====== 1.4.2 Ensure bootloader password is set (Scored) ======
=====Profile Applicability=====  
<code>
Level 1 - Server 
Level 1 - Workstation
</code>
=====Description=====
Setting the boot loader password will require that anyone rebooting the system must enter a password before being able to set command line boot parameters.
=====Rationale=====
Requiring a boot password upon execution of the boot loader will prevent an unauthorized user from entering boot parameters or changing the boot partition. This prevents users from weakening security (e.g. turning off SELinux at boot time).
=====Audit===== 
Run the following commands and verify output matches: 
<Code:bash>
# grep "^set superusers" /boot/grub2/grub.cfg 
set superusers="<username>" 
# grep "^password" /boot/grub2/grub.cfg 
password_pbkdf2 <username> <encrypted-password>
</Code>
=====Remediation===== 
Create an encrypted password with ''grub-mkpasswd-pbkdf2'':
<Code:bash>
# grub2-mkpasswd-pbkdf2 
Enter password: <password> 
Reenter password: <password> 
Your PBKDF2 is <encrypted-password>
</Code>
Add the following into ''/etc/grub.d/01_users'' or a custom ''/etc/grub.d'' configuration file: 
<Code:bash>
cat <<EOF 
set superusers="<username>" 
password_pbkdf2 <username> <encrypted-password> EOF
</Code>
Run the following command to update the ''grub2'' configuration: 
<code:bash>
# grub2-mkconfig > /boot/grub2/grub.cfg
</code>
=====Notes===== 
This recommendation is designed around the grub bootloader, if LILO or another bootloader is in use in your environment enact equivalent settings.