Lynis Security Controls

BOOT-5122 - Set boot loader password


By default anyone with physical access to the machine can load alternative software or another operating system during the boot phase. Configure a password in grub to prevent this possibility.



How to solve

The boot loader is started at the beginning of the boot cycle, and enables the user to select what operating system to start. Normally one entry is selected as default, with a timer of a few seconds. When this timer expires, this default entry is selected, trigger the start of the related operating system.

Often the boot loader contains the primary operating system and several fallback options. The same operating system with a previous Linux kernel version is a common option to see in such configuration. Another option is a rescue image, to perform emergency maintenance when the system does not longer boot.

Although a rescue option or fallback version are great during emergency, they can become a weakness. Evildoers with physical access to the system could use this option to reset the root password. Especially for notebooks this is a risk, as it is common that people are in the physical presence of such device. When hosting systems in a shared data center, this could also be a situation in which it makes sense to set a password on the boot loader.

Additional resources

Perform daily health checks of your environment, learn in-depth system hardening, and protect your systems better.

Upgrade to Lynis Enterprise

Linux and Unix System Hardening

This information is provided as part of the Lynis community project. It is related to Lynis control BOOT-5122. All information should be considered as-is, without guarantees. Any advice or snippets should be tested before implementing in production environments.


Lynis is a technical security audit tool for Unix flavors like Linux, macOS, AIX, Solaris, and *BSD. It is open source software and free to use. The project has an active community, including open development via GitHub.

Lynis Enterprise

Need more advanced features, like vulnerability scanning, or reporting installed software packages? Lynis Enterprise will collect more data and present it with an easy to use web interface.

Gain additional benefits: automating security audits, reporting, and the implementation of related security measures.

Lynis Enterprise includes
  • Centralized management
  • Prioritized plans
  • Reporting
  • Dashboards
  • Integration (API)
  • Improvement snippets for tools like Ansible, Chef, Cfengine, Puppet, and SaltStack

Take the Tour