=== modified file 'generic/serverguide/C/security.xml'
--- generic/serverguide/C/security.xml	2010-01-11 02:26:42 +0000
+++ generic/serverguide/C/security.xml	2010-01-12 02:27:42 +0000
@@ -391,7 +391,7 @@
 	  	</listitem>
 	  	<listitem>
 		<para>
-		Add the resulting hash value to the file <filename>/boot/grub/menu.lst</filename> in the following format:
+		Add the resulting hash value to the global section of the file <filename>/boot/grub/menu.lst</filename> in the following format:
 		</para>
 <programlisting>password --md5 $1$s3YiK$M3lxAbqA6JLm2FbDWnClQ0</programlisting>
 	  	</listitem>
@@ -400,6 +400,17 @@
 		To require use of the password for entering single user mode, change the value of the <varname>lockalternative</varname> variable in the file <filename>/boot/grub/menu.lst</filename> to <varname>true</varname>, as shown in the following example.
 		</para>
 <programlisting># lockalternative=true</programlisting>
+		<para>
+		It is important to note that the # symbol is not a comment and should NOT be removed from the beginning of the line above. This is a template string that <application>GRUB</application> understands.  <application>GRUB</application> will add a lock statement to each kernel entry when the command <application>update-grub</application> is run.  This is done automatically when kernel packages are installed and upgraded.  
+		</para>
+		</listitem>
+                <listitem>
+                <para>
+		After modifying <filename>/boot/grub/menu.lst</filename>, you should run the <application>update-grub</application> command to commit your changes.
+		</para>
+<screen>
+<command>sudo update-grub</command>
+</screen>
 		</listitem>
 		</itemizedlist>
 	<note>