highsystemverified ✓
Set GRUB bootloader password
grub-password · RHEL ≥ 8 · 1 impl
Description
The GRUB bootloader should be protected with a password to prevent unauthorized users from modifying boot parameters or accessing single-user mode.
Rationale
Without a bootloader password, an attacker with physical access can boot into single-user mode or modify kernel parameters to gain unauthorized root access.
Check → Remediate
Checkcommand
grep -E '^GRUB2_PASSWORD=' /boot/grub2/user.cfg 2>/dev/null || grep -E '^password' /boot/grub2/grub.cfg 2>/dev/null
- expected_exit:
- 0
Remediatemanual
- note:
- Set GRUB bootloader password using grub2-setpassword command: grub2-setpassword This will prompt for a password and create /boot/grub2/user.cfg
Framework references
CIS
rhel8 1.4.1rhel9 1.4.1rhel10 1.4.1
STIG
V-281166 / RHEL-10-600000V-257787V-230235 / RHEL-08-010150
NIST 800-53
AC-3
Live verification
rhel10:checkrhel8:checkrhel9:check
#grub#bootloader#physical-security