Hardening Grub

In accordance with CIS Distribution Independent Linux Benchmark v2.0.0, chapter: 1.4.2

Generate a password hash

# grub-mkpasswd-pbkdf2

Add user and password to grub

# vim /etc/grub.d/40_custom 
exec tail -n +3 $0
# This file provides an easy way to add custom menu entries.  Simply type the
# menu entries you want to add after this comment.  Be careful not to change
# the 'exec tail' line above.

set superusers="abraxas"
password_pbkdf2 abraxas grub.pbkdf2.sha512.10000.171D5F30959A0474C0C85E1912619FA0F059B1ADFDEBE2DF9311FEDF8F45953B159CCC0C4D5AF23A437D967AA492F37B950CEAAA2BAB4E595F1FC14DA.6FD77B05AB3A3055DA834F5AE54AAF9920A1227D1BBC64094E163D24FC25E5C9A8F9C850E90
# chmod +x /etc/grub.d/40_custom

Unrestricted boot

In case you only want password verification when user wants to edit the boot parameters.

On row 34 in /etc/grub.d/10_linux change the following line:

CLASS="--unrestricted --class gnu-linux --class gnu --class os"
# grub-mkconfig -o /boot/grub/grub.cfg
# update-grub