
Linux Tutorial FG034: GRUB2 Password Setup and Security Hardening

1. GRUB2 Security Overview

GRUB2 password protection is an important part of Linux system security. It stops unauthorized users from changing boot parameters or entering single-user or rescue mode, and so protects the system against attacks that rely on physical access.

This section follows the System administration chapter of the official Red Hat Enterprise Linux 10 documentation.

# Check the current GRUB2 security configuration
# grep -i password /etc/grub.d/00_header
# No output means no GRUB2 password is configured yet

# Check for the GRUB2 user configuration file
# ls -la /etc/grub.d/00_users
ls: cannot access '/etc/grub.d/00_users': No such file or directory

# Check the user settings in the generated GRUB2 configuration
# grep -i "superusers\|password" /boot/grub2/grub.cfg
# No output means password protection is not configured

Production advice: every production server should have GRUB2 password protection, above all physical servers and hosted (colocation) environments. Rotate the password regularly and follow a strong-password policy.

2. GRUB2 Password Generation

GRUB2 protects stored passwords with PBKDF2 (Password-Based Key Derivation Function 2), so grub.cfg holds a salted, iterated hash rather than the password itself.

# Generate a GRUB2 password hash
# grub2-mkpasswd-pbkdf2
Enter password:
Reenter password:
PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF

# Generate a hash for a second user
# grub2-mkpasswd-pbkdf2
Enter password:
Reenter password:
PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF

# Check the hash format: the first four dot-separated fields name the scheme, the digest and the iteration count
# echo "grub.pbkdf2.sha512.10000.1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF" | cut -d. -f1-4
grub.pbkdf2.sha512.10000

Feng's tip: PBKDF2 runs 10000 iterations to strengthen the stored hash; even if the password database leaks, an attacker needs considerable time and computing resources to recover the password.
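As an added example (not code from the original tutorial), the following POSIX shell functions pull the hash token out of grub2-mkpasswd-pbkdf2 output and check that it has the shape a password_pbkdf2 line expects: six dot-separated fields, a numeric iteration count of at least the 10000 default, and hex salt and key of the tool's default length (64 bytes each). The sample output line and the hash in it are constructed; the tool itself is not run.

```shell
#!/bin/sh
# Added example: pull the hash out of grub2-mkpasswd-pbkdf2 output and sanity-check its shape.
# The output line and hash below are constructed; the tool is not run. Its prompts carry
# no newline, so when the password is piped in they may share a line with the result.
H64='ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789'
H128="$H64$H64"   # 64-byte salt or key = 128 hex characters (tool defaults: -s 64 -l 64)
SAMPLE_OUTPUT="Enter password: Reenter password: PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.$H128.$H128"

# Extract the hash token from stdin, whatever the line layout
extract_grub_hash() {
    grep -o 'grub\.pbkdf2\.sha512\.[0-9]*\.[0-9A-Fa-f]*\.[0-9A-Fa-f]*' | head -n 1
}

# Return 0 when the string has the structure password_pbkdf2 expects; explain the defect otherwise
validate_grub_hash() {
    hash=$1
    nfields=$(printf '%s\n' "$hash" | awk -F. '{ print NF }')
    [ "$nfields" -eq 6 ] || { echo "expected 6 dot-separated fields, got $nfields" >&2; return 1; }
    case "$hash" in
        grub.pbkdf2.sha512.*) ;;
        *) echo "unexpected prefix, want grub.pbkdf2.sha512" >&2; return 1 ;;
    esac
    iters=$(printf '%s' "$hash" | cut -d. -f4)
    salt=$(printf '%s' "$hash" | cut -d. -f5)
    key=$(printf '%s' "$hash" | cut -d. -f6)
    case "$iters" in
        '' | *[!0-9]*) echo "iteration count is not a number" >&2; return 1 ;;
    esac
    [ "$iters" -ge 10000 ] || { echo "iteration count $iters is below the 10000 default" >&2; return 1; }
    case "$salt$key" in
        *[!0-9A-Fa-f]*) echo "salt or key contains non-hex characters" >&2; return 1 ;;
    esac
    [ "${#salt}" -eq 128 ] && [ "${#key}" -eq 128 ] ||
        { echo "salt/key are ${#salt}/${#key} hex characters, expected 128 each" >&2; return 1; }
    return 0
}

# Demonstration on the constructed output
HASH=$(printf '%s\n' "$SAMPLE_OUTPUT" | extract_grub_hash)
if validate_grub_hash "$HASH"; then
    echo "usable hash: $(printf '%s' "$HASH" | cut -d. -f1-4).<salt>.<key>"
fi
```

The same grep -o extraction is what the rotation and deployment scripts later in this tutorial use, because it works whether or not the prompts share a line with the hash.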

3. Superuser Configuration

A GRUB2 superuser (listed in superusers) holds the highest privilege: it can run every GRUB2 command, including editing boot entries and entering rescue mode.

# Create the GRUB2 user configuration file
# vi /etc/grub.d/00_users

# Add the following content. grub2-mkconfig executes every file in /etc/grub.d and
# copies what it prints into grub.cfg, so the file is a small shell script:
#!/bin/sh
cat << EOF
set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF
EOF

# The file must be executable or grub2-mkconfig skips it; 700 keeps it readable by root only
# chmod 700 /etc/grub.d/00_users

# Configure several superusers
# vi /etc/grub.d/00_users

# List every superuser in set superusers and give each one a password_pbkdf2 line
#!/bin/sh
cat << EOF
set superusers="root admin"
password_pbkdf2 root grub.pbkdf2.sha512.10000.1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF
password_pbkdf2 admin grub.pbkdf2.sha512.10000.ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF
EOF

# Regenerate grub.cfg so the new settings take effect
# grub2-mkconfig -o /boot/grub2/grub.cfg

Production advice: configure at least two superuser accounts so that a lost or forgotten password on the main account does not lock you out. Rotate the passwords regularly and follow a strong-password policy.

4. Protecting Boot Menu Entries

GRUB2 can password-protect individual boot menu entries, keeping unauthorized users away from sensitive boot options.

# List the current boot menu entries
# grep "^menuentry" /boot/grub2/grub.cfg | cut -d "'" -f2
Red Hat Enterprise Linux (5.14.0-123.el10.x86_64) 10
Red Hat Enterprise Linux (5.14.0-122.el10.x86_64) 10
Red Hat Enterprise Linux (0-rescue-1234567890abcdef1234567890abcdef) 10

# Edit /etc/grub.d/10_linux to password-protect specific menu entries
# vi /etc/grub.d/10_linux

# Add --users (only the listed users and the superusers may boot the entry) or
# --unrestricted (anyone may boot it; editing it still needs a superuser) to the
# menuentry line. For example, to protect the rescue entry, the regenerated entry
# in /boot/grub2/grub.cfg should look like this:
menuentry 'Red Hat Enterprise Linux (0-rescue-1234567890abcdef1234567890abcdef) 10' --users=root {
    load_video
    set gfxpayload=keep
    insmod gzio
    insmod part_msdos
    insmod xfs
    set root='hd0,msdos1'
    echo 'Loading kernel ...'
    linux /vmlinuz-0-rescue-1234567890abcdef1234567890abcdef root=/dev/mapper/rhel-root ro rd.break
    echo 'Loading initial ramdisk ...'
    initrd /initramfs-0-rescue-1234567890abcdef1234567890abcdef.img
}

# Regenerate the GRUB2 configuration
# grub2-mkconfig -o /boot/grub2/grub.cfg
Generating grub configuration file ...
Found linux image: /boot/vmlinuz-5.14.0-123.el10.x86_64
Found initrd image: /boot/initramfs-5.14.0-123.el10.x86_64.img
Found linux image: /boot/vmlinuz-5.14.0-122.el10.x86_64
Found initrd image: /boot/initramfs-5.14.0-122.el10.x86_64.img
done

# Verify that the entry is protected
# grep -A 1 "rescue" /boot/grub2/grub.cfg | grep menuentry
menuentry 'Red Hat Enterprise Linux (0-rescue-1234567890abcdef1234567890abcdef) 10' --users=root

# Requiring a password for all menu entries
# Edit /etc/grub.d/10_linux
# vi /etc/grub.d/10_linux

# An entry with neither --unrestricted nor --users can only be booted by a superuser.
# On RHEL the entries generated by 10_linux carry --unrestricted by default; remove it
# from every entry that must require a password.

# Alternatively, grant access to specific users on custom entries
# Edit /etc/grub.d/40_custom
# vi /etc/grub.d/40_custom

# Add custom menu entries with user restrictions. 40_custom copies everything after its
# 'exec tail' line verbatim into grub.cfg, so the entries are appended to it directly:
cat >> /etc/grub.d/40_custom << 'EOF'
menuentry 'Custom Rescue Mode' --users=root {
    load_video
    set gfxpayload=keep
    insmod gzio
    insmod part_msdos
    insmod xfs
    set root='hd0,msdos1'
    echo 'Loading kernel ...'
    linux /vmlinuz-5.14.0-123.el10.x86_64 root=/dev/mapper/rhel-root ro rd.break
    echo 'Loading initial ramdisk ...'
    initrd /initramfs-5.14.0-123.el10.x86_64.img
}
menuentry 'Debug Mode' --users=admin {
    load_video
    set gfxpayload=keep
    insmod gzio
    insmod part_msdos
    insmod xfs
    set root='hd0,msdos1'
    echo 'Loading kernel ...'
    linux /vmlinuz-5.14.0-123.el10.x86_64 root=/dev/mapper/rhel-root ro debug
    echo 'Loading initial ramdisk ...'
    initrd /initramfs-5.14.0-123.el10.x86_64.img
}
EOF

# Regenerate the GRUB2 configuration
# grub2-mkconfig -o /boot/grub2/grub.cfg
Generating grub configuration file ...
Found linux image: /boot/vmlinuz-5.14.0-123.el10.x86_64
Found initrd image: /boot/initramfs-5.14.0-123.el10.x86_64.img
Found linux image: /boot/vmlinuz-5.14.0-122.el10.x86_64
Found initrd image: /boot/initramfs-5.14.0-122.el10.x86_64.img
done

Feng's tip: in production, password-protect every sensitive boot option (rescue mode, single-user mode, debug mode) to prevent unauthorized access.

5. Verifying the Password Configuration

After configuring the GRUB2 password, verify that the configuration is in effect and that the protection actually works.

# Verify the superuser setting
# grep "set superusers" /boot/grub2/grub.cfg
set superusers="root admin"

# Verify the password hashes
# grep "password_pbkdf2" /boot/grub2/grub.cfg
password_pbkdf2 root grub.pbkdf2.sha512.10000.1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF
password_pbkdf2 admin grub.pbkdf2.sha512.10000.ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF

# Verify menu entry protection
# grep "menuentry.*--users" /boot/grub2/grub.cfg
menuentry 'Red Hat Enterprise Linux (0-rescue-1234567890abcdef1234567890abcdef) 10' --users=root
menuentry 'Custom Rescue Mode' --users=root
menuentry 'Debug Mode' --users=admin

# Check the syntax of the GRUB2 configuration (grub2-script-check prints nothing and exits 0 when the file parses)
# grub2-script-check /boot/grub2/grub.cfg && echo "Configuration file is valid"
Configuration file is valid

# Reboot to test the password protection
# reboot

# In the GRUB2 boot menu:
# 1. Try to edit a boot entry (press e)
# 2. GRUB prompts for a user name and password
# 3. Editing is only possible after a correct user name and password

# Try to access a protected menu entry
# 1. Select the protected entry
# 2. GRUB prompts for a user name and password
# 3. Only an authorized user can boot the entry

# Verify that unauthorized access is refused
# 1. Enter a wrong password
# 2. GRUB refuses access and returns to the menu

Production advice: after configuring the GRUB2 password, always verify the configuration in a test environment first, so that the protection works and the normal boot process is not disrupted.
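As an added example (not part of the original tutorial), this shell script checks offline the consistency rules that the grep commands above verify by eye: every superuser has a password_pbkdf2 line, every user named in a --users= restriction has a password, and entries with neither --unrestricted nor --users are reported because only a superuser can boot them. The grub.cfg it inspects is a constructed sample written to a temporary file, not a real system file; the hash values in it are placeholders.

```shell
#!/bin/sh
# Added example: cross-check the superuser, password_pbkdf2 and --users settings of a
# grub.cfg. The sample configuration is constructed for this demonstration, not a real file.
write_sample_cfg() {
    cat > "$1" << 'EOF'
set superusers="root admin"
password_pbkdf2 root grub.pbkdf2.sha512.10000.SALTPLACEHOLDER.KEYPLACEHOLDER
password_pbkdf2 admin grub.pbkdf2.sha512.10000.SALTPLACEHOLDER.KEYPLACEHOLDER
password_pbkdf2 backup grub.pbkdf2.sha512.10000.SALTPLACEHOLDER.KEYPLACEHOLDER
menuentry 'Red Hat Enterprise Linux (5.14.0-123.el10.x86_64) 10' --unrestricted {
    linux /vmlinuz-5.14.0-123.el10.x86_64 root=/dev/mapper/rhel-root ro
}
menuentry 'Custom Rescue Mode' --users=root {
    linux /vmlinuz-5.14.0-123.el10.x86_64 root=/dev/mapper/rhel-root ro rd.break
}
menuentry 'Debug Mode' --users=operator {
    linux /vmlinuz-5.14.0-123.el10.x86_64 root=/dev/mapper/rhel-root ro debug
}
EOF
}
# Prints one line per finding; the return value is the number of FAIL findings.
check_grub_cfg() {
    cfg=$1
    fails=0
    supers=$(grep -o 'set superusers="[^"]*"' "$cfg" | head -n 1 | cut -d'"' -f2)
    pwusers=$(awk '$1 == "password_pbkdf2" { print $2 }' "$cfg")
    if [ -z "$supers" ]; then
        echo "FAIL: no 'set superusers' line, so the menu editor and command line are unprotected"
        fails=$((fails + 1))
    fi
    # A superuser without a password_pbkdf2 line cannot authenticate at all
    for u in $supers; do
        printf '%s\n' "$pwusers" | grep -qx "$u" ||
            { echo "FAIL: superuser '$u' has no password_pbkdf2 line"; fails=$((fails + 1)); }
    done
    # A password without superuser status only grants the entries that name the user
    for u in $pwusers; do
        printf '%s\n' "$supers" | tr ' ' '\n' | grep -qx "$u" ||
            echo "INFO: '$u' has a password but is not a superuser"
    done
    # Every user named in --users= must have a password, or only a superuser can boot the entry
    for u in $(grep -o -- '--users=[^ ]*' "$cfg" | sed 's/^--users=//' | tr ',' '\n' | sort -u); do
        printf '%s\n' "$pwusers" | grep -qx "$u" ||
            { echo "FAIL: menuentry restricted to '$u', who has no password_pbkdf2 line"; fails=$((fails + 1)); }
    done
    # Entries with neither flag need a superuser password just to boot
    locked=$(grep '^menuentry ' "$cfg" | grep -v -e '--unrestricted' -e '--users=' | wc -l | tr -d ' ')
    [ "$locked" -eq 0 ] || echo "INFO: $locked entries carry neither --unrestricted nor --users"
    return "$fails"
}
# Demonstration on the constructed sample
SAMPLE=$(mktemp); write_sample_cfg "$SAMPLE"
rc=0; check_grub_cfg "$SAMPLE" || rc=$?; echo "FAIL findings: $rc"; rm -f "$SAMPLE"
```

Run check_grub_cfg against /boot/grub2/grub.cfg on a real system to get the same report for the live configuration.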

6. Password Recovery and Reset

If the GRUB2 password is forgotten, or a misconfiguration leaves the system unable to boot, the password can be recovered or reset from rescue mode.

# Method 1: reset the password from rescue mode
# 1. Boot from the RHEL 10 installation media
# 2. In the boot menu choose "Troubleshooting" -> "Rescue a Red Hat Enterprise Linux system"
# 3. Choose "1) Continue" to mount the installed system
# 4. Switch into the installed system's root filesystem
# chroot /mnt/sysimage

# Back up the original configuration
# cp /etc/grub.d/00_users /etc/grub.d/00_users.backup

# Rewrite the GRUB2 user configuration file
# vi /etc/grub.d/00_users

# Add the new superuser configuration, using a hash freshly generated with grub2-mkpasswd-pbkdf2
#!/bin/sh
cat << EOF
set superusers="root"
password_pbkdf2 root <new hash from grub2-mkpasswd-pbkdf2>
EOF

# Regenerate the GRUB2 configuration, leave the chroot and reboot
# grub2-mkconfig -o /boot/grub2/grub.cfg
# exit
# reboot

# Method 2: remove the password protection (emergency only)
# Mount the system from rescue mode
# chroot /mnt/sysimage

# Delete the GRUB2 user configuration file
# rm -f /etc/grub.d/00_users

# Regenerate the GRUB2 configuration
# grub2-mkconfig -o /boot/grub2/grub.cfg
Generating grub configuration file ...
Found linux image: /boot/vmlinuz-5.14.0-123.el10.x86_64
Found initrd image: /boot/initramfs-5.14.0-123.el10.x86_64.img
done

# Leave the chroot
# exit

# Reboot the system
# reboot

# Method 3: reset the password from a live CD
# 1. Boot the system from a live CD
# 2. Mount the root partition of the installed system
# mkdir /mnt/rhel
# mount /dev/mapper/rhel-root /mnt/rhel

# Switch into the installed system
# chroot /mnt/rhel

# Reset the password as in method 1 or method 2

Feng's tip: the recovery procedure requires physical or console access to the system, which itself provides a degree of protection. Document the recovery procedure so that it is ready when needed.

7. Security Best Practices

In production, GRUB2 password protection should follow security best practices that balance security with manageability.

# 1. Use strong passwords
# Password requirements:
# - at least 12 characters
# - upper- and lower-case letters, digits and special characters
# - no dictionary words or personal information
# - rotated regularly (every 90 days is suggested)

# 2. Configure several superusers
# vi /etc/grub.d/00_users
#!/bin/sh
cat << EOF
set superusers="root admin"
password_pbkdf2 root grub.pbkdf2.sha512.10000.1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF
password_pbkdf2 admin grub.pbkdf2.sha512.10000.ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF
EOF

# Create a GRUB2 audit script
# cat > /fgedu/shell/audit_grub.sh << 'EOF'
#!/bin/bash
echo "=== GRUB2 Security Audit ==="
echo "Date: $(date)"
echo ""
echo "1. Superusers:"
grep "set superusers" /boot/grub2/grub.cfg
echo ""
echo "2. Password hashes:"
grep -c "password_pbkdf2" /boot/grub2/grub.cfg
echo ""
echo "3. Protected menu entries:"
grep -c "menuentry.*--users" /boot/grub2/grub.cfg
echo ""
echo "4. Configuration file permissions:"
ls -l /etc/grub.d/00_users
ls -l /etc/default/grub
echo ""
echo "5. GRUB2 configuration syntax:"
grub2-script-check /boot/grub2/grub.cfg && echo "valid"
echo ""
echo "=== Audit Complete ==="
EOF

# Make it executable
# chmod +x /fgedu/shell/audit_grub.sh

# Run the audit every Monday at 06:00 (lines in /etc/crontab carry a user field)
# echo "0 6 * * 1 root /fgedu/shell/audit_grub.sh >> /var/log/grub_audit.log 2>&1" >> /etc/crontab

# 6. Password rotation policy
# Create the password rotation script
# cat > /fgedu/shell/rotate_grub_password.sh << 'EOF'
#!/bin/bash
# GRUB2 password rotation script

# Generate a new password
NEW_PASSWORD=$(openssl rand -base64 16)
# Feed it to grub2-mkpasswd-pbkdf2 twice (entry and confirmation) and pick the hash token
# out of the output; grep -o works whether or not the prompts share a line with the hash
NEW_HASH=$(printf '%s\n%s\n' "$NEW_PASSWORD" "$NEW_PASSWORD" | grub2-mkpasswd-pbkdf2 | grep -o 'grub\.pbkdf2\.[^[:space:]]*')

# Back up the current configuration
cp /etc/grub.d/00_users /etc/grub.d/00_users.backup.$(date +%Y%m%d)

# Replace the root hash (PBKDF2 hashes are hex, so they are safe inside the sed expression)
sed -i "s/password_pbkdf2 root .*/password_pbkdf2 root $NEW_HASH/" /etc/grub.d/00_users

# Regenerate the GRUB2 configuration
grub2-mkconfig -o /boot/grub2/grub.cfg

# Record the new password (in real production, use a password manager instead)
echo "New GRUB2 password: $NEW_PASSWORD" | mail -s "GRUB2 Password Rotated" admin@fgedu.net.cn
echo "GRUB2 password rotated successfully"
EOF

# Make it executable
# chmod +x /fgedu/shell/rotate_grub_password.sh

# Rotate every 90 days: 03:00 on the 1st of every third month (lines in /etc/crontab carry a user field)
# echo "0 3 1 */3 * root /fgedu/shell/rotate_grub_password.sh >> /var/log/grub_password.log 2>&1" >> /etc/crontab

Production advice: store GRUB2 passwords in a password manager (such as KeePass or LastPass) rather than in plain-text files. Rotate passwords during a maintenance window and notify the people involved in advance.

8. Auditing and Logging

Auditing and logging of GRUB2 help administrators track changes to the boot configuration and spot potential security problems early.

# 1. Log GRUB2 configuration changes
# Create the logging script
# cat > /fgedu/shell/log_grub_changes.sh << 'EOF'
#!/bin/bash
# Log changes to the GRUB2 configuration
LOG_FILE="/var/log/grub_changes.log"
CONFIG_FILE="/boot/grub2/grub.cfg"
# State file kept in a root-only directory rather than world-writable /var/tmp
STATE_FILE="/var/lib/grub_config_hash"

# Hash the current configuration
CURRENT_HASH=$(md5sum "$CONFIG_FILE" | cut -d' ' -f1)

# Compare with the hash recorded last time, if any
if [ -f "$STATE_FILE" ]; then
    PREVIOUS_HASH=$(cat "$STATE_FILE")
    if [ "$CURRENT_HASH" != "$PREVIOUS_HASH" ]; then
        echo "[$(date)] GRUB2 configuration changed" >> "$LOG_FILE"
        echo "Previous hash: $PREVIOUS_HASH" >> "$LOG_FILE"
        echo "Current hash: $CURRENT_HASH" >> "$LOG_FILE"
        # whoami is the account running this script (root from cron or a grub.d hook);
        # the auditd rules in item 2 record which login user made the change
        echo "Changed by: $(whoami)" >> "$LOG_FILE"
        echo "" >> "$LOG_FILE"

        # Send an alert mail
        echo "GRUB2 configuration has been changed. Please review the changes." | \
            mail -s "GRUB2 Configuration Changed" admin@fgedu.net.cn
    fi
fi

# Save the current hash
echo "$CURRENT_HASH" > "$STATE_FILE"
EOF

# Make it executable
# chmod +x /fgedu/shell/log_grub_changes.sh

# Run it whenever the GRUB2 configuration is regenerated. A hook in /etc/grub.d runs while
# grub2-mkconfig is still generating the new grub.cfg (the file is moved into place at the
# end), so the hook compares the previous file and flags the change on its next run, and
# anything the hook prints would be copied into grub.cfg, hence the redirect.
# printf '#!/bin/sh\n/fgedu/shell/log_grub_changes.sh >/dev/null\n' > /etc/grub.d/99_logging
# chmod +x /etc/grub.d/99_logging
# For immediate detection, run the script right after regenerating instead:
# grub2-mkconfig -o /boot/grub2/grub.cfg && /fgedu/shell/log_grub_changes.sh

# 2. Monitor access to the GRUB2 configuration files
# Watch the files with auditd (w = write, a = attribute change)
# auditctl -w /etc/grub.d/00_users -p wa -k grub_config
# auditctl -w /etc/default/grub -p wa -k grub_config
# auditctl -w /boot/grub2/grub.cfg -p wa -k grub_config
# auditctl rules last until reboot; put the same -w lines in /etc/audit/rules.d/grub.rules to persist them

# Review the audit log
# ausearch -k grub_config -ts recent
----
time->Wed Apr 2 10:00:00 2026
type=PATH msg=audit(1234567890.123:123): item=0 name="/etc/grub.d/00_users" inode=123456 dev=08:01 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0 nametype=NORMAL
type=CWD msg=audit(1234567890.123:123): cwd="/root"
type=SYSCALL msg=audit(1234567890.123:123): arch=c000003e syscall=2 success=yes exit=3 a0=7fffd1234567 a1=241 a2=180 a3=0 items=1 ppid=1234 pid=12345 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=123 comm="vi" exe="/usr/bin/vi" key="grub_config"

# 3. Check the integrity of the GRUB2 configuration regularly
# Create the integrity check script
# cat > /fgedu/shell/check_grub_integrity.sh << 'EOF'
#!/bin/bash
# GRUB2 configuration integrity check
echo "=== GRUB2 Integrity Check ==="
echo "Date: $(date)"
echo ""

# Does the configuration file exist?
if [ ! -f /boot/grub2/grub.cfg ]; then
    echo "ERROR: GRUB2 configuration file not found"
    exit 1
fi

# Does it parse?
if ! grub2-script-check /boot/grub2/grub.cfg; then
    echo "ERROR: GRUB2 configuration file is invalid"
    exit 1
fi

# Are superusers configured?
if ! grep -q "set superusers" /boot/grub2/grub.cfg; then
    echo "WARNING: No superusers configured"
fi

# Are passwords configured?
if ! grep -q "password_pbkdf2" /boot/grub2/grub.cfg; then
    echo "WARNING: No passwords configured"
fi

echo "=== Check Complete ==="
EOF

# Make it executable
# chmod +x /fgedu/shell/check_grub_integrity.sh

# Run the check daily at 04:00 (lines in /etc/crontab carry a user field)
# echo "0 4 * * * root /fgedu/shell/check_grub_integrity.sh >> /var/log/grub_integrity.log 2>&1" >> /etc/crontab

Feng's tip: archive and back up audit logs regularly, and keep at least six months of audit records. For critical systems, forward the audit logs to a remote log server so that they cannot be tampered with or deleted.

9. Troubleshooting

GRUB2 password configuration can go wrong in several ways; the basic troubleshooting methods below cover the common cases.

# Problem 1: the system will not boot after the password is configured
# Symptom: GRUB prompts for a password at boot, but the correct password still does not boot the system

# Troubleshooting steps:
# 1. Check the format of the password hash
# grep "password_pbkdf2" /boot/grub2/grub.cfg
# The hash must have the form grub.pbkdf2.sha512.10000. followed by the hex salt and key fields

# 2. Check the superuser setting
# grep "set superusers" /boot/grub2/grub.cfg
# The names in set superusers must match the user names on the password_pbkdf2 lines

# 3. Check the configuration syntax
# grub2-script-check /boot/grub2/grub.cfg

# 4. If the configuration is wrong, reset the password from rescue mode
# See the "Password Recovery and Reset" section

# Problem 2: password protection is not taking effect
# Symptom: menu entries can be edited, or protected entries booted, without a password

# Troubleshooting steps:
# 1. Check that superusers are configured
# grep "set superusers" /boot/grub2/grub.cfg

# 2. Check that passwords are configured
# grep "password_pbkdf2" /boot/grub2/grub.cfg

# 3. Check that the menu entries carry --users
# grep "menuentry.*--users" /boot/grub2/grub.cfg

# 4. Check that the user file is picked up when grub.cfg is generated
# ls -la /etc/grub.d/00_users
# grub2-mkconfig only runs executable files in /etc/grub.d; 700 keeps it executable and root-only
# chmod 700 /etc/grub.d/00_users
# grub2-mkconfig -o /boot/grub2/grub.cfg

# Problem 3: menu entries disappear after the password is configured
# Symptom: some boot menu entries are no longer shown after configuring the password

# Troubleshooting steps:
# 1. Check the access settings of the entries
# grep "menuentry" /boot/grub2/grub.cfg | head -5

# 2. If an entry carries --users, make sure the current user is allowed
# Check whether the user who logged in is in the superuser list

# 3. If needed, add --unrestricted so that the entry is available to all users
# Edit /etc/grub.d/10_linux and add --unrestricted to the menuentry line

# Problem 4: password hash generation fails
# Symptom: grub2-mkpasswd-pbkdf2 fails or its output has the wrong format

# Troubleshooting steps:
# 1. Check that grub2-tools is installed
# rpm -q grub2-tools

# 2. Reinstall grub2-tools
# dnf reinstall grub2-tools

# 3. Rule out problems with special characters in the password
# Test with a simple password first

# 4. Check the system locale
# echo $LANG
# export LANG=en_US.UTF-8

Production advice: back up the original configuration files before any GRUB2 change. Validate every change in a test environment before applying it to production.

10. Production Deployment

Deploying GRUB2 password protection in production means balancing security, manageability and system availability.

# GRUB2 security configuration script for production
# cat > /fgedu/shell/secure_grub.sh << 'EOF'
#!/bin/bash
# GRUB2 production security configuration script
echo "=== GRUB2 Security Configuration ==="
echo "Date: $(date)"
echo ""

# 1. Back up the original configuration
echo "1. Backing up original configuration..."
cp /etc/default/grub /etc/default/grub.backup.$(date +%Y%m%d)
cp /boot/grub2/grub.cfg /boot/grub2/grub.cfg.backup.$(date +%Y%m%d)

# 2. Generate strong passwords
echo "2. Generating strong passwords..."
ROOT_PASSWORD=$(openssl rand -base64 24)
ADMIN_PASSWORD=$(openssl rand -base64 24)

# Derive the PBKDF2 hashes (each password is fed twice: entry and confirmation)
ROOT_HASH=$(printf '%s\n%s\n' "$ROOT_PASSWORD" "$ROOT_PASSWORD" | grub2-mkpasswd-pbkdf2 | grep -o 'grub\.pbkdf2\.[^[:space:]]*')
ADMIN_HASH=$(printf '%s\n%s\n' "$ADMIN_PASSWORD" "$ADMIN_PASSWORD" | grub2-mkpasswd-pbkdf2 | grep -o 'grub\.pbkdf2\.[^[:space:]]*')

# 3. Create the user configuration file (a script that grub2-mkconfig executes)
echo "3. Creating user configuration..."
cat > /etc/grub.d/00_users << USEREOF
#!/bin/sh
cat << GRUBEOF
set superusers="root admin"
password_pbkdf2 root $ROOT_HASH
password_pbkdf2 admin $ADMIN_HASH
GRUBEOF
USEREOF
chmod 700 /etc/grub.d/00_users   # executable for grub2-mkconfig, readable by root only

# 4. Configure the boot timeout
echo "4. Configuring boot timeout..."
sed -i 's/^GRUB_TIMEOUT=.*/GRUB_TIMEOUT=5/' /etc/default/grub

# 5. Configure the kernel parameters
echo "5. Configuring kernel parameters..."
sed -i 's/^GRUB_CMDLINE_LINUX=.*/GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=rhel\/root rd.lvm.lv=rhel\/swap rhgb quiet transparent_hugepage=never numa=off"/' /etc/default/grub

# 6. Regenerate the GRUB2 configuration
echo "6. Regenerating GRUB2 configuration..."
grub2-mkconfig -o /boot/grub2/grub.cfg

# 7. Verify the configuration
echo "7. Verifying configuration..."
if grub2-script-check /boot/grub2/grub.cfg; then
    echo "Configuration is valid"
else
    echo "ERROR: Configuration is invalid"
    exit 1
fi

# 8. Save the passwords in a protected location
echo "8. Saving passwords to secure location..."
mkdir -p /root/.grub_secrets
chmod 700 /root/.grub_secrets
cat > /root/.grub_secrets/passwords.txt << PWDEOF
GRUB2 Passwords - Generated on $(date)
========================================
Root user password: $ROOT_PASSWORD
Admin user password: $ADMIN_PASSWORD
========================================
IMPORTANT: Store these passwords securely!
PWDEOF
chmod 600 /root/.grub_secrets/passwords.txt

# 9. Send the passwords to the administrator
echo "9. Sending passwords to administrator..."
mail -s "GRUB2 Passwords for $(hostname)" admin@fgedu.net.cn < /root/.grub_secrets/passwords.txt

echo ""
echo "=== Configuration Complete ==="
echo "Passwords have been saved to /root/.grub_secrets/passwords.txt"
echo "Please store these passwords securely!"
echo ""
echo "IMPORTANT: After verifying the configuration works correctly,"
echo "delete the password file: rm /root/.grub_secrets/passwords.txt"
EOF

# Make it executable
# chmod +x /fgedu/shell/secure_grub.sh

# Run the configuration script
# /fgedu/shell/secure_grub.sh

# Create a GRUB2 security check script
# cat > /fgedu/shell/check_grub_security.sh << 'EOF'
#!/bin/bash
# GRUB2 security check script
echo "=== GRUB2 Security Check ==="
echo "Date: $(date)"
echo ""

SECURITY_SCORE=0
MAX_SCORE=10

# Check 1: superuser configuration
echo "Check 1: Superuser configuration"
if grep -q "set superusers" /boot/grub2/grub.cfg; then
    echo "  PASS: Superusers configured"
    SECURITY_SCORE=$((SECURITY_SCORE + 1))
else
    echo "  FAIL: No superusers configured"
fi

# Check 2: password configuration
echo "Check 2: Password configuration"
if grep -q "password_pbkdf2" /boot/grub2/grub.cfg; then
    echo "  PASS: Passwords configured"
    SECURITY_SCORE=$((SECURITY_SCORE + 1))
else
    echo "  FAIL: No passwords configured"
fi

# Check 3: configuration file permissions (700: root-only, and executable so grub2-mkconfig runs it)
echo "Check 3: Configuration file permissions"
if [ "$(stat -c %a /etc/grub.d/00_users 2>/dev/null)" = "700" ]; then
    echo "  PASS: File permissions are secure"
    SECURITY_SCORE=$((SECURITY_SCORE + 1))
else
    echo "  FAIL: File permissions are not secure"
fi

# Check 4: configuration file syntax
echo "Check 4: Configuration file syntax"
if grub2-script-check /boot/grub2/grub.cfg; then
    echo "  PASS: Configuration file is valid"
    SECURITY_SCORE=$((SECURITY_SCORE + 1))
else
    echo "  FAIL: Configuration file is invalid"
fi

# Check 5: boot timeout (grub.cfg indents 'set timeout=N', so match it anywhere on the line)
echo "Check 5: Boot timeout setting"
TIMEOUT=$(grep -o 'set timeout=[0-9]*' /boot/grub2/grub.cfg | head -n 1 | cut -d= -f2)
if [ -n "$TIMEOUT" ] && [ "$TIMEOUT" -le 10 ] && [ "$TIMEOUT" -ge 3 ]; then
    echo "  PASS: Boot timeout is appropriate ($TIMEOUT seconds)"
    SECURITY_SCORE=$((SECURITY_SCORE + 1))
else
    echo "  WARN: Boot timeout may need adjustment ($TIMEOUT seconds)"
fi

# Check 6: kernel parameters
echo "Check 6: Kernel parameters"
if grep -q "transparent_hugepage=never" /boot/grub2/grub.cfg; then
    echo "  PASS: Kernel parameters are optimized"
    SECURITY_SCORE=$((SECURITY_SCORE + 1))
else
    echo "  INFO: Consider adding kernel parameters"
fi

# Check 7: menu entry protection
echo "Check 7: Menu entry protection"
PROTECTED_ENTRIES=$(grep -c "menuentry.*--users" /boot/grub2/grub.cfg)
if [ "$PROTECTED_ENTRIES" -gt 0 ]; then
    echo "  PASS: $PROTECTED_ENTRIES menu entries are protected"
    SECURITY_SCORE=$((SECURITY_SCORE + 1))
else
    echo "  INFO: Consider protecting sensitive menu entries"
fi

# Check 8: configuration backup (the glob may match several files, so test with ls rather than [ -f ])
echo "Check 8: Configuration file backup"
if ls /boot/grub2/grub.cfg.backup.* >/dev/null 2>&1; then
    echo "  PASS: Configuration backup exists"
    SECURITY_SCORE=$((SECURITY_SCORE + 1))
else
    echo "  WARN: No configuration backup found"
fi

# Check 9: audit configuration
echo "Check 9: Audit configuration"
if auditctl -l | grep -q "grub_config"; then
    echo "  PASS: Audit rules are configured"
    SECURITY_SCORE=$((SECURITY_SCORE + 1))
else
    echo "  INFO: Consider configuring audit rules"
fi

# Check 10: password strength
echo "Check 10: Password strength"
# Password strength checking logic can be added here
echo "  INFO: Manual password strength review recommended"
SECURITY_SCORE=$((SECURITY_SCORE + 1))

echo ""
echo "=== Security Score: $SECURITY_SCORE/$MAX_SCORE ==="

if [ "$SECURITY_SCORE" -ge 8 ]; then
    echo "Overall: EXCELLENT"
    exit 0
elif [ "$SECURITY_SCORE" -ge 6 ]; then
    echo "Overall: GOOD"
    exit 0
elif [ "$SECURITY_SCORE" -ge 4 ]; then
    echo "Overall: FAIR"
    exit 1
else
    echo "Overall: POOR"
    exit 2
fi
EOF

# Make it executable
# chmod +x /fgedu/shell/check_grub_security.sh

# Run the security check
# /fgedu/shell/check_grub_security.sh

Feng's tip: in production, make the GRUB2 security configuration part of the system provisioning process so that every newly deployed server meets the security standard. Audit regularly to find and fix security weaknesses promptly.

This article was compiled and published by Feng's Tutorials (风哥教程) for study and testing purposes only; credit the source when reposting: http://www.fgedu.net.cn/10327.html
