CCE-90923-4 | Platform: rhel7,centos7 | Date: (C)2017-06-29 (M)2022-10-10 |
Set Boot Loader Password
The grub2 boot loader should have a superuser account and password
protection enabled to protect boot-time settings.
To do so, select a superuser account and password and add them into the
appropriate grub2 configuration file(s) under '/etc/grub.d'.
Since plaintext passwords are a security risk, generate a hash for the password
by running the following command:
'$ grub2-mkpasswd-pbkdf2'
When prompted, enter the password that was selected and insert the returned
password hash into the appropriate grub2 configuration file(s) under
'/etc/grub.d' immediately after the superuser account.
(Use the output from 'grub2-mkpasswd-pbkdf2' as the value of
Parameter:
Technical Mechanism:
Password protection on the boot loader configuration ensures
users with physical access cannot trivially alter
important bootloader settings. These include which kernel to use,
and whether to enter single-user mode. For more information on how to configure
the grub2 superuser account and password, please refer to
https://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/sec-GRUB_2_Password_Protection.html .
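An added audit sketch for the setting described above (not part of the original record or any vendor tooling): it checks one grub2 fragment for a superuser whose account name is followed directly by a PBKDF2 hash. The function name `check_grub_password`, the sample fragment and its placeholder hash are constructed for illustration; `set superusers` and `password_pbkdf2` are the GRUB2 directives assumed here, and the check expects the literal hash to appear in the file.

```shell
#!/bin/sh
# Added example: audit a grub2 fragment for a superuser with a PBKDF2 hash.
# Returns 0 when compliant, 1 on a finding, 2 when the file is unreadable.
check_grub_password() {
    file=$1
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }

    # Account names from the last: set superusers="a,b". Commented lines never match.
    users=$(sed -n 's/^[[:space:]]*set[[:space:]]\{1,\}superusers="\([^"]*\)".*/\1/p' "$file" |
            tail -n 1 | tr ',;|&' '    ')
    set -- $users
    [ $# -gt 0 ] || { echo "FAIL: no superusers defined in $file"; return 1; }

    rc=0
    for u in "$@"; do
        # The hash must sit directly after the account name on a password_pbkdf2 line.
        if awk -v u="$u" '$1 == "password_pbkdf2" && $2 == u &&
               $3 ~ /^grub\.pbkdf2\.sha512\.[0-9]+\.[0-9A-Fa-f]+\.[0-9A-Fa-f]+$/ { ok = 1 }
               END { exit !ok }' "$file"; then
            echo "OK: $u has a PBKDF2 hash"
        elif awk -v u="$u" '$1 == "password" && $2 == u { bad = 1 }
               END { exit !bad }' "$file"; then
            echo "FAIL: $u uses a plaintext password directive"; rc=1
        else
            echo "FAIL: $u has no password entry"; rc=1
        fi
    done
    return $rc
}

# Constructed sample fragment; the hash is a placeholder, not real tool output.
sample=$(mktemp)
cat > "$sample" <<'EOF'
set superusers="admin"
password_pbkdf2 admin grub.pbkdf2.sha512.10000.ABCDEF01.0123456789ABCDEF
EOF
check_grub_password "$sample" || true
rm -f "$sample"
```
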
Fix:
No Remediation Info
References:
Resource Id | Reference |
---|---|
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:30579 |
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:31302 |