authordoc <doc@filenotfound.org>2025-07-13 17:27:22 +0000
committerdoc <doc@filenotfound.org>2025-07-13 17:27:22 +0000
commit0089790128cc1956aa3ae13a357168a50d6fbde0 (patch)
tree7858327d303a7560f2d5cf579e12dff06b471911
initial commitHEADmaster
-rwxr-xr-xgrub_lockdown.sh76
1 files changed, 76 insertions, 0 deletions
diff --git a/grub_lockdown.sh b/grub_lockdown.sh
new file mode 100755
index 0000000..3a2faf3
--- /dev/null
+++ b/grub_lockdown.sh
@@ -0,0 +1,76 @@
+#!/bin/bash
+
+echo "[*] Checking initramfs contents for potential exposure..."
+
+INITRD=$(ls /boot/initrd.img-* | sort -V | tail -n1)
+echo "[*] Found initramfs: $INITRD"
+
+# Try gzip first, fallback to cpio-only
+echo "[*] Extracting initramfs for analysis..."
+TMPDIR=$(mktemp -d)
+cd "$TMPDIR"
+
+if file "$INITRD" | grep -q 'gzip'; then
+ gzip -cd "$INITRD" | cpio -idmu > /dev/null 2>&1
+else
+ echo "[!] Warning: fallback to uncompressed initrd..."
+ cat "$INITRD" | cpio -idmu > /dev/null 2>&1
+fi
+
+# Check for risky binaries
+echo "[*] Analyzing for sensitive binaries..."
+FOUND=false
+for bin in sh cryptsetup lvm busybox mount umount blkid; do
+ if find . -name "$bin" | grep -q .; then
+ echo "[!] ⚠ Found sensitive binary: $bin"
+ FOUND=true
+ fi
+done
+
+cd /
+rm -rf "$TMPDIR"
+
+if ! $FOUND; then
+ echo "[*] No critical binaries found. GRUB password not required."
+ exit 0
+fi
+
+# Check for existing GRUB password
+if grep -q "GRUB2_PASSWORD" /etc/grub.d/40_custom; then
+ echo "[*] GRUB password already set. Skipping..."
+ exit 0
+fi
+
+# Prompt user for password
+echo "[*] System is vulnerable. Setting GRUB password..."
+read -s -p "Enter GRUB password: " PASSWORD
+echo
+read -s -p "Confirm GRUB password: " PASSWORD2
+echo
+if [ "$PASSWORD" != "$PASSWORD2" ]; then
+ echo "[!] Passwords do not match. Aborting."
+ exit 1
+fi
+
+# Hash password
+HASH=$(echo "$PASSWORD" | grub-mkpasswd-pbkdf2 | awk '/grub.pbkdf2/{print $NF}')
+unset PASSWORD PASSWORD2
+
+if [ -z "$HASH" ]; then
+ echo "[!] Failed to generate password hash."
+ exit 1
+fi
+
+# Insert into /etc/grub.d/40_custom
+echo "[*] Writing password to /etc/grub.d/40_custom..."
+cat <<EOF >> /etc/grub.d/40_custom
+
+set superusers="root"
+password_pbkdf2 root $HASH
+EOF
+
+# Update GRUB
+echo "[*] Updating GRUB config..."
+update-grub
+
+echo "[+] GRUB password is now active. Test by rebooting and pressing 'e' on boot menu."
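Review bot: The exposure check fails open: both `cpio -idmu` calls discard their output and exit status and only gzip is detected, so an initramfs that is zstd/xz/lz4-compressed or begins with an uncompressed microcode archive unpacks little or nothing, `FOUND` stays false and the script exits 0 reporting "GRUB password not required". Treat an unpack failure as an error instead, for example `unmkinitramfs "$INITRD" "$TMPDIR" || { echo "[!] Cannot unpack $INITRD" >&2; exit 1; }` on initramfs-tools systems. The hashing line pipes a single line into `grub-mkpasswd-pbkdf2`, which normally prompts for the password and then a confirmation, so `HASH` is likely to come back empty every time; `printf '%s\n%s\n' "$PASSWORD" "$PASSWORD" | grub-mkpasswd-pbkdf2` supplies both reads. The already-configured test greps `/etc/grub.d/40_custom` for `GRUB2_PASSWORD`, a string this script never writes, so a second run appends another `password_pbkdf2` block; grepping for `password_pbkdf2` would match what the script actually adds.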