1.4.2 Ensure bootloader password is set - password_pbkdf2

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

Setting the boot loader password will require that anyone rebooting the system must enter a password before being able to set command line boot parameters
Rationale:
Requiring a boot password upon execution of the boot loader will prevent an unauthorized user from entering boot parameters or changing the boot partition. This prevents users from weakening security (e.g. turning off SELinux at boot time).

Solution

Create an encrypted password with grub-mkpasswd-pbkdf2:

# grub-mkpasswd-pbkdf2
Enter password: <password>
Reenter password: <password>
Your PBKDF2 is <encrypted-password>

Add the following into /etc/grub.d/00_header or a custom /etc/grub.d configuration file:

cat <<EOF
set superusers="<username>"
password_pbkdf2 <username> <encrypted-password>
EOF

Run the following command to update the grub2 configuration:

# update-grub

Notes:
This recommendation is designed around the grub bootloader, if LILO or another bootloader is in use in your environment enact equivalent settings.

See Also

https://workbench.cisecurity.org/files/2242

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-7, CSCv7|5.1

Plugin: Unix

Control ID: a6a09712eef95b7a9c079cea3e3b551f671938bbca06c59aa17aabcfe73de425