{"description": "The grub2 boot loader should have a superuser account and password\nprotection enabled to protect boot-time settings.\n<br /><br />\nSince plaintext passwords are a security risk, generate a hash for the password\nby running the following command: <pre># grub2-mkpasswd-pbkdf2</pre>\nWhen prompted, enter the password that was selected.\n<br /><br />\nUsing the hash from the output, modify the <tt>/etc/grub.d/40_custom</tt>\nfile with the following content:\n<pre>set superusers=\"root\"\npassword_pbkdf2 boot grub.pbkdf2.sha512.VeryLongString\n</pre>\nOnce the superuser password has been added, update the\n<tt>grub.cfg</tt> file by running:\n<pre>grub2-mkconfig -o /boot/grub/grub.cfg</pre>", "rationale": "Password protection on the boot loader configuration ensures\nusers with physical access cannot trivially alter\nimportant bootloader settings. These include which kernel to use,\nand whether to enter single-user mode.", "severity": "high", "references": {"nist": ["AC-3", "AC-3.1", "AC-3"], "srg": ["SRG-OS-000080-GPOS-00048"]}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "it does not", "ocil": "To verify the boot loader superuser password has been set, run the following\ncommand:\n<pre># grep -i password /boot/grub/grub.cfg</pre>\nThe output should show the following:\n<pre>password_pbkdf2 <b>superusers-account</b> <b>${GRUB2_PASSWORD}</b></pre>", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [{"general": "To prevent hard-coded passwords, automatic remediation of this control is not available. Remediation\nmust be automated as a component of machine provisioning, or followed manually as outlined above.\n\nAlso, do NOT manually add the superuser account and password to the\n<tt>grub.cfg</tt> file as the grub2-mkconfig command overwrites this file."}], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["grub2 and system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["grub2_and_system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Set the UEFI Boot Loader Password - systems prior to version 7.2", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password_legacy/rule.yml", "template": null}