Description:
Setting the boot loader password will require that anyone rebooting the system must
enter a password before being able to set command line boot parameters
Rationale:
Requiring a boot password upon execution of the boot loader will prevent an
unauthorized user from entering boot parameters or changing the boot partition. This
prevents users from weakening security (e.g. turning off AppArmor at boot time).
Impact:
If password protection is enabled, only the designated superuser can edit a Grub 2
menu item by pressing "e" or access the GRUB 2 command line by pressing "c"
If GRUB 2 is set up to boot automatically to a password-protected menu entry the user
has no option to back out of the password prompt to select another menu entry. Holding
the SHIFT key will not display the menu in this case. The user must enter the correct
username and password. If unable, the configuration files will have to be edited via the
LiveCD or other means to fix the problem
You can add --unrestricted to the menu entries to allow the system to boot without
entering a password. Password will still be required to edit menu items.
More Information: https://help.ubuntu.com/community/Grub2/Passwords
Audit:
Run the following commands and verify output matches:
Default Value:
This recommendation is designed around the grub bootloader, if LILO or another
bootloader is in use in your environment enact equivalent settings.
Replace /boot/grub/grub.cfg with the appropriate grub configuration file for your
environment.
Profile Applicability: Level 1 - Server Level 1 - Workstation
Description: Setting the boot loader password will require that anyone rebooting the system must enter a password before being able to set command line boot parameters
Rationale: Requiring a boot password upon execution of the boot loader will prevent an unauthorized user from entering boot parameters or changing the boot partition. This prevents users from weakening security (e.g. turning off AppArmor at boot time).
Impact: If password protection is enabled, only the designated superuser can edit a Grub 2 menu item by pressing "e" or access the GRUB 2 command line by pressing "c" If GRUB 2 is set up to boot automatically to a password-protected menu entry the user has no option to back out of the password prompt to select another menu entry. Holding the SHIFT key will not display the menu in this case. The user must enter the correct username and password. If unable, the configuration files will have to be edited via the LiveCD or other means to fix the problem You can add --unrestricted to the menu entries to allow the system to boot without entering a password. Password will still be required to edit menu items. More Information: https://help.ubuntu.com/community/Grub2/Passwords
Audit: Run the following commands and verify output matches:
Default Value: This recommendation is designed around the grub bootloader, if LILO or another bootloader is in use in your environment enact equivalent settings. Replace /boot/grub/grub.cfg with the appropriate grub configuration file for your environment.