So then the description should be updated from
NOTE: It is recommended not to use common administrator account names like
root, admin, or administrator for the grub2 superuser account.
to something like
Do not use root, admin, or administrator for the grub2 superuser account. The
check will
"superusers should be root, admin or administrator"
Are you sure it shouldn't be "superusers should NOT be root, admin or
administrator" ?
I changed mine from "root" to "grub.root",
made sure the full hash was in /etc/grub.d/01_users,
re-ran grub2-mkconfig
and then the oscap scan passed.
Something is very wrong here
[root@jump-linux7 ~]# cat /etc/grub.d/01_users # ORIGINAL
#!/bin/sh -e
cat << EOF
if [ -f \${prefix}/user.cfg ]; then
  source \${prefix}/user.cfg
  if [ -n "\${GRUB2_PASSWORD}" ]; then
    set superusers="root"
    export superusers
    password_pbkdf2 root
Running "grub2-mkconfig -o /boot/grub2/grub.cfg" without making any other
changes made no difference.
Guess I need to tinker with the /etc/grub.d/01_users configuration file.
Dan White | d_e_wh...@icloud.com
“Sometimes I think the surest sign
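
The condition this thread converges on, a superuser name other than root, admin or administrator with a full PBKDF2 hash on the matching password_pbkdf2 line, can be checked locally before rescanning. This is an added example, not code from any poster or from the SCAP content; check_grub_superuser, make_sample and the sample configuration lines are constructed, and the requirement that the hash sit on the line itself is assumed from the report above that the scan passed once the full hash was in 01_users.

```shell
#!/bin/sh
# Added example. check_grub_superuser and make_sample are hypothetical helpers,
# not part of oscap or the SCAP content.

# Prints PASS:<user> or FAIL:<reason> for a generated grub.cfg; returns 0 or 1.
check_grub_superuser() {
    cfg=$1
    # Extract the name from:  set superusers="name"
    user=$(sed -n 's/^[[:space:]]*set[[:space:]]\{1,\}superusers="\([^"]*\)".*/\1/p' "$cfg" | head -n 1)
    if [ -z "$user" ]; then
        echo "FAIL:no superusers line"; return 1
    fi
    case $user in
        root|admin|administrator)
            echo "FAIL:common account name '$user'"; return 1 ;;
    esac
    # The same name must carry a literal PBKDF2 hash. An unexpanded
    # ${GRUB2_PASSWORD}, as the stock 01_users emits, does not count here.
    if awk -v u="$user" '
            $1 == "password_pbkdf2" && $2 == u &&
            index($3, "grub.pbkdf2.sha512.") == 1 { found = 1 }
            END { exit !found }' "$cfg"; then
        echo "PASS:$user"; return 0
    fi
    echo "FAIL:no password_pbkdf2 hash for '$user'"; return 1
}

# Constructed sample: writes a grub.cfg fragment to file $1 for user $2
# with password field $3.
make_sample() {
    printf 'set superusers="%s"\nexport superusers\npassword_pbkdf2 %s %s\n' \
        "$2" "$2" "$3" > "$1"
}

# Demo on constructed input: the stock layout, then the renamed superuser.
tmp=$(mktemp -d)
make_sample "$tmp/stock.cfg" root '${GRUB2_PASSWORD}'
make_sample "$tmp/renamed.cfg" grub.root 'grub.pbkdf2.sha512.10000.SALT-PLACEHOLDER.HASH-PLACEHOLDER'
check_grub_superuser "$tmp/stock.cfg" || true
check_grub_superuser "$tmp/renamed.cfg" || true
rm -rf "$tmp"
```

On a real system, point the function at the file written by grub2-mkconfig, for example /boot/grub2/grub.cfg as used above.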
Scanning some RHEL 7 VMs with the latest/greatest, I am getting a finding
against the Boot Loader Password.
I set it according to this RHEL 7 System Administrator's Guide page and this
Red Hat Solutions page, but the test fails.
Details from the report: