3.3 Set Boot Loader Password - password

Information

Setting the boot loader password will require that anyone rebooting the system must enter
a password before being able to set command line boot parameters

*Rationale*

Requiring a boot password upon execution of the boot loader will prevent an unauthorized user from entering boot parameters or changing the boot partition. This prevents users
from weakening security (e.g. turning off SELinux at boot time).

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Create an encrypted password with grub-md5-crypt-# grub-mkpasswd-pbkdf2
Enter password- <password>
Reenter password- <password>
Your PBKDF2 is <encrypted-password>Add the following into /etc/grub.d/00_header or a custom /etc/grub.d configuration file-cat <<EOF
set superusers='<user-list>'
password_pbkdf2 <user> <encrypted-password>
EOFRun the following to update the grub configuration-# update-grub

See Also

https://workbench.cisecurity.org/files/91

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-7(9)

Plugin: Unix

Control ID: ba4b6e34afdd60ad6b78ee31d0c030bb04edfc9a6e0bfacc68f3eb0e3a52131d