STIGQter: STIG Summary: Red Hat Enterprise Linux 6 Security Technical Implementation Guide Version: 1 Release: 24 Benchmark Date: 25 Oct 2019: The system boot loader must require authentication.

DISA Rule

SV-50386r4_rule

Vulnerability Number

V-38585

Group Title

SRG-OS-000080

Rule Version

RHEL-06-000068

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

The grub boot loader should have password protection enabled to protect boot-time settings. To do so, select a password and then generate a hash from it by running the following command:

# grub-crypt --sha-512

When prompted, enter the password. Then insert the following line into "/boot/grub/grub.conf" or "/boot/efi/EFI/redhat/grub.conf" immediately after the header comments (use the output from "grub-crypt" as the value of [password-hash]):

password --encrypted [password-hash]

Check Contents

To verify the boot loader password has been set and encrypted, run the following command:

# grep password /boot/grub/grub.conf

The output should show the following:

password --encrypted $6$[rest-of-the-password-hash]

If it does not, this is a finding.

If the system uses UEFI, verify the boot loader password has been set and encrypted by running the following command:

# grep password /boot/efi/EFI/redhat/grub.conf
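The grep in the check above also matches commented-out lines and "password" entries that are not SHA-512 hashes, so its output still has to be compared by eye. The shell function below is an added example, not part of the STIG text, that makes that comparison explicit. The function name check_grub_password and the rule that only lines before the first "title" entry count (reflecting the "immediately after the header comments" placement) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not part of the STIG text).
#
# check_grub_password FILE
#   returns 0  FILE has an active 'password --encrypted $6$...' line
#   returns 1  no such line (a finding under RHEL-06-000068)
#   returns 2  FILE cannot be read
check_grub_password() {
    [ -r "$1" ] || return 2
    awk '
        # A commented-out password line does not protect anything,
        # although a plain grep for "password" still prints it.
        $1 ~ /^#/ { next }

        # Assumption of this example: the global section ends at the
        # first "title" entry, so later password lines are not counted.
        $1 == "title" { exit }

        # Required form: password --encrypted $6$<salt>$<hash>
        # ($6$ is the crypt prefix produced by grub-crypt --sha-512).
        $1 == "password" && $2 == "--encrypted" && $3 ~ /^\$6\$/ {
            found = 1
            exit
        }

        END { exit(found ? 0 : 1) }
    ' "$1"
}

# Optional command-line use: pass one or more grub.conf paths, e.g.
#   sh check.sh /boot/grub/grub.conf /boot/efi/EFI/redhat/grub.conf
for f in "$@"; do
    if check_grub_password "$f"; then
        echo "PASS    $f"
    else
        echo "FINDING $f"
    fi
done
```
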

Documentable

False

Check Content Reference

M

Target Key

2367
