1.4.2 Ensure bootloader password is set


Setting the boot loader password will require that anyone rebooting the system must enter a password before being able to set command line boot parameters


Requiring a boot password upon execution of the boot loader will prevent an unauthorized user from entering boot parameters or changing the boot partition. This prevents users from weakening security (e.g. turning off SELinux at boot time).


Create an encrypted password with grub-md5-crypt:

# grub-md5-crypt

Password: <password>
Retype Password: <password>


Copy and paste the <encrypted-password> into the global section of /boot/grub/grub.conf OR on systems using UEFI, into the global section of /boot/efi/EFI/*/grub.conf:

password --md5 <encrypted-password>

Additional Information:

This recommendation is designed around the grub bootloader, if LILO or another bootloader is in use in your environment enact equivalent settings.

See Also


Item Details


References: 800-53|CM-6, CSCv6|5.1, CSCv7|5.1

Plugin: Unix

Control ID: 1af7f8ae31542df6a85c4cc44dec137c86de7e2f550d7d6faaf31fe599d19d81