Hi, i came across a section on the CIS guide about red hat.

8.7 Set GRUB Password
Description:
An unprotected GRUB boot loader prompt allows an attacker with physical access to subvert the normal boot process very easily. The action below will allow the system to boot normally, only requiring a password when the anyone attempts to modify the boot process by passing commands to GRUB. Make sure to replace <password> in the actions below with an md5-hashed password (check the man page for /sbin/grub-md5-crypt).
Remediation:
1. Add this line to /etc/grub.conf before the first uncommented line:
password <password>

The guide actually recommend adding the "password <password>" to the /etc/grub.conf. However, i do not understand on how do i get the md5 hashed password to replace the <password>?

sudo grub

at the grub prompt:

grub> md5crypt

Password: ******
Encrypted: $1$jxcdN0$hVHViq1aiPf8FziuGJGZp0
grub> quit

there's your hash.

Dear friend,

please take the following action to set the grub password:--

[root@server ~]# grub-md5-crypt >> /boot/grub/grub.conf

type the password ## these two entries will be not visible
retype the password

[root@server ~]# vi /boot/grub/grub.conf

hiddenmenu

password --md5 < encryptedpasswd > ## add this line here

title Red Hat Enterprise Linux Server (2.6.18-8.el5)

:wq


Thanks & Regards

Narendra Gupta
narendra.server@gmail.com

# If you save the file at this moment without any further edits you would have locked down interactive editing in GRUB. The administrator or in this case you would have to press ‘p’ key and enter the correct password to access these advanced options.
# If in addition you want to lock down specific menu entries so that anyone without the knowledge of the correct password cannot boot into that operating system you should add the word lock all by itself on a separate line just after the title specification for each entry in the menu.