The system boot loader must require authentication.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-38585	RHEL-06-000068	SV-50386r2_rule		Medium

Description
Password protection on the boot loader configuration ensures users with physical access cannot trivially alter important bootloader settings. These include which kernel to use, and whether to enter single-user mode.

STIG	Date
Red Hat Enterprise Linux 6 Security Technical Implementation Guide	2015-05-26

Details

Check Text ( C-46143r2_chk )
To verify the boot loader password has been set and encrypted, run the following command: # grep password /etc/grub.conf The output should show the following: password --encrypted $6$[rest-of-the-password-hash] If it does not, this is a finding.

Fix Text (F-43533r1_fix)
The grub boot loader should have password protection enabled to protect boot-time settings. To do so, select a password and then generate a hash from it by running the following command: # grub-crypt --sha-512 When prompted to enter a password, insert the following line into "/etc/grub.conf" immediately after the header comments. (Use the output from "grub-crypt" as the value of [password-hash]): password --encrypted [password-hash]

Fix Text (F-43533r1_fix)

The grub boot loader should have password protection enabled to protect boot-time settings. To do so, select a password and then generate a hash from it by running the following command:

# grub-crypt --sha-512

When prompted to enter a password, insert the following line into "/etc/grub.conf" immediately after the header comments. (Use the output from "grub-crypt" as the value of [password-hash]):

password --encrypted [password-hash]