1.4.1 Ensure bootloader password is set

Information

Setting the boot loader password will require that anyone rebooting the system must enter a password before being able to set command line boot parameters.

Rationale:

Requiring a boot password upon execution of the boot loader will prevent an unauthorized user from entering boot parameters or changing the boot partition. This prevents users from weakening security (e.g. turning off SELinux at boot time).

Impact:

If password protection is enabled, only the designated superuser can edit a Grub 2 menu item by pressing 'e' or access the GRUB 2 command line by pressing 'c'

If GRUB 2 is set up to boot automatically to a password-protected menu entry the user has no option to back out of the password prompt to select another menu entry. Holding the SHIFT key will not display the menu in this case. The user must enter the correct username and password. If unable, the configuration files will have to be edited via the LiveCD or other means to fix the problem

Solution

Create an encrypted password with grub2-setpassword:

# grub2-setpassword

Enter password: <password>
Confirm password: <password>




Additional Information:

This recommendation is designed around the grub2 bootloader, if LILO or another bootloader is in use in your environment enact equivalent settings.

grub-setpassword outputs the user.cfg file which contains the hashed GRUB bootloader password. This utility only supports configurations where there is a single root user.

NIST SP 800-53 Rev. 5:

AC-3

MP-2

See Also

https://workbench.cisecurity.org/files/4198

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: Unix

Control ID: 29220dfaf460af14f750f31349596dbb1e8eaed8b5bf14a16d14b1c5d490e398