Vulnerability Discussion
Having a nondefault grub superuser username makes password-guessing attacks less effective.
Check
Verify the boot loader superuser account has been set with the following command:
$ sudo grep -A1 "superusers" /etc/grub2.cfg
set superusers=""
export superusers
The is the actual account name different from common names like root, admin, or administrator.
If superusers contains easily guessable usernames, this is a finding.
Fix
Configure RHEL 9 to have a unique username for the grub superuser account.
Edit the "/etc/grub.d/01_users" file and add or modify the following lines with a nondefault username for the superusers account:
set superusers=""
export superusers
Once the superuser account has been added, update the grub.cfg file by running:
$ sudo grubby --update-kernel=ALL