diff --git a/tasks/rhel7stig/auth.yml b/tasks/rhel7stig/auth.yml
index 3687af19..5332079b 100644
--- a/tasks/rhel7stig/auth.yml
+++ b/tasks/rhel7stig/auth.yml
@@ -165,22 +165,25 @@
 # NOTE(mhayden): Some systems, such as ARM, don't have grub at all. This task
 # should be skipped on those systems.
-- name: Check if GRUB defaults file exists
+- name: Check if GRUB2 custom file exists
   stat:
-    path: "{{ grub_defaults_file }}"
-  register: grub_defaults_file_check
+    path: "{{ grub_custom_file }}"
+  register: grub_custom_file_check
   check_mode: no
   tags:
     - always
 - name: Set a GRUB 2 password for single-user/maintenance modes
-  lineinfile:
-    dest: "{{ grub_defaults_file }}"
-    regexp: '^(#)?GRUB_PASSWORD'
-    line: 'GRUB_PASSWORD="{{ security_grub_password_hash }}"'
+  blockinfile:
+    path: "{{ grub_custom_file }}"
+    insertbefore: EOF
+    marker: "# {mark} MANAGED BY ANSIBLE-HARDENING"
+    block: |
+      set superusers="root"
+      password_pbkdf2 root {{ security_grub_password_hash }}
     state: present
   when:
-    - grub_defaults_file_check.stat.exists | bool
+    - grub_custom_file_check.stat.exists | bool
     - security_require_grub_authentication | bool
   notify:
     - update grub config
diff --git a/vars/debian.yml b/vars/debian.yml
index 7a82883d..e89dffc4 100644
--- a/vars/debian.yml
+++ b/vars/debian.yml
@@ -30,7 +30,6 @@ pam_postlogin_file: /etc/pam.d/login
 vsftpd_conf_file: /etc/vsftpd.conf
 grub_conf_file: /boot/grub/grub.cfg
 grub_conf_file_efi: /boot/efi/EFI/ubuntu/grub.cfg
-grub_defaults_file: /etc/default/grub
 aide_cron_job_path: /etc/cron.daily/aide
 aide_database_file: /var/lib/aide/aide.db
 aide_database_out_file: /var/lib/aide/aide.db.new
diff --git a/vars/main.yml b/vars/main.yml
index 08e7edee..ae7ad8aa 100644
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -20,6 +20,9 @@
 # - vars/redhat.yml
 # - vars/ubuntu.yml
+## grub custom configuration
+grub_custom_file: /etc/grub.d/40_custom
 ## auditd configuration
 auditd_config:
   - parameter: disk_full_action
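Review bot: The new blockinfile task writes `security_grub_password_hash` verbatim into the `password_pbkdf2 root …` line with no check on its contents, so an empty or non-PBKDF2 value (the variable's default is not visible in this hunk) yields an unparseable `password_pbkdf2` line while `set superusers="root"` is still emitted, leaving GRUB enforcing authentication with no usable credential; I would gate it with an assert task placed before the blockinfile, as in the excerpt below. Separately, once `superusers` is set only menu entries generated with `--unrestricted` boot without the password — RHEL 7's 10_linux adds that flag, but I believe Debian/Ubuntu's does not — so on those hosts every boot, not just menu editing, would prompt; a task comment such as `# NOTE: with superusers set, menu entries lacking --unrestricted require this password at boot` would save operators a surprise. Finally, /etc/grub.d/40_custom is typically shipped mode 0755, so the PBKDF2 hash now lives in a world-readable file in addition to grub.cfg; the role should document that the hash is offline-crackable and must come from a strong passphrase, or tighten the file's mode.

```yaml
# … unchanged: "Check if GRUB2 custom file exists" stat task …

- name: Verify the configured GRUB password hash is a PBKDF2 hash
  assert:
    that:
      - "security_grub_password_hash | default('') is match('^grub\\.pbkdf2\\.sha512\\.')"
    fail_msg: "security_grub_password_hash must be generated with grub-mkpasswd-pbkdf2 / grub2-mkpasswd-pbkdf2"
  when:
    - security_require_grub_authentication | bool

# … unchanged: "Set a GRUB 2 password for single-user/maintenance modes" blockinfile task …
```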
diff --git a/vars/redhat.yml b/vars/redhat.yml
index 0e1c666f..9949e871 100644
--- a/vars/redhat.yml
+++ b/vars/redhat.yml
@@ -26,7 +26,6 @@ pam_postlogin_file: /etc/pam.d/postlogin
 vsftpd_conf_file: /etc/vsftpd/vsftpd.conf
 grub_conf_file: /boot/grub2/grub.cfg
 grub_conf_file_efi: "/boot/efi/EFI/{{ ansible_distribution | lower | replace(' ', '') }}/grub.cfg"
-grub_defaults_file: /etc/sysconfig/grub
 aide_cron_job_path: /etc/cron.d/aide
 aide_database_file: /var/lib/aide/aide.db.gz
 aide_database_out_file: /var/lib/aide/aide.db.new.gz
diff --git a/vars/suse.yml b/vars/suse.yml
index 0d68027d..f9ec6f35 100644
--- a/vars/suse.yml
+++ b/vars/suse.yml
@@ -28,7 +28,6 @@ grub_conf_file: /boot/grub2/grub.cfg
 # create the EFI distro directory. Since this information is not available on
 # Ansible, we have to improvise a bit...
 grub_conf_file_efi: "{% set os_id = ansible_distribution.split(' ')[0].lower() %}/boot/efi/EFI/{{ (os_id == 'opensuse') | ternary('opensuse','sles') }}/grub.cfg"
-grub_defaults_file: /etc/default/grub
 aide_cron_job_path: /etc/cron.daily/aide
 aide_database_file: /var/lib/aide/aide.db
 aide_database_out_file: /var/lib/aide/aide.db.new