Set Boot Loader Password in grub2
An XCCDF Rule
Description
The grub2 boot loader should have a superuser account and password
protection enabled to protect boot-time settings.
Since plaintext passwords are a security risk, generate a hash for the password
by running the following command:
# grub2-mkpasswd-pbkdf2
When prompted, enter the password that was selected.
Using the hash from the output, modify the
/etc/grub.d/40_custom
file with the following content:
set superusers="boot"
password_pbkdf2 boot grub.pbkdf2.sha512.VeryLongString
NOTE: the bootloader superuser account and password MUST differ from the root account and password.
Once the superuser password has been added, update the grub.cfg file by running:
update-grub
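The procedure above, as an added shell example; this is not part of the XCCDF rule text or the ComplianceAsCode project's own remediation content. It assumes the superuser name "boot" from the rule, the Debian/Ubuntu paths /etc/grub.d/40_custom and /boot/grub/grub.cfg, and that the hash was produced beforehand by the distribution's pbkdf2 tool (named grub-mkpasswd-pbkdf2 on Debian/Ubuntu, grub2-mkpasswd-pbkdf2 on distributions that use the grub2- prefix). The functions build the 40_custom fragment, refuse a "root" superuser name, verify the regenerated grub.cfg carries the password, and count menu entries that GRUB will demand the password for at boot (any entry without --unrestricted once superusers is set); the live-apply path only runs when invoked with "apply" and never hard-codes a password.

```shell
#!/bin/sh
# Added example for the grub2_password rule (not ComplianceAsCode code).
# Assumptions: superuser "boot", Debian/Ubuntu paths, hash generated with
# grub-mkpasswd-pbkdf2 / grub2-mkpasswd-pbkdf2 and passed in as an argument.

GRUB_CUSTOM=/etc/grub.d/40_custom      # assumed path of the custom fragment
GRUB_CFG=/boot/grub/grub.cfg           # assumed path of the generated config

# Return 0 if $1 has the shape of grub-mkpasswd-pbkdf2 output:
# grub.pbkdf2.sha512.<iterations>.<hex salt>.<hex hash>
grub_hash_valid() {
    printf '%s\n' "$1" |
        grep -Eq '^grub\.pbkdf2\.sha512\.[0-9]+\.[0-9A-Fa-f]+\.[0-9A-Fa-f]+$'
}

# The rule requires the bootloader account to differ from root.
grub_user_valid() {
    [ -n "$1" ] && [ "$1" != "root" ]
}

# Print the two lines that belong in /etc/grub.d/40_custom for user $1, hash $2.
grub_custom_fragment() {
    grub_user_valid "$1" || return 1
    grub_hash_valid "$2" || return 1
    printf 'set superusers="%s"\npassword_pbkdf2 %s %s\n' "$1" "$1" "$2"
}

# Return 0 if grub.cfg ($1) sets a superuser AND a pbkdf2 password for it.
# grub-mkconfig/update-grub copies 40_custom verbatim, so both lines must
# survive into the generated file; editing grub.cfg by hand is pointless.
grub_cfg_protected() {
    grep -Eq '^[[:space:]]*set[[:space:]]+superusers=' "$1" &&
    grep -Eq '^[[:space:]]*password_pbkdf2[[:space:]]+[^[:space:]]+[[:space:]]+grub\.pbkdf2\.sha512\.' "$1"
}

# Count menu entries in $1 that lack --unrestricted. With superusers set,
# GRUB requires the superuser password to BOOT those entries, not just to
# edit them, so a non-zero count means unattended reboots will stall.
grub_cfg_restricted_entries() {
    grep -E '^[[:space:]]*menuentry ' "$1" | grep -vc -e '--unrestricted' || true
}

# Apply on a live system: append the fragment, regenerate grub.cfg, verify.
grub_apply() {
    grub_custom_fragment "$1" "$2" >> "$GRUB_CUSTOM" || return 1
    update-grub || return 1
    grub_cfg_protected "$GRUB_CFG" || return 1
    echo "entries that will prompt for the password at boot: $(grub_cfg_restricted_entries "$GRUB_CFG")"
}

# Usage (as root): sh grub-password.sh apply boot 'grub.pbkdf2.sha512.10000.<salt>.<hash>'
case "${1:-}" in
    apply) grub_apply "$2" "$3" ;;
esac
```

Keep the hash out of shell history and provisioning logs: read it from a protected file or a secrets store rather than a literal on the command line, and treat a non-zero count from grub_cfg_restricted_entries as a signal to mark the default entry --unrestricted if the host must reboot unattended.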
Warning
To prevent hard-coded passwords, automatic remediation of this control is not available. Remediation must be automated as a component of machine provisioning, or followed manually as outlined above. Also, do NOT manually add the superuser account and password to the grub.cfg file, as the grub2-mkconfig command overwrites this file.
Rationale
Password protection on the boot loader configuration ensures users with physical access cannot trivially alter important bootloader settings. These include which kernel to boot, the kernel command line (for example appending init=/bin/sh to obtain a root shell), and whether to enter single-user mode.
ID: xccdf_org.ssgproject.content_rule_grub2_password
Severity: High
References:
Updated: