CCE
CCE-90923-4

Platform: rhel7, centos7
Date: (C)2017-06-29   (M)2022-10-10



Set Boot Loader Password

The grub2 boot loader should have a superuser account and password protection enabled to protect boot-time settings. To do so, select a superuser account and password and add them to the appropriate grub2 configuration file(s) under '/etc/grub.d'. Since plaintext passwords are a security risk, generate a hash for the password by running the following command:

'$ grub2-mkpasswd-pbkdf2'

When prompted, enter the password that was selected and insert the returned password hash into the appropriate grub2 configuration file(s) under '/etc/grub.d' immediately after the superuser account. (Use the output from 'grub2-mkpasswd-pbkdf2' as the value of


Parameter:


Technical Mechanism:

Password protection on the boot loader configuration ensures users with physical access cannot trivially alter important bootloader settings. These include which kernel to use, and whether to enter single-user mode. For more information on how to configure the grub2 superuser account and password, please refer to https://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/sec-GRUB_2_Password_Protection.html .

Fix: No Remediation Info


References:
Resource Id: Reference
SCAP Repo OVAL Definition: oval:org.secpod.oval:def:30579
SCAP Repo OVAL Definition: oval:org.secpod.oval:def:31302



© SecPod Technologies