Vulnerability Discussion
Password protection on the boot loader configuration ensures that users with physical access cannot trivially alter important boot loader settings, such as which kernel to boot and whether to enter single-user mode.
Check
Verify the boot loader superuser password is required using the following command:
$ grep password /etc/grub2.cfg
password_pbkdf2 superman ${GRUB2_PASSWORD}
Verify the boot loader superuser password has been set and the password is encrypted using the following command:
$ cat /boot/grub2/user.cfg
GRUB2_PASSWORD=grub.pbkdf2.sha512.10000.5766DCE424DCD4F0A2F5AC774C044BE8B904BCF0022B671CD5E522A3568C599F327EBA3F3F5AB30D69A9B9A4FD172B12435BC10BE0A9B40669FB​A5C5ECBE8D1B.EAC815AE6F8A3F79F800D2EC7F454933BC3D63282532AAB1C487CA25331DD359F5BF61166EDB53FB33977E982A9F20327D988DA15CBF7E4238357E65C5AEAF3C
If a "GRUB2_PASSWORD" is not set, this is a finding.
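The two checks above can be scripted so an auditor gets a pass/finding result instead of reading the files by eye. The following is an added example written for this page, not part of the STIG text or of any AlmaLinux tooling. It takes the two config paths as parameters so it can be run against constructed sample files; on a real host the arguments would be /etc/grub2.cfg and /boot/grub2/user.cfg. The sample configs and hash values it writes into a temporary directory are made up.

```shell
#!/bin/sh
# Added example (not part of the STIG text): apply both steps of the Check
# section to a grub2.cfg and a user.cfg path.
# Returns 0 (compliant) when grub2.cfg carries a password_pbkdf2 entry and
# user.cfg sets GRUB2_PASSWORD to a PBKDF2-SHA512 hash; returns 1 (finding)
# otherwise. Paths are parameters so the function can be exercised against
# constructed files; use /etc/grub2.cfg and /boot/grub2/user.cfg on a host.
check_grub_password() {
    grub_cfg="$1"
    user_cfg="$2"

    # Step 1: the generated grub2.cfg must reference the superuser password entry.
    if ! grep -q 'password_pbkdf2' "$grub_cfg" 2>/dev/null; then
        echo "finding: no password_pbkdf2 entry in $grub_cfg"
        return 1
    fi

    # Step 2: GRUB2_PASSWORD must be set, and it must be a hash rather than
    # a cleartext value (grub2-setpassword writes grub.pbkdf2.sha512.<iterations>...).
    hash=$(sed -n 's/^GRUB2_PASSWORD=//p' "$user_cfg" 2>/dev/null)
    if [ -z "$hash" ]; then
        echo "finding: GRUB2_PASSWORD is not set in $user_cfg"
        return 1
    fi
    case "$hash" in
        grub.pbkdf2.sha512.*) ;;
        *) echo "finding: GRUB2_PASSWORD in $user_cfg is not a PBKDF2-SHA512 hash"; return 1 ;;
    esac

    echo "compliant: boot loader superuser password is set and hashed"
    return 0
}

# Constructed sample files for an offline run; the hash fragments are made up.
demo_dir=$(mktemp -d)
printf 'set superusers="root"\npassword_pbkdf2 root ${GRUB2_PASSWORD}\n' > "$demo_dir/good-grub2.cfg"
printf 'GRUB2_PASSWORD=grub.pbkdf2.sha512.10000.AAAA1111.BBBB2222\n' > "$demo_dir/good-user.cfg"
printf 'set timeout=5\n' > "$demo_dir/bad-grub2.cfg"          # no password entry at all
printf 'GRUB2_PASSWORD=cleartext-secret\n' > "$demo_dir/bad-user.cfg"  # set, but not hashed
: > "$demo_dir/empty-user.cfg"                                 # GRUB2_PASSWORD missing

check_grub_password "$demo_dir/good-grub2.cfg" "$demo_dir/good-user.cfg"
check_grub_password "$demo_dir/bad-grub2.cfg"  "$demo_dir/good-user.cfg"  || true
check_grub_password "$demo_dir/good-grub2.cfg" "$demo_dir/bad-user.cfg"   || true
check_grub_password "$demo_dir/good-grub2.cfg" "$demo_dir/empty-user.cfg" || true
```

The second test deliberately goes one step beyond the STIG wording: a GRUB2_PASSWORD that is present but not in the grub.pbkdf2.sha512 form is also reported as a finding, since the Check text requires the password to be encrypted, not merely set.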
Fix
Configure AlmaLinux OS 9 to require a grub bootloader password for the grub superuser account.
Generate an encrypted grub2 password for the grub superuser account with the following command:
$ grub2-setpassword
Enter password:
Confirm password: