STIGhubSTIGhub
STIGsRMF ControlsCompare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

  • Browse STIGs
  • Search
  • RMF Controls
  • Compare Versions

Resources

  • About
  • Release Notes
  • VPAT
  • DISA STIG Library
STIGs updated 4 hours ago
Powered by Pylon
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.
← Back to Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide

V-269137

CAT II (Medium)

AlmaLinux OS 9 must require a boot loader password.

Rule ID

SV-269137r1137691_rule

STIG

Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide

Version

V1R6

CCIs

CCI-000213

Discussion

Password protection on the boot loader configuration ensures users with physical access cannot trivially alter important bootloader settings. These include which kernel to use, and whether to enter single-user mode.

Check Content

Verify the boot loader superuser password is required using the following command:

$ grep password /etc/grub2.cfg 

password_pbkdf2  superman   ${GRUB2_PASSWORD}  

Verify the boot loader superuser password has been set and the password is encrypted using the following command:

$ cat /boot/grub2/user.cfg

GRUB2_PASSWORD=grub.pbkdf2.sha512.10000.5766DCE424DCD4F0A2F5AC774C044BE8B904BC
F0022B671CD5E522A3568C599F327EBA3F3F5AB30D69A9B9A4FD172B12435BC10BE0A9B40669FB
A5C5ECBE8D1B.EAC815AE6F8A3F79F800D2EC7F454933BC3D63282532AAB1C487CA25331DD359F
5BF61166EDB53FB33977E982A9F20327D988DA15CBF7E4238357E65C5AEAF3C

If a "GRUB2_PASSWORD" is not set, this is a finding.

Fix Text

Configure AlmaLinux OS 9 to require a grub bootloader password for the grub superuser account.

Generate an encrypted grub2 password for the grub superuser account with the following command:

$ grub2-setpassword
Enter password:
Confirm password: