot/grub/grub.conf file must be edited.

Look for the title line of the non-secure operating system and add a line that says lock directly beneath it.

For a DOS system, the stanza should begin similar to the following:

    title DOS
    lock

Warning

A password line must be present in the main section of the /boot/grub/grub.conf file for this method to work properly. Otherwise, an attacker can access the GRUB editor interface and remove the lock line.

To create a different password for a particular kernel or operating system, add a lock line to the stanza, followed by a password line.

Each stanza protected with a unique password should begin with lines similar to the following example:

    title DOS
    lock
    password --md5 <password-hash>
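The Warning above describes a configuration that silently fails: a lock line with no password line in the main section. The following POSIX shell audit function, added here as an example and not part of the original guide, parses a GRUB legacy grub.conf and reports that condition, plus any password line that is not an MD5 hash. The check_grub_conf name and the sample configuration (with a placeholder hash) are constructed for this example.

```shell
#!/bin/sh
# Audit a GRUB legacy grub.conf for the lock/password rules described above.
# Returns 0 when every lock line is backed by a password line in the main
# section and every password line uses --md5; returns 1 otherwise.
check_grub_conf() {
    awk '
        /^[ \t]*#/ { next }                 # skip comment lines
        { sub(/^[ \t]+/, "") }              # drop stanza indentation
        /^$/ { next }
        /^title/ {                          # first title ends the main section
            in_stanza = 1; stanza = $0; sub(/^title[ \t]*/, "", stanza); next
        }
        /^password/ {
            if ($2 != "--md5") { print "WARN: non-MD5 password line: " $0; bad = 1 }
            if (!in_stanza) global_pw = 1   # password in the main section
            next
        }
        /^lock/ { if (in_stanza) { nlocked++; locked[nlocked] = stanza }; next }
        END {
            if (!global_pw) {
                print "FAIL: no password line in the main section of grub.conf"
                for (i = 1; i <= nlocked; i++)
                    print "      lock on \"" locked[i] "\" can be removed from the GRUB editor"
                bad = 1
            }
            exit (bad ? 1 : 0)
        }
    ' "$1"
}

# Constructed sample grub.conf (placeholder hash, not a real system file).
sample=$(mktemp)
cat > "$sample" <<'EOF'
default=0
timeout=10
password --md5 $1$constructed$placeholderhash000000000
title Red Hat Enterprise Linux
        root (hd0,0)
        kernel /vmlinuz ro root=/dev/sda2
title DOS
        lock
        rootnoverify (hd0,1)
        chainloader +1
EOF
if check_grub_conf "$sample"; then echo "grub.conf passes the lock/password checks"; fi
rm -f "$sample"
```

Run it against /boot/grub/grub.conf after editing; a non-zero exit status means a locked stanza is not actually protected.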


[6] GRUB also accepts unencrypted passwords, but it is recommended that an MD5 hash be used for added security.