Ever since the introduction of Red Hat/CentOS 7.2, setting a GRUB 2 password to prevent kernel parameter edits is easy. All you have to do is to run one command and choose a password:

[donnie@localhost ~]$ sudo grub2-setpassword

[sudo] password for donnie:
Enter password:
Confirm password:
[donnie@localhost ~]$

That's all there is to it. The password hash will be stored in the /boot/grub2/user.cfg file.

Now, when you reboot the machine and try to do a kernel parameter edit, you'll be prompted to enter a username and password:

Note that you'll enter root as the username, even if the root user's password hasn't been set on the system. The root user, in this case, is just the superuser for GRUB 2.