ansible-hardening/doc/metadata/rhel7/V-71961.rst
Major Hayden dccce1d5cc Handle RHEL 7 STIG renumbering
This patch gets the docs adjusted to work with the new RHEL 7 STIG
version 1 release. The new STIG release has changed all of the
numbering, but it maintains a link to (most) of the old STIG IDs in
the XML.

Closes-bug: 1676865
Change-Id: I65023fe63163c9804a3aec9dcdbf23c69bedb604
2017-04-04 07:22:12 -05:00

---
id: V-71961
status: opt-in
tag: misc
---

Although the STIG requires that GRUB 2 asks for a password whenever a user attempts to enter single-user or maintenance mode, this change might be disruptive in an emergency situation. Therefore, this change is not applied by default.

Deployers that wish to opt in for this change should set two Ansible variables:

security_require_grub_authentication: yes
security_grub_password_hash: grub.pbkdf2.sha512.10000.7B21785BEAFEE3AC...

The default password set in the security role is 'secrete', but deployers should set a much more secure password for production environments. Use the grub2-mkpasswd-pbkdf2 command to create a password hash string and use it as the value for the Ansible variable security_grub_password_hash.
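A pre-deployment check for the value of security_grub_password_hash, added here as an example and not part of the ansible-hardening role. It rejects a truncated or malformed string and flags a hash that was derived from the default password 'secrete'. It assumes the string layout printed by grub2-mkpasswd-pbkdf2 (PBKDF2-HMAC-SHA512 with hex-encoded salt and key); the function names and sample inputs are constructed for the illustration.

```python
import hashlib
import hmac
import re

# Layout: grub.pbkdf2.sha512.<iterations>.<salt hex>.<derived key hex>
_GRUB_HASH = re.compile(r"grub\.pbkdf2\.sha512\.(\d+)\.([0-9A-Fa-f]+)\.([0-9A-Fa-f]+)")


def parse_grub_hash(value):
    """Return (iterations, salt, key) or raise ValueError if malformed."""
    match = _GRUB_HASH.fullmatch(value.strip())
    if match is None:
        raise ValueError("not a complete grub.pbkdf2.sha512 hash string")
    iterations = int(match.group(1))
    if iterations < 1:
        raise ValueError("iteration count must be positive")
    # bytes.fromhex raises ValueError on an odd number of hex digits.
    return iterations, bytes.fromhex(match.group(2)), bytes.fromhex(match.group(3))


def make_grub_hash(password, salt, iterations=10000, key_len=64):
    """Build a hash string in the same layout (used here for constructed samples)."""
    key = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations, key_len)
    return "grub.pbkdf2.sha512.%d.%s.%s" % (iterations, salt.hex().upper(), key.hex().upper())


def matches_password(value, candidate):
    """True if the hash string was derived from the candidate password."""
    iterations, salt, key = parse_grub_hash(value)
    derived = hashlib.pbkdf2_hmac("sha512", candidate.encode("utf-8"), salt, iterations, len(key))
    return hmac.compare_digest(derived, key)


def check_grub_hash(value, forbidden=("secrete",)):
    """Return a list of problems; an empty list means the value can be deployed."""
    try:
        parse_grub_hash(value)
    except ValueError as exc:
        return ["malformed hash: %s" % exc]
    return ["hash was derived from known password %r" % p
            for p in forbidden if matches_password(value, p)]


if __name__ == "__main__":
    salt = bytes(range(64))  # constructed salt, for the demonstration only
    for sample in (make_grub_hash("secrete", salt),
                   make_grub_hash("constructed-Passphrase-42", salt),
                   "grub.pbkdf2.sha512.10000.7B21785BEAFEE3AC..."):
        print(sample[:40], check_grub_hash(sample))
```

The third sample is the elided value shown above, which the check reports as malformed, so a placeholder copied from documentation is caught before it reaches a host.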

Warning

This change must be tested in a non-production environment first. Requiring authentication in GRUB 2 without proper communication to users could cause extensive delays in emergency situations.