Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-38585 | RHEL-06-000068 | SV-50386r4_rule | Medium |
Description |
---|
Password protection on the boot loader configuration ensures users with physical access cannot trivially alter important bootloader settings. These include which kernel to use, and whether to enter single-user mode. |
STIG | Date |
---|---|
Red Hat Enterprise Linux 6 Security Technical Implementation Guide | 2017-05-19 |
Check Text ( C-46143r4_chk ) |
---|
To verify the boot loader password has been set and encrypted, run the following command: # grep password /boot/grub/grub.conf The output should show the following: password --encrypted $6$[rest-of-the-password-hash] If it does not, this is a finding. If the system uses UEFI verify the boot loader password has been set and encrypted: # grep password /boot/efi/EFI/redhat/grub.conf |
Fix Text (F-43533r3_fix) |
---|
The grub boot loader should have password protection enabled to protect boot-time settings. To do so, select a password and then generate a hash from it by running the following command: # grub-crypt --sha-512 When prompted to enter a password, insert the following line into "/boot/grub/grub.conf" or “/boot/efi/EFI/redhat/grub.conf” immediately after the header comments. (Use the output from "grub-crypt" as the value of [password-hash]): password --encrypted [password-hash] |