STIG ID: ALMA-09-006290 | SRG: SRG-OS-000080-GPOS-00048 | Severity: medium | CCI: | Vulnerability Id: V-269137
Password protection on the boot loader configuration ensures users with physical access cannot trivially alter important bootloader settings. These settings include which kernel to boot and whether to enter single-user mode.
Configure AlmaLinux OS 9 to require a grub bootloader password for the grub superuser account.
Generate an encrypted grub2 password for the grub superuser account with the following command:
$ grub2-setpassword
Enter password:
Confirm password:
Verify the boot loader superuser password is required using the following command:
$ grep password /etc/grub2.cfg
password_pbkdf2 superman ${GRUB2_PASSWORD}
Verify the boot loader superuser password has been set and the password is encrypted using the following command:
$ cat /boot/grub2/user.cfg
GRUB2_PASSWORD=grub.pbkdf2.sha512.10000.5766DCE424DCD4F0A2F5AC774C044BE8B904BC
F0022B671CD5E522A3568C599F327EBA3F3F5AB30D69A9B9A4FD172B12435BC10BE0A9B40669FB
A5C5ECBE8D1B.EAC815AE6F8A3F79F800D2EC7F454933BC3D63282532AAB1C487CA25331DD359F
5BF61166EDB53FB33977E982A9F20327D988DA15CBF7E4238357E65C5AEAF3C
If a "GRUB2_PASSWORD" is not set, this is a finding.
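The two verification steps above can be combined into one scripted check. This is an added example, not part of the STIG text; the function name check_grub_password is hypothetical, the default paths are the ones named on this page, and the sample files used to exercise it are constructed.

```shell
#!/bin/sh
# check_grub_password [GRUB_CFG] [USER_CFG]
# Hypothetical audit helper (added example). Returns 0 when compliant,
# 1 on a finding, and prints a one-line status either way.
check_grub_password() {
    grub_cfg=${1:-/etc/grub2.cfg}
    user_cfg=${2:-/boot/grub2/user.cfg}

    for f in "$grub_cfg" "$user_cfg"; do
        if [ ! -r "$f" ]; then
            echo "FINDING: cannot read $f"
            return 1
        fi
    done

    # The config must carry an active (not commented-out) directive of the
    # form: password_pbkdf2 <user> <hash or ${GRUB2_PASSWORD}>
    if ! grep -Eq '^[[:space:]]*password_pbkdf2[[:space:]]+[^[:space:]]+[[:space:]]+[^[:space:]]+' "$grub_cfg"; then
        echo "FINDING: no password_pbkdf2 directive in $grub_cfg"
        return 1
    fi

    # Use the last uncommented GRUB2_PASSWORD assignment in user.cfg.
    value=$(sed -n 's/^[[:space:]]*GRUB2_PASSWORD=//p' "$user_cfg" | tail -n 1)
    if [ -z "$value" ]; then
        echo "FINDING: GRUB2_PASSWORD is not set in $user_cfg"
        return 1
    fi

    # Encrypted form: grub.pbkdf2.sha512.<iterations>.<hex salt>.<hex hash>
    if ! printf '%s\n' "$value" | grep -Eq '^grub\.pbkdf2\.sha512\.[0-9]+\.[0-9A-Fa-f]+\.[0-9A-Fa-f]+$'; then
        echo "FINDING: GRUB2_PASSWORD in $user_cfg is not a PBKDF2 hash"
        return 1
    fi

    echo "OK: boot loader password is set and stored as a PBKDF2 hash"
    return 0
}
```

Call check_grub_password with no arguments to audit the live system; a non-zero exit status corresponds to a finding.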