AlmaLinux OS 9 must require a boot loader password.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
---|---|---|---|---|---|---|
medium | V-269137 | SRG-OS-000080-GPOS-00048 | ALMA-09-006290 | SV-269137r1050019_rule | 2025-02-20 | 1 |
Description |
---|
Password protection on the boot loader configuration ensures users with physical access cannot trivially alter important bootloader settings. These include which kernel to use, and whether to enter single-user mode. |
ℹ️ Check |
---|
Verify the boot loader superuser password is required using the following command: `$ grep password /etc/grub2.cfg` Expected output: `password_pbkdf2 superman ${GRUB2_PASSWORD}` Verify the boot loader superuser password has been set and the password is encrypted using the following command: `$ cat /boot/grub2/user.cfg` Expected output: `GRUB2_PASSWORD=grub.pbkdf2.sha512.10000.5766DCE424DCD4F0A2F5AC774C044BE8B904BCF0022B671CD5E522A3568C599F327EBA3F3F5AB30D69A9B9A4FD172B12435BC10BE0A9B40669FBA5C5ECBE8D1B.EAC815AE6F8A3F79F800D2EC7F454933BC3D63282532AAB1C487CA25331DD359F5BF61166EDB53FB33977E982A9F20327D988DA15CBF7E4238357E65C5AEAF3C` If a "GRUB2_PASSWORD" is not set, this is a finding. |
✔️ Fix |
---|
Configure AlmaLinux OS 9 to require a grub bootloader password for the grub superuser account. Generate an encrypted grub2 password for the grub superuser account with the following command: `$ grub2-setpassword` The command prompts: `Enter password:` `Confirm password:` |
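
The two check steps above, scripted as an added example (not part of the STIG text). The function name, the return codes, the `--live` and `--demo` switches and the fixture values are assumptions of this example; the default paths are the ones named in the check.

```shell
#!/bin/sh
# Added example: automates both check steps for ALMA-09-006290.
# Return codes are this script's own convention: 0 = pass, 1-3 = finding.

check_grub_password() {
    grub_cfg="${1:-/etc/grub2.cfg}"          # default paths come from the check text
    user_cfg="${2:-/boot/grub2/user.cfg}"
    # Uncommented directive binding a superuser name to ${GRUB2_PASSWORD}
    directive_re='^[[:space:]]*password_pbkdf2[[:space:]]+[^[:space:]]+[[:space:]]+\$\{GRUB2_PASSWORD\}'
    # grub.pbkdf2.sha512.<iterations>.<salt hex>.<hash hex>
    hash_re='^GRUB2_PASSWORD=grub\.pbkdf2\.sha512\.[0-9]+\.[0-9A-Fa-f]+\.[0-9A-Fa-f]+$'

    if ! grep -Eq "$directive_re" "$grub_cfg" 2>/dev/null; then
        echo "FINDING: no password_pbkdf2 directive in $grub_cfg"
        return 1
    fi
    # A missing or unreadable user.cfg is treated the same as "not set"
    if ! grep -Eq '^GRUB2_PASSWORD=.+' "$user_cfg" 2>/dev/null; then
        echo "FINDING: GRUB2_PASSWORD is not set in $user_cfg"
        return 2
    fi
    # Set, but not in the hashed form that grub2-setpassword writes
    if ! grep -Eq "$hash_re" "$user_cfg"; then
        echo "FINDING: GRUB2_PASSWORD in $user_cfg is not a PBKDF2-SHA512 hash"
        return 3
    fi
    echo "PASS: boot loader superuser password is required and hashed"
    return 0
}

# Offline run against constructed fixtures (the hash value is made up)
demo() {
    d=$(mktemp -d)
    printf '  password_pbkdf2 root ${GRUB2_PASSWORD}\n' > "$d/grub.cfg"
    printf 'GRUB2_PASSWORD=grub.pbkdf2.sha512.10000.0A1B2C.3D4E5F\n' > "$d/good.cfg"
    printf 'GRUB2_PASSWORD=plaintext\n' > "$d/bad.cfg"
    check_grub_password "$d/grub.cfg" "$d/good.cfg"
    check_grub_password "$d/grub.cfg" "$d/bad.cfg"
    rm -rf "$d"
}

case "${1:-}" in
    --live) check_grub_password ;;   # reading user.cfg normally requires root
    --demo) demo ;;
esac
```

A return code of 3 covers a case the manual `cat` check leaves to the reviewer's eye: `GRUB2_PASSWORD` is present but does not hold a `grub.pbkdf2.sha512` hash.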