RHEL-06-000068 - The system boot loader must require authentication - UEFI

Information

Password protection on the boot loader configuration ensures users with physical access cannot trivially alter important bootloader settings. These include which kernel to use, and whether to enter single-user mode.

Solution

The grub boot loader should have password protection enabled to protect boot-time settings. To do so, select a password and then generate a hash from it by running the following command:

# grub-crypt --sha-512

Enter the password when prompted. Once the hash has been generated, insert the following line into '/boot/grub/grub.conf' or '/boot/efi/EFI/redhat/grub.conf' immediately after the header comments, using the output of 'grub-crypt' as the value of [password-hash]:

password --encrypted [password-hash]
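As an added audit example, not taken from the STIG or from Tenable's plugin, the POSIX shell check below verifies that a GRUB legacy grub.conf carries the directive above in the global section with a SHA-512 hash. The two file paths are the ones named in the fix text; the sample configurations and the placeholder hash are constructed.

```shell
# Added audit helper (not part of the STIG text or the Tenable plugin): checks a
# GRUB legacy grub.conf for the global "password --encrypted" line this item
# requires. Sample contents below are constructed; the hash is a placeholder.

# check_grub_password FILE -> 0 if FILE has "password --encrypted <hash>" before
# the first "title" stanza (i.e. right after the header comments) and <hash> is
# a SHA-512 crypt string ($6$...), the format "grub-crypt --sha-512" emits;
# 1 for a missing file, no directive, a misplaced directive, or another hash.
check_grub_password() {
    [ -r "$1" ] || return 1
    # Global section only: a directive inside a title stanza does not lock the menu editor.
    global=$(awk '/^[[:space:]]*title/ {exit} {print}' "$1")
    pw_hash=$(printf '%s\n' "$global" \
        | sed -n 's/^[[:space:]]*password[[:space:]]\{1,\}--encrypted[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' \
        | head -n 1)
    case "$pw_hash" in
        '$6$'*) return 0 ;;   # SHA-512 crypt
        *)      return 1 ;;   # empty, $1$ (MD5), or unexpected format
    esac
}

# audit_grub_password -> checks the two paths named in the fix text, reports the
# first one present, and returns its result (1 if neither exists).
audit_grub_password() {
    for f in /boot/grub/grub.conf /boot/efi/EFI/redhat/grub.conf; do
        [ -f "$f" ] || continue
        if check_grub_password "$f"; then echo "PASS: $f"; return 0
        else echo "FAIL: $f has no global 'password --encrypted \$6\$...' line"; return 1
        fi
    done
    echo "FAIL: no GRUB legacy grub.conf found"; return 1
}

# Constructed samples: GOOD places the directive globally, BAD buries it in a menu entry.
GOOD_CONF=$(mktemp); BAD_CONF=$(mktemp)
cat > "$GOOD_CONF" <<'EOF'
# grub.conf generated by anaconda
default=0
password --encrypted $6$PLACEHOLDERsalt$PLACEHOLDERhash
title Red Hat Enterprise Linux (2.6.32-example)
        root (hd0,0)
EOF
cat > "$BAD_CONF" <<'EOF'
default=0
title Red Hat Enterprise Linux (2.6.32-example)
        root (hd0,0)
        password --encrypted $6$PLACEHOLDERsalt$PLACEHOLDERhash
EOF
```

Run `audit_grub_password` on a live RHEL 6 host to evaluate the real files; the two sample files only exercise the check logic.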

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_6_V2R2_STIG.zip

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-3, CAT|II, CCI|CCI-000213, Rule-ID|SV-217904r603264_rule, STIG-ID|RHEL-06-000068, STIG-Legacy|SV-50386, STIG-Legacy|V-38585, Vuln-ID|V-217904

Plugin: Unix

Control ID: 8475f84c4dd91c75fb11811355d7ca65245e0902538cd562ee5838430244cef6