|Platform: rhel7,centos7||Date: (C)2017-06-29 (M)2020-01-20|
Set Boot Loader Password
The grub2 boot loader should have a superuser account and password
protection enabled to protect boot-time settings.
To do so, select a superuser account and password and add them into the
appropriate grub2 configuration file(s) under '/etc/grub.d'.
Since plaintext passwords are a security risk, generate a hash for the password
by running the 'grub2-mkpasswd-pbkdf2' command.
When prompted, enter the password that was selected and insert the returned
password hash into the appropriate grub2 configuration file(s) under
'/etc/grub.d' immediately after the superuser account.
(Use the output from 'grub2-mkpasswd-pbkdf2' as the value of
Password protection on the boot loader configuration ensures
users with physical access cannot trivially alter
important bootloader settings. These include which kernel to use,
and whether to enter single-user mode. For more information on how to configure
the grub2 superuser account and password, please refer to
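One way to audit the result of the steps described above, as an added example that is not part of the original rule text or its OVAL content: a shell function that checks a grub2 configuration fragment for a superuser account and a matching PBKDF2 password entry, and flags a plaintext password. The function names, return codes, the 'bootadmin' account and the shortened hash values are constructed for illustration; `set superusers` and `password_pbkdf2` are the standard grub2 directives.

```shell
#!/bin/sh
# Added example: audit a grub2 configuration fragment for password protection.
# Return codes (convention assumed for this example):
#   0 superuser defined and protected by a PBKDF2 hash
#   1 no 'set superusers' line
#   2 superuser has a plaintext 'password' entry
#   3 superuser has no 'password_pbkdf2' entry
check_grub_password() {
    cfg="$1"
    # First account named in: set superusers="name[,name...]"
    su=$(sed -n 's/^[[:space:]]*set[[:space:]]\{1,\}superusers="\{0,1\}\([^",; ]*\).*/\1/p' "$cfg" | head -n 1)
    [ -n "$su" ] || return 1
    # Plaintext form: password <user> <cleartext>
    if grep -Eq "^[[:space:]]*password[[:space:]]+$su[[:space:]]+" "$cfg"; then
        return 2
    fi
    # Hashed form: password_pbkdf2 <user> grub.pbkdf2.sha512.<iter>.<salt>.<hash>
    if grep -Eq "^[[:space:]]*password_pbkdf2[[:space:]]+$su[[:space:]]+grub\.pbkdf2\.sha512\.[0-9]+\.[0-9A-Fa-f]+\.[0-9A-Fa-f]+" "$cfg"; then
        return 0
    fi
    return 3
}

# Constructed sample fragments; account name and hash values are placeholders.
make_samples() {
    dir=$(mktemp -d)
    printf '%s\n' 'set superusers="bootadmin"' \
        'password_pbkdf2 bootadmin grub.pbkdf2.sha512.10000.A1B2C3.D4E5F6' > "$dir/hashed.cfg"
    printf '%s\n' 'set superusers="bootadmin"' \
        'password bootadmin changeme' > "$dir/plain.cfg"
    printf '%s\n' 'set superusers="bootadmin"' > "$dir/nopass.cfg"
    printf '%s\n' 'set timeout=5' > "$dir/nosuper.cfg"
    echo "$dir"
}

d=$(make_samples)
for f in hashed plain nopass nosuper; do
    rc=0
    check_grub_password "$d/$f.cfg" || rc=$?
    echo "$f.cfg -> $rc"
done
rm -rf "$d"
```

The same function can be pointed at an edited file under '/etc/grub.d', since the directives appear there one per line in the same form.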
No Remediation Info
|SCAP Repo OVAL Definition||oval:org.secpod.oval:def:30579|
|SCAP Repo OVAL Definition||oval:org.secpod.oval:def:31302|