← Rules Catalog
highsystemverified

Set GRUB bootloader password

grub-password · RHEL ≥ 8 · 1 impl

Description

The GRUB bootloader should be protected with a password to prevent unauthorized users from modifying boot parameters or accessing single-user mode.

Rationale

Without a bootloader password, an attacker with physical access can boot into single-user mode or modify kernel parameters to gain unauthorized root access.

Check → Remediate

Checkcommand
grep -E '^GRUB2_PASSWORD=' /boot/grub2/user.cfg 2>/dev/null || grep -E '^password' /boot/grub2/grub.cfg 2>/dev/null
expected_exit:
0
Remediatemanual
note:
Set GRUB bootloader password using grub2-setpassword command: grub2-setpassword This will prompt for a password and create /boot/grub2/user.cfg

Framework references

CIS

rhel8 1.4.1rhel9 1.4.1rhel10 1.4.1

STIG

V-281166 / RHEL-10-600000V-257787V-230235 / RHEL-08-010150

NIST 800-53

AC-3

Live verification

rhel10:checkrhel8:checkrhel9:check
#grub#bootloader#physical-security