Check: RHEL-06-000068
Red Hat Enterprise Linux 6 STIG:
RHEL-06-000068
(in versions v2 r2 through v1 r16)
Title
The system boot loader must require authentication. (Cat II impact)
Discussion
Password protection on the boot loader configuration ensures users with physical access cannot trivially alter important bootloader settings. These include which kernel to use, and whether to enter single-user mode.
Check Content
To verify the boot loader password has been set and encrypted, run the following command:

# grep password /boot/grub/grub.conf

The output should show the following:

password --encrypted $6$[rest-of-the-password-hash]

If it does not, this is a finding. The "$6$" prefix identifies a SHA-512 hash; a "password" line with no "--encrypted" option (a plaintext password), or one whose hash starts with "$1$" (MD5, as produced by "password --md5"), does not meet this requirement and is also a finding.

If the system uses UEFI, the active configuration lives on the EFI System Partition; verify the boot loader password has been set and encrypted there instead:

# grep password /boot/efi/EFI/redhat/grub.conf
Fix Text
The grub boot loader should have password protection enabled to protect boot-time settings. To do so, select a password and then generate a hash from it by running the following command:

# grub-crypt --sha-512

Enter the password when prompted (grub-crypt asks for it twice), then insert the following line into "/boot/grub/grub.conf" (BIOS systems) or "/boot/efi/EFI/redhat/grub.conf" (UEFI systems) immediately after the header comments, using the output from "grub-crypt" as the value of [password-hash]:

password --encrypted [password-hash]

The line must appear in the global section, before the first "title" stanza; a "password" directive placed inside a "title" stanza only locks that one menu entry and does not protect the menu editor or single-user mode.
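The following shell script automates the check above. It is an added example, not part of the STIG text or of any Red Hat tooling; the function names (grub_conf_path, check_grub_password) and the sample grub.conf files it writes to a temporary directory are constructed for demonstration. Beyond the literal grep in the check, it restricts the search to the global section (before the first "title" stanza) and distinguishes a compliant SHA-512 line from the MD5, plaintext, commented-out and wrong-section variants that a bare grep would also match.

```shell
#!/bin/sh
# Added example (not from the STIG): automated RHEL-06-000068 check for a
# GRUB Legacy grub.conf. A compliant file has "password --encrypted $6$..."
# in the global section, i.e. before the first "title" stanza.

# Assumed helper: choose the grub.conf that applies to this system.
# UEFI firmware exposes /sys/firmware/efi; otherwise assume BIOS boot.
grub_conf_path() {
    if [ -d /sys/firmware/efi ]; then
        echo /boot/efi/EFI/redhat/grub.conf
    else
        echo /boot/grub/grub.conf
    fi
}

# check_grub_password FILE
# Prints a one-line verdict; returns 0 for compliant, 1 for a finding.
check_grub_password() {
    file=$1
    [ -r "$file" ] || { echo "FINDING: $file not found or unreadable"; return 1; }

    # Keep only the global section: GRUB Legacy requires the password
    # directive there; inside a "title" stanza it locks that entry only.
    global=$(awk '/^[[:space:]]*title([[:space:]]|$)/ {exit} {print}' "$file")

    # Drop comments (a commented-out directive does not count), then take
    # the first real "password" directive.
    line=$(printf '%s\n' "$global" | sed 's/#.*//' \
           | grep -E '^[[:space:]]*password([[:space:]]|$)' | head -n 1)

    if [ -z "$line" ]; then
        echo "FINDING: no password directive in global section of $file"
        return 1
    fi

    case "$line" in
        *--encrypted*'$6$'*)
            echo "PASS: SHA-512 encrypted boot loader password set in $file"
            return 0 ;;
        *--md5*|*--encrypted*'$1$'*)
            echo "FINDING: boot loader password uses MD5, not SHA-512: $line"
            return 1 ;;
        *--encrypted*)
            echo "FINDING: --encrypted present but hash is not SHA-512 (\$6\$): $line"
            return 1 ;;
        *)
            echo "FINDING: boot loader password stored in plaintext: $line"
            return 1 ;;
    esac
}

# Constructed sample configurations (hash values are placeholders, not real).
tmp=$(mktemp -d)
cat > "$tmp/good.conf" <<'EOF'
# grub.conf generated by anaconda
default=0
timeout=5
password --encrypted $6$saltsalt$placeholderhashplaceholderhashplaceholderhash
title Red Hat Enterprise Linux 6
        root (hd0,0)
        kernel /vmlinuz-2.6.32-754.el6.x86_64 ro root=/dev/mapper/vg-root
        initrd /initramfs-2.6.32-754.el6.x86_64.img
EOF
cat > "$tmp/md5.conf" <<'EOF'
default=0
password --md5 $1$saltsalt$placeholderhash
title Red Hat Enterprise Linux 6
EOF
cat > "$tmp/plain.conf" <<'EOF'
default=0
password Sup3rSecret
title Red Hat Enterprise Linux 6
EOF
cat > "$tmp/commented.conf" <<'EOF'
default=0
# password --encrypted $6$saltsalt$placeholderhash
title Red Hat Enterprise Linux 6
EOF
cat > "$tmp/wrongsection.conf" <<'EOF'
default=0
title Red Hat Enterprise Linux 6
        password --encrypted $6$saltsalt$placeholderhash
EOF

status=0
for f in good md5 plain commented wrongsection; do
    check_grub_password "$tmp/$f.conf" || status=1
done
echo "On this host the live check would read: $(grub_conf_path)"
rm -rf "$tmp"
```

Run it as root on the target to check the live file with `check_grub_password "$(grub_conf_path)"`; the sample loop exercises the five cases (only good.conf passes) without touching the system's own configuration.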
Additional Identifiers
Rule ID: SV-217904r603264_rule
Vulnerability ID: V-217904
Group Title: SRG-OS-000080
CCIs
Number | Definition
---|---
CCI-000213 | Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
Controls
Number | Title
---|---
AC-3 | Access Enforcement