Set the UEFI Boot Loader Password
An XCCDF Rule
Description
The grub2 boot loader should have a superuser account and password
protection enabled to protect boot-time settings.
Since plaintext passwords are a security risk, generate a hash for the password
by running the following command:
# grub2-setpassword
When prompted, enter the password that was selected.
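A way to audit the result of the step above, as an added example that is not part of the original rule or the project's own check. It assumes grub2-setpassword stores the hash as a GRUB2_PASSWORD= line in a user.cfg file beside grub.cfg; that path varies by distribution, so it is passed as an argument, and the function names and sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify that a user.cfg-style file holds a PBKDF2 hash and not
# a plaintext or missing password. Path and layout are assumptions (see lead-in).

# check_grub2_password FILE
# Return codes:
#   0  GRUB2_PASSWORD is a grub.pbkdf2.sha512 hash
#   1  no GRUB2_PASSWORD assignment found
#   2  a value is set but it is not a PBKDF2-SHA512 hash (e.g. plaintext)
#   3  FILE is missing or unreadable
check_grub2_password() {
    cfg=$1
    [ -r "$cfg" ] || return 3

    # If several assignments are present, this check inspects the last one.
    value=$(sed -n 's/^GRUB2_PASSWORD=//p' "$cfg" | tail -n 1)
    [ -n "$value" ] || return 1

    # Expected shape: grub.pbkdf2.sha512.<iterations>.<salt hex>.<hash hex>
    if printf '%s\n' "$value" |
        grep -Eq '^grub\.pbkdf2\.sha512\.[0-9]+\.[0-9A-Fa-f]+\.[0-9A-Fa-f]+$'; then
        return 0
    fi
    return 2
}

# make_samples DIR
# Writes constructed sample files (shortened, not real hashes) for a dry run.
make_samples() {
    printf 'GRUB2_PASSWORD=grub.pbkdf2.sha512.10000.0A1B2C3D.4E5F6071\n' \
        > "$1/hashed.cfg"
    printf 'GRUB2_PASSWORD=CorrectHorse1\n' > "$1/plaintext.cfg"
    printf '# no password set\n' > "$1/empty.cfg"
}
```

Run `check_grub2_password` against the system's own user.cfg from a provisioning or compliance job and treat any non-zero return as a finding.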
Warning
To prevent hard-coded passwords, automatic remediation of this control is not available. Remediation
must be automated as a component of machine provisioning, or followed manually as outlined above.
Also, do NOT manually add the superuser account and password to the
grub.cfg file, as the grub2-mkconfig command overwrites this file.
Rationale
Password protection on the boot loader configuration ensures users with physical access cannot trivially alter important bootloader settings. These include which kernel to use, and whether to enter single-user mode.
- ID: xccdf_org.ssgproject.content_rule_grub2_uefi_password
- Severity: High
- References
- Updated