1.4.2 Ensure bootloader password is set

Information

Setting the boot loader password will require that anyone rebooting the system must enter
a password before being able to set command line boot parameters

Rationale:

Requiring a boot password upon execution of the boot loader will prevent an unauthorized
user from entering boot parameters or changing the boot partition. This prevents users
from weakening security (e.g. turning off SELinux at boot time).

Solution

For grub based systems create an encrypted password with grub-md5-crypt:

# grub-crypt
Password: <password>
Retype Password: <password>
<encrypted-password>

Copy and paste the <encrypted-password> into the global section of /boot/grub/menu.lst:

password <encrypted-password>

For grub2 based systems
Create an encrypted password with grub2-setpassword :

# grub2-setpassword
Enter password: <password>
Confirm password: <password>

OR
create an encrypted password with grub-mkpasswd-pbkdf2:

# grub-mkpasswd-pbkdf2
Enter password: <password>
Reenter password: <password>
Your PBKDF2 is <encrypted-password>

Add the following into /etc/grub.d/00_header or a custom /etc/grub.d configuration file:

cat <<EOF
set superusers="<username>"
password_pbkdf2 <username> <encrypted-password>
EOF

Run the following command to update the grub2 configuration:

# grub2-mkconfig -o /boot/grub2/grub.cfg

OR

# update-grub




Impact:

If password protection is enabled, only the designated superuser can edit a Grub 2 menu
item by pressing "e" or access the GRUB 2 command line by pressing "c"

If GRUB 2 is set up to boot automatically to a password-protected menu entry the user has
no option to back out of the password prompt to select another menu entry. Holding the
SHIFT key will not display the menu in this case. The user must enter the correct username
and password. If unable, the configuration files will have to be edited via the LiveCD or
other means to fix the problem

You can add --unrestricted to the menu entries to allow the system to boot without
entering a password. Password will still be required to edit menu items.

Notes:

This recommendation is designed around the grub bootloader, if LILO or another
bootloader is in use in your environment enact equivalent settings.

Replace /boot/grub2/grub.cfg or /boot/grub/grub.cfg with the appropriate grub
configuration file for your environment

The superuser/user information and password do not have to be contained in the
/etc/grub.d/00_header file. The information can be placed in any /etc/grub.d file as long as
that file is incorporated into grub.cfg. The user may prefer to enter this data into a custom
file, such as /etc/grub.d/40_custom so it is not overwritten should the Grub package be
updated. If placing the information in a custom file, do not include the "cat << EOF" and
"EOF" lines as the content is automatically added from these files.

See Also

https://workbench.cisecurity.org/files/2420