Changing the boot loader configuration

You must update the GRUB2 configuration to set up the non-root boot user for the STIG environment and to make the changes from the hardening script take effect. Update the GRUB2 configuration on the QRadar Console, event processors, and flow processors.

Procedure

  1. Enter the following command to back up the GRUB 2 configuration files:

    tar -cvf /root/grub2backup.tar /etc/grub.d /etc/default/grub /boot/grub2

  2. Create the /boot/grub2/user.cfg file with the GRUB password utility by running the following command, which prompts for the password:
    grub2-setpassword -o /boot/grub2/
  3. Edit /etc/grub.d/10_linux to replace --unrestricted with --users bootuser on the line beginning with CLASS=.
  4. Save the changes and exit.
  5. Edit /etc/grub.d/01_users and add or modify the existing lines to match the following lines.
    set superusers="bootuser"
    export superusers
    password_pbkdf2 bootuser \${GRUB2_PASSWORD}
  6. Run the command grub2-mkconfig -o /boot/grub2/grub.cfg.
    If you are completing a software (non-appliance) installation, the procedure is now complete.
    Important: If you are completing an appliance installation (there is a /recovery partition), follow the instructions from step 7 through step 9 to ensure that the system will boot. If the /recovery partition is not automatically mounted, you must mount it manually.
  7. If the file /recovery/grub2/grub.cfg exists, copy the user file by running the following command:
    cp /boot/grub2/user.cfg /recovery/grub2/
  8. Edit /recovery/grub2/grub.cfg and find the line menuentry "Normal System".
    1. Insert the content of file /boot/grub2/user.cfg on the line before the menuentry "Normal System" line. The result appears similar to the following example (all one line):
      GRUB2_PASSWORD=grub.pbkdf2.sha512.10000.00F025BA99D48B00BCCA5C45F9F3
      0A29AAB2B1B2B6369B3783A948DB117E81CE0A6ADD035CF0C4E2F223455869944B142F41B265C
      59E242E8661B2D0B0CC9D37.871FE29A0318BA50F40C103346EC5DFB5573F141D5D98ABE9B5B9
      85804FF95B2392D5497247F820100212BFF4E3FCA0525FD28A0C60E4E961AE9A94DB0086B3F
    2. On the line after GRUB2_PASSWORD, insert the following lines:
      set superusers="bootuser"
      password_pbkdf2 root ${GRUB2_PASSWORD}
    3. At the end of each menuentry line, before the {, add --users bootuser as shown in the following lines.
      menuentry "Normal System" --users bootuser {

      and

      menuentry "Factory re-install [QRadar <version_number>]" --users bootuser {
  9. If EFI booting is enabled, copy user.cfg to the EFI boot directory by running cp /boot/grub2/user.cfg /boot/efi/EFI/redhat/ and then build the EFI boot configuration by running the following command:
    grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
  10. Save and exit and then restart the system.
    The boot user is bootuser, and the password is the one that you set earlier with grub2-setpassword.
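
A check for the result of steps 2 through 6 (and the EFI copy from step 9), as an added example that is not part of the IBM procedure: it audits a generated grub.cfg and its user.cfg for the settings those steps put in place. The function names and the sample menu entries are constructed for illustration.

```shell
# Added example (not IBM's code): audit a generated grub.cfg for the lockdown
# configured above. Usage: check_grub_lockdown <grub.cfg> <user.cfg> [user]
# Prints one line per finding; returns 0 only when nothing is reported.
check_grub_lockdown() {
  cfg=$1; usercfg=$2; user=${3:-bootuser}; rc=0
  fail() { echo "FAIL: $*"; rc=1; }
  [ -r "$cfg" ] || { echo "FAIL: cannot read $cfg"; return 2; }
  # Step 2: user.cfg must hold a PBKDF2 hash, never a plaintext password.
  if [ ! -r "$usercfg" ]; then
    fail "cannot read $usercfg"
  elif ! grep -q '^GRUB2_PASSWORD=grub\.pbkdf2\.sha512\.' "$usercfg"; then
    fail "$usercfg has no GRUB2_PASSWORD=grub.pbkdf2.sha512... line"
  fi
  # Step 5: the superuser and the password entry must name the same user.
  grep -Eq "^[[:space:]]*set superusers=\"$user\"" "$cfg" ||
    fail "$cfg does not set superusers=\"$user\""
  grep -Eq "^[[:space:]]*password_pbkdf2 $user " "$cfg" ||
    fail "$cfg has no password_pbkdf2 entry for $user"
  # Step 3: no entry may remain bootable without authentication.
  if grep -En '^[[:space:]]*(menuentry|submenu) .*--unrestricted' "$cfg"; then
    fail "entries above are still --unrestricted"
  fi
  if grep -E '^[[:space:]]*menuentry ' "$cfg" |
     grep -Ev -e "--users $user([[:space:]{]|\$)"; then
    fail "menuentry lines above lack --users $user"
  fi
  return $rc
}

# Constructed sample (not from a real system): one entry left unrestricted.
write_sample() {
  printf 'GRUB2_PASSWORD=grub.pbkdf2.sha512.10000.<constructed>\n' > "$1/user.cfg"
  cat > "$1/grub.cfg" <<'EOF'
set superusers="bootuser"
export superusers
password_pbkdf2 bootuser ${GRUB2_PASSWORD}
menuentry 'Linux' --class os --users bootuser {
menuentry 'Linux rescue' --class os --unrestricted {
EOF
}

# Demo on the constructed sample; the unrestricted entry is reported.
demo_dir=$(mktemp -d) && write_sample "$demo_dir" &&
  check_grub_lockdown "$demo_dir/grub.cfg" "$demo_dir/user.cfg" ||
  echo "sample rejected, as expected"
```

On a configured system, run it before the restart in step 10, for example as check_grub_lockdown /boot/grub2/grub.cfg /boot/grub2/user.cfg.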

What to do next

Reboot the appliance and log in.