Set the UEFI Boot Loader Admin Username to a Non-Default Value
An XCCDF Rule
Description
The grub2 boot loader should have a superuser account and password
protection enabled to protect boot-time settings.
To maximize the protection, select a password-protected superuser account with a unique name, and modify the /etc/grub.d/01_users configuration file to reflect the account name change.
It is highly suggested not to use common administrator account names like root,
admin, or administrator for the grub2 superuser account.
Change the superuser to a different username (the default is 'root'):
$ sed -i 's/\(set superusers=\).*/\1"<unique user ID>"/g' /etc/grub.d/01_users
Once the superuser account has been added, update the grub.cfg file by running:
grubby --update-kernel=ALL --env=/boot/grub2/grubenv
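A check for the edited file, added here as an example and not part of the rule or its OVAL content: it reads a constructed copy of /etc/grub.d/01_users (helper names are assumed) and fails both when the superuser keeps a common name and when the password_pbkdf2 line still names a different account than superusers, since that leaves the renamed superuser with no password of its own.

```shell
#!/bin/sh
# Audit a grub2 01_users fragment for a non-default superuser name and a matching
# password entry. Added example with hypothetical helper names; the sample below is
# constructed, not a real host file.

# Constructed sample: /etc/grub.d/01_users after the sed from the rule text has
# renamed the superuser, but the password_pbkdf2 line still names "root".
SAMPLE_01_USERS='#!/bin/sh -e
cat << EOF
if [ -f \${prefix}/user.cfg ]; then
  source \${prefix}/user.cfg
  if [ -n "\${GRUB2_PASSWORD}" ]; then
    set superusers="bootadm"
    export superusers
    password_pbkdf2 root \${GRUB2_PASSWORD}
  fi
fi
EOF'

# Print the value of the first "set superusers=" line, quotes stripped.
grub_superuser() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*set superusers="\{0,1\}\([^"]*\)"\{0,1\}.*/\1/p' | head -n 1
}

# Print the account named on the first password_pbkdf2 line.
grub_pbkdf2_user() {
    printf '%s\n' "$1" | awk '$1 == "password_pbkdf2" { print $2; exit }'
}

# Succeed only when the name is set and not one of the common names the rule warns about.
is_nondefault_name() {
    case "$1" in
        ""|root|admin|administrator) return 1 ;;
        *) return 0 ;;
    esac
}

# Overall check. A renamed superuser whose password_pbkdf2 entry still names another
# account has no password of its own, so nobody can edit boot entries after the change.
check_01_users() {
    su=$(grub_superuser "$1")
    pw=$(grub_pbkdf2_user "$1")
    is_nondefault_name "$su" || { echo "FAIL: superuser is '${su:-unset}'"; return 1; }
    [ "$su" = "$pw" ] || { echo "FAIL: password_pbkdf2 names '$pw', not '$su'"; return 2; }
    echo "PASS: superuser '$su' has a matching password entry"
}

# Demonstration on the constructed sample (reports the mismatch, exit status 2).
check_01_users "$SAMPLE_01_USERS" || printf 'exit status %s\n' "$?"
```

On a real host, pass `"$(cat /etc/grub.d/01_users)"` to check_01_users instead of the sample.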
Warning
To prevent hard-coded admin usernames, automatic remediation of this control is not available. Remediation must be automated as a component of machine provisioning, or followed manually as outlined above.
Also, do NOT manually add the superuser account and password to the grub.cfg file, as the grub2-mkconfig command overwrites this file.
Rationale
Having a non-default grub superuser username makes password-guessing attacks less effective.
- ID: xccdf_org.ssgproject.content_rule_grub2_uefi_admin_username
- Severity: Medium
- References
- Updated