6.15 Secure the GRUB Menu (Intel)

Information

GRUB is a boot loader for x64-based systems that permits loading an OS image from any
location. Oracle x64 systems support the use of a GRUB Menu password for the console.

Rationale:

The flexibility that GRUB provides creates a security risk if its configuration is modified by
an unauthorized user. The failsafe menu entry needs to be secured in the same
environments that require securing the system's firmware to avoid unauthorized
removable media boots. Setting the GRUB Menu password helps prevent attackers with
physical access to the system console from booting off some external device (such as a
CD-ROM or floppy) and subverting the security of the system. The actions described in this
section ensure that neither the failsafe entry nor any of the GRUB command line options can be
reached without first entering the password.

Solution

Run the following command to generate your password hash:

# /usr/lib/grub2/bios/bin/grub-mkpasswd-pbkdf2

Enter password:
Reenter password:
PBKDF2 hash of your password is <password_hash>

Create the file /usr/lib/grub2/bios/etc/grub.d/01_password:

#!/bin/sh
/usr/bin/cat > /rpool/boot/grub/password.cfg<<EOF
#
# GRUB password
#
set superusers="root"
password_pbkdf2 root <password_hash>
EOF
/usr/bin/chmod 600 /rpool/boot/grub/password.cfg
/usr/bin/echo 'source /@/boot/grub/password.cfg'

Run the following to finalize the password configuration and set menu timeout:

# /usr/bin/chmod 700 /usr/lib/grub2/bios/etc/grub.d/01_password

# /usr/sbin/bootadm set-menu timeout=30

Changes will take effect on the next reboot.
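As an added audit check (not part of the benchmark text or of Oracle's tooling), the following script verifies that the configuration above is actually in place: 01_password is mode 700, password.cfg is mode 600 and carries a set superusers line plus a password_pbkdf2 entry whose hash is real grub-mkpasswd-pbkdf2 output rather than the unreplaced <password_hash> placeholder. It assumes ls -ld and mktemp -d are available and that generated hashes begin with grub.pbkdf2.sha512.; the sample hash it builds for the demo is constructed.

```shell
#!/bin/sh
# Added audit helper (not part of the benchmark text): verifies that the GRUB2
# password configuration described in this section is present, protected and
# not left with the <password_hash> placeholder. Default paths are the ones above.

mode_of() { ls -ld "$1" | cut -c1-10; }   # portable mode string, e.g. -rw-------

check_grub_password() {
    script_dir="${1:-/usr/lib/grub2/bios/etc/grub.d}"
    grub_dir="${2:-/rpool/boot/grub}"
    script="$script_dir/01_password"; cfg="$grub_dir/password.cfg"; rc=0

    if [ ! -f "$script" ]; then
        echo "FAIL: $script missing"; rc=1
    elif [ "$(mode_of "$script")" != "-rwx------" ]; then
        echo "FAIL: $script must be mode 700"; rc=1
    fi
    if [ ! -f "$cfg" ]; then
        echo "FAIL: $cfg missing"; return 1
    fi
    if [ "$(mode_of "$cfg")" != "-rw-------" ]; then
        echo "FAIL: $cfg must be mode 600"; rc=1
    fi
    if ! grep -q '^set superusers=' "$cfg"; then
        echo "FAIL: no 'set superusers' line in $cfg"; rc=1
    fi
    # grub-mkpasswd-pbkdf2 output starts with grub.pbkdf2.sha512.; anything else
    # (including a literal <password_hash>) means the template was copied unedited.
    if ! grep -q '^password_pbkdf2 root grub\.pbkdf2\.sha512\.' "$cfg"; then
        echo "FAIL: password_pbkdf2 line missing or hash placeholder not replaced"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo "PASS: GRUB menu password is configured"; fi
    return "$rc"
}

# Builds a constructed sample layout under $1 with hash $2, for offline testing only.
make_sample() {
    mkdir -p "$1/grub.d" "$1/grub"
    printf '#!/bin/sh\n' > "$1/grub.d/01_password"; chmod 700 "$1/grub.d/01_password"
    printf 'set superusers="root"\npassword_pbkdf2 root %s\n' "$2" > "$1/grub/password.cfg"
    chmod 600 "$1/grub/password.cfg"
}

case "${1:-demo}" in
    audit) check_grub_password ;;                     # check the live system paths
    demo)  d=$(mktemp -d)                             # run against a constructed sample
           make_sample "$d" 'grub.pbkdf2.sha512.10000.CONSTRUCTED_SALT.CONSTRUCTED_HASH'
           check_grub_password "$d/grub.d" "$d/grub"; rm -rf "$d" ;;
esac
```

Run it with the argument audit on the target system to check the live paths; with no argument it only exercises the constructed sample.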

See Also

https://workbench.cisecurity.org/files/2582