Skip to content

1.4.1 Ensure bootloader password is set

Audit#

Run the following commands and verify output matches: 

# grep "^set superusers" /boot/grub/grub.cfg
set superusers="<username>"
# grep "^password" /boot/grub/grub.cfg
password_pbkdf2 <username> <encrypted-password>

Remediation#

Create an encrypted password with grub-mkpasswd-pbkdf2: 

# grub-mkpasswd-pbkdf2
Enter password: <password>
Reenter password: <password>
PBKDF2 hash of your password is <encrypted-password>

Add the following into a custom /etc/grub.d configuration file: 

cat <<EOF
set superusers="<username>"
password_pbkdf2 <username> <encrypted-password>
EOF

The superuser/user information and password should not be contained in the /etc/grub.d/00_header file as this file could be overwritten in a package update.

If there is a requirement to be able to boot/reboot without entering the password, edit /etc/grub.d/10_linux and add --unrestricted to the line CLASS=

Example: 

CLASS="--class gnu-linux --class gnu --class os --unrestricted"

Run the following command to update the grub2 configuration: 

# update-grub

Default Value:

This recommendation is designed around the grub bootloader, if LILO or another bootloader is in use in your environment enact equivalent settings.

Replace /boot/grub/grub.cfg with the appropriate grub configuration file for your environment.