1.4.1 Ensure bootloader password is set

Information

Setting the boot loader password will require that anyone rebooting the system must enter a password before being able to set command line boot parameters

Requiring a boot password upon execution of the boot loader will prevent an unauthorized user from entering boot parameters or changing the boot partition. This prevents users from weakening security (e.g. turning off AppArmor at boot time).

Solution

Create an encrypted password with grub-mkpasswd-pbkdf2 :

# grub-mkpasswd-pbkdf2 --iteration-count=600000 --salt=64

Enter password: <password>
Reenter password: <password>
PBKDF2 hash of your password is <encrypted-password>

Add the following into a custom /etc/grub.d configuration file:

cat <<EOF
exec tail -n +2 $0
set superusers="<username>"
password_pbkdf2 <username> <encrypted-password>
EOF

The superuser/user information and password should not be contained in the /etc/grub.d/00_header file as this file could be overwritten in a package update.

If there is a requirement to be able to boot/reboot without entering the password, edit /etc/grub.d/10_linux and add --unrestricted to the line CLASS=

Example:

CLASS="--class gnu-linux --class gnu --class os --unrestricted"

Run the following command to update the grub2 configuration:

# update-grub

Impact:

If password protection is enabled, only the designated superuser can edit a GRUB 2 menu item by pressing "e" or access the GRUB 2 command line by pressing "c"

If GRUB 2 is set up to boot automatically to a password-protected menu entry the user has no option to back out of the password prompt to select another menu entry. Holding the SHIFT key will not display the menu in this case. The user must enter the correct username and password. If unable to do so, the configuration files will have to be edited via a LiveCD or other means to fix the problem

You can add --unrestricted to the menu entries to allow the system to boot without entering a password. A password will still be required to edit menu items.

More Information:

https://help.ubuntu.com/community/Grub2/Passwords

See Also

https://workbench.cisecurity.org/benchmarks/18960

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: Unix

Control ID: e4ddc5b43196297c40767cd3df95de4b222d784bc68732f3efdf5665e01ddb02