6.2 Set EEPROM Security Mode and Log Failed Access (SPARC)

Information

Oracle SPARC systems support the use of an EEPROM password for the console.

Rationale:

Setting the EEPROM password helps prevent attackers who gain physical access to the system console from booting from an external device (such as a CD-ROM or floppy).

Impact:

If the EEPROM password is lost or forgotten and the command # eeprom security-mode=none cannot be completed, then the EEPROM must be replaced to gain access to the system.

Solution

Perform the following to implement the recommended state:

# eeprom security-mode=command

# eeprom security-#badlogins=0

After entering the last command above, the administrator will be prompted for a password. This password will be required to authorize any future command issued at boot-level on the system (the ok or > prompt) except for the normal multi-user boot command (i.e., the system will be able to reboot unattended).
Write down the password and store it in a sealed envelope in a secure location (note that locked desk drawers are typically not secure). If the password is lost or forgotten, simply log into the system and run the following command:

# eeprom security-mode=none

This will erase the forgotten password. If the password is lost or forgotten and this action cannot be completed, then the EEPROM must be replaced to gain access to the system.
To set a new password, run the following command:

# eeprom security-mode=command
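
To verify the recommended state after applying the commands above, the following check is an added example and is not part of the benchmark or the audit plugin. It assumes eeprom prints variables as name=value lines; the function names and the sample output are constructed for illustration. It treats a non-zero security-#badlogins as a finding because eeprom(1M) describes that variable as the number of incorrect security password attempts.

```shell
#!/bin/sh
# Added example: audit the two OpenBoot variables set in the Solution above.
# Reads eeprom output ("name=value" lines) on stdin so it can be run against
# saved output; on a live SPARC host use:  eeprom | audit_eeprom

# Print the value of variable $1 found in eeprom-style text $2, or nothing.
eeprom_value() {
    printf '%s\n' "$2" | awk -v name="$1" '
        index($0, name "=") == 1 { print substr($0, length(name) + 2); exit }'
}

# Returns 0 when compliant, 1 on a finding, 2 when security-mode is absent.
audit_eeprom() {
    out=$(cat)
    mode=$(eeprom_value security-mode "$out")
    bad=$(eeprom_value 'security-#badlogins' "$out")
    rc=0
    if [ -z "$mode" ]; then
        echo "UNKNOWN: security-mode not reported (is this a SPARC system?)"
        return 2
    fi
    if [ "$mode" = "command" ]; then
        echo "PASS: security-mode=command"
    else
        echo "FAIL: security-mode=$mode (expected command)"
        rc=1
    fi
    case "$bad" in
        ''|*[!0-9]*) echo "FAIL: security-#badlogins unreadable: '$bad'"; rc=1 ;;
        0) echo "PASS: security-#badlogins=0" ;;
        *) echo "FAIL: security-#badlogins=$bad (failed password attempts at the PROM since the counter was last reset)"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample output, not captured from a real system.
SAMPLE_OK='auto-boot?=true
security-mode=command
security-password: data not available.
security-#badlogins=0'
SAMPLE_BAD='auto-boot?=true
security-mode=none
security-#badlogins=3'
```

A non-zero counter is worth investigating before it is reset with eeprom security-#badlogins=0, since the reset discards the evidence.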

See Also

https://workbench.cisecurity.org/benchmarks/4777

Item Details

Category: CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

References: 800-53|CM-2, 800-53|CM-6, 800-53|CM-7, 800-53|CM-7(1), 800-53|CM-9, 800-53|SA-3, 800-53|SA-8, 800-53|SA-10, CSCv7|5.1

Plugin: Unix

Control ID: 56c10a7fa7cf83af593ae25918864e7b205fcdaad08288c0b48048192821f6a4