Guide to the Secure Configuration of Kylin Server 10
GRUB2 bootloader configuration
An XCCDF Group - A logical subset of the XCCDF Benchmark
2 Rules
During the boot process, the boot loader is responsible for starting the execution of the kernel and passing options to it. The boot loader allows for the selection of different kernels - possibly on different partitions or media. The default Kylin Server 10 boot loader for x86 systems is called GRUB2. Options it can pass to the kernel include single-user mode, which provides root access without any authentication, and the ability to disable SELinux. To prevent local users from modifying the boot parameters and endangering security, protect the boot loader configuration with a password and ensure its configuration file's permissions are set properly.
Non-UEFI GRUB2 bootloader configuration
1 Rule
Set Boot Loader Password in grub2
High Severity
The grub2 boot loader should have a superuser account and password protection enabled to protect boot-time settings.
Since plaintext passwords are a security risk, generate a hash for the password by running the following command:
# grub2-setpassword
When prompted, enter the password that was selected.
UEFI GRUB2 bootloader configuration
1 Rule
Set the UEFI Boot Loader Password
High Severity
The grub2 boot loader should have a superuser account and password protection enabled to protect boot-time settings.
Since plaintext passwords are a security risk, generate a hash for the password by running the following command:
# grub2-setpassword
When prompted, enter the password that was selected.
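A check for the result of both rules above, as an added example that is not part of the benchmark. It assumes, as on RHEL-family systems, that grub2-setpassword stores the hash as a GRUB2_PASSWORD= line in a user.cfg file, and that "set properly" means no access for group or other; the path to user.cfg is passed in by the caller because the page does not give it, and the function names and return codes are made up for this example.

```shell
#!/bin/sh
# Added example, not part of the benchmark. Assumption: grub2-setpassword
# writes GRUB2_PASSWORD=grub.pbkdf2.sha512.<iterations>.<salt>.<hash>
# into user.cfg (RHEL-family behaviour; path supplied by the caller).

# check_grub2_password FILE  (hypothetical helper)
#   0  PBKDF2 hash present, file closed to group and other
#   1  no GRUB2_PASSWORD value in the file
#   2  value present but not a PBKDF2-SHA512 hash (for example plaintext)
#   3  hash present but file mode grants group/other access (assumed policy)
#   4  file missing or unreadable
check_grub2_password() {
    cfg=$1
    [ -r "$cfg" ] || return 4
    # Take the last assignment if several exist; sed exits 0 on no match.
    val=$(sed -n 's/^GRUB2_PASSWORD=//p' "$cfg" | tail -n 1)
    [ -n "$val" ] || return 1
    printf '%s\n' "$val" |
        grep -Eq '^grub\.pbkdf2\.sha512\.[0-9]+\.[0-9A-Fa-f]+\.[0-9A-Fa-f]+$' ||
        return 2
    mode=$(stat -c '%a' "$cfg") || return 4   # GNU stat, octal mode
    case $mode in
        0|*00) return 0 ;;
        *)     return 3 ;;
    esac
}

# Print the result code for one file without aborting on a failed check.
audit() {
    rc=0
    check_grub2_password "$1" || rc=$?
    echo "$1: check_grub2_password returned $rc"
}

if [ $# -gt 0 ]; then
    audit "$1"
else
    # Constructed sample file; the salt and hash are made-up hex strings.
    tmp=$(mktemp -d)
    printf 'GRUB2_PASSWORD=grub.pbkdf2.sha512.10000.A1B2C3.D4E5F6\n' > "$tmp/user.cfg"
    chmod 600 "$tmp/user.cfg"
    audit "$tmp/user.cfg"
    rm -rf "$tmp"
fi
```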