SV-221701r603260_rule
V-221701
SRG-OS-000080-GPOS-00048
OL07-00-010490
CAT I
10
Configure the system to encrypt the boot password for root.
Generate an encrypted grub2 password for root with the following command:
Note: The hash generated is an example.
# grub2-mkpasswd-pbkdf2
Enter Password:
Reenter Password:
PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.F3A7CFAA5A51EED123BE8238C23B25B2A6909AFC9812F0D45
Edit "/etc/grub.d/40_custom" and add the following lines below the comments:
# vi /etc/grub.d/40_custom
set superusers="root"
password_pbkdf2 root {hash from grub2-mkpasswd-pbkdf2 command}
Generate a new "grub.conf" file with the new password with the following commands:
# grub2-mkconfig --output=/tmp/grub2.cfg
# mv /tmp/grub2.cfg /boot/efi/EFI/redhat/grub.cfg
For systems that use BIOS, this is Not Applicable.
For systems that are running Oracle Linux 7.2 or newer, this is Not Applicable.
Check to see if an encrypted root password is set. On systems that use UEFI, use the following command:
# grep -i password /boot/efi/EFI/redhat/grub.cfg
password_pbkdf2 [superusers-account] [password-hash]
If the root password entry does not begin with "password_pbkdf2", this is a finding.
If the "superusers-account" is not set to "root", this is a finding.
V-221701
False
OL07-00-010490
For systems that use BIOS, this is Not Applicable.
For systems that are running Oracle Linux 7.2 or newer, this is Not Applicable.
Check to see if an encrypted root password is set. On systems that use UEFI, use the following command:
# grep -i password /boot/efi/EFI/redhat/grub.cfg
password_pbkdf2 [superusers-account] [password-hash]
If the root password entry does not begin with "password_pbkdf2", this is a finding.
If the "superusers-account" is not set to "root", this is a finding.
M
4089