1.4.1 Ensure bootloader password is set
Audit
Run the following commands and verify that the output matches (with <username> replaced by the configured superuser and <encrypted-password> by a PBKDF2 hash string, never a plaintext password):
# grep "^set superusers" /boot/grub/grub.cfg
set superusers="<username>"
# grep "^password" /boot/grub/grub.cfg
password_pbkdf2 <username> <encrypted-password>
Remediation
Generate a PBKDF2 password hash with grub-mkpasswd-pbkdf2 (this hash is what the <encrypted-password> placeholder refers to):
# grub-mkpasswd-pbkdf2
Enter password: <password>
Reenter password: <password>
PBKDF2 hash of your password is <encrypted-password>
Add the set superusers and password_pbkdf2 lines shown in the Audit section to a custom /etc/grub.d configuration file: a short executable script (grub-mkconfig only runs files in /etc/grub.d that have the execute bit set) that prints those two lines, so that they are copied into grub.cfg when the configuration is regenerated.
The superuser/user information and password should not be contained in the /etc/grub.d/00_header file as this file could be overwritten in a package update. Keep in mind that the hash is copied into /boot/grub/grub.cfg, so that file must not be world-readable (see the companion recommendation on bootloader configuration file permissions).
If there is a requirement to be able to boot/reboot without entering the password, edit /etc/grub.d/10_linux and add --unrestricted to the line beginning CLASS=
Example:
CLASS="--class gnu-linux --class gnu --class os --unrestricted"
With --unrestricted anyone can boot the generated menu entries, but the superuser password is still required to edit an entry or drop to the GRUB command line. Note that 10_linux is also shipped by the grub package, so re-check this edit after package updates.
Run the following command to update the grub2 configuration:
# update-grub
On distributions without the update-grub wrapper, run grub-mkconfig -o /boot/grub/grub.cfg instead. Afterwards re-run the Audit commands to confirm that both lines were generated into grub.cfg.
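The remediation above is a three-step procedure: generate a hash, emit it from a custom /etc/grub.d script, regenerate grub.cfg and audit. The following POSIX shell helpers, added here as an example and not part of the CIS benchmark text, tie the steps together: an audit function that checks a grub.cfg the way the Audit greps do (and additionally requires the password line to name the same user as the superusers line), a sanity check on the string returned by grub-mkpasswd-pbkdf2 so that a plaintext password is never pasted into the configuration by mistake, and a generator for the custom /etc/grub.d fragment. The file name /etc/grub.d/01_users, the user names and the sample hash are assumptions or constructed data; nothing here writes to the real /boot or /etc/grub.d.

```shell
#!/bin/sh
# Added example (not CIS benchmark code). Assumes a GRUB 2 system; the demo at the
# bottom works only on temporary files so it can be run as a normal user.

# audit_bootloader_password FILE
# Returns 0 when FILE has an uncommented 'set superusers="<user>"' line and a
# 'password_pbkdf2 <user> grub.pbkdf2.sha512.*' line for that same user, else 1.
audit_bootloader_password() {
    cfg=$1
    [ -r "$cfg" ] || { echo "audit: cannot read $cfg" >&2; return 1; }
    user=$(sed -n 's/^set superusers="\([^"]*\)".*/\1/p' "$cfg" | head -n 1)
    if [ -z "$user" ]; then
        echo "audit: FAIL - no 'set superusers' line in $cfg"
        return 1
    fi
    # awk rather than grep so a user name with regex metacharacters is compared literally
    if awk -v u="$user" '$1 == "password_pbkdf2" && $2 == u && $3 ~ /^grub\.pbkdf2\.sha512\./ { ok = 1 }
                         END { exit ok ? 0 : 1 }' "$cfg"; then
        echo "audit: PASS - superuser '$user' has a PBKDF2 password in $cfg"
        return 0
    fi
    echo "audit: FAIL - superuser '$user' has no password_pbkdf2 line in $cfg"
    return 1
}

# pbkdf2_hash_ok HASH
# grub-mkpasswd-pbkdf2 prints grub.pbkdf2.sha512.<iterations>.<salt-hex>.<digest-hex>.
# Reject anything else: a pasted plaintext password would otherwise land in grub.cfg.
pbkdf2_hash_ok() {
    case $1 in grub.pbkdf2.sha512.*) ;; *) return 1 ;; esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ "$#" -eq 6 ] || return 1
    [ "$4" -gt 0 ] 2>/dev/null || return 1             # iteration count
    case "$5$6" in *[!0-9A-Fa-f]*|'') return 1 ;; esac  # salt and digest are hex
    digest=$6
    [ ${#digest} -eq 128 ]                                # SHA-512 digest is 64 bytes
}

# grub_d_fragment USER HASH
# Print the body of a custom /etc/grub.d script (assumed name: /etc/grub.d/01_users,
# which must be chmod +x so grub-mkconfig/update-grub runs it). Whatever the script
# prints is copied verbatim into grub.cfg, which is exactly what the Audit greps expect.
grub_d_fragment() {
    pbkdf2_hash_ok "$2" || { echo "refusing to write fragment: '$2' is not a GRUB PBKDF2 hash" >&2; return 1; }
    printf '#!/bin/sh\ncat <<EOF\nset superusers="%s"\npassword_pbkdf2 %s %s\nEOF\n' "$1" "$1" "$2"
}

# Constructed sample hash (all-zero salt and digest, NOT a real grub-mkpasswd-pbkdf2
# result) with the correct shape: 64 hex chars of salt, 128 hex chars of digest.
DEMO_HASH="grub.pbkdf2.sha512.10000.$(printf '%064d' 0).$(printf '%0128d' 0)"

demo() {
    good=$(mktemp) bad=$(mktemp)
    # Execute the generated fragment, as grub-mkconfig would, to obtain the grub.cfg lines.
    grub_d_fragment root "$DEMO_HASH" | sh > "$good"
    # A config that declares a superuser but never sets a password must fail the audit.
    printf 'set superusers="root"\n' > "$bad"
    audit_bootloader_password "$good"
    audit_bootloader_password "$bad" || true
    rm -f "$good" "$bad"
}
demo
```

On a real system the fragment would be written with `grub_d_fragment "$USER" "$HASH" > /etc/grub.d/01_users && chmod 755 /etc/grub.d/01_users`, followed by update-grub (or grub-mkconfig -o /boot/grub/grub.cfg) and a final `audit_bootloader_password /boot/grub/grub.cfg`. The hash check is deliberately strict about the digest length because the Audit greps would happily accept any string after `password_pbkdf2`, including a plaintext password.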
Default Value:
This recommendation is designed around the grub bootloader; if LILO or another bootloader is in use in your environment, apply equivalent settings. A bootloader password only protects GRUB's own menu and command line: it does not prevent booting from removable media or offline modification of the disk, so pair it with a firmware (UEFI/BIOS) password and disk encryption where physical access is a concern.
Replace /boot/grub/grub.cfg with the appropriate grub configuration file for your environment (for example /boot/grub2/grub.cfg on distributions that use the grub2 naming, or the grub.cfg located under /boot/efi/EFI/ on some UEFI systems).