Detections
Analytics
1.4.1 Ensure bootloader password is set
Information
Setting the boot loader password will require that anyone rebooting the system must enter a password before being able to set command line boot parametersRationale:
Requiring a boot password upon execution of the boot loader will prevent an unauthorized user from entering boot parameters or changing the boot partition. This prevents users from weakening security (e.g. turning off SELinux at boot time).
Impact:
If password protection is enabled, only the designated superuser can edit a Grub 2 menu item by pressing 'e' or access the GRUB 2 command line by pressing 'c'
If GRUB 2 is set up to boot automatically to a password-protected menu entry the user has no option to back out of the password prompt to select another menu entry. Holding the SHIFT key will not display the menu in this case. The user must enter the correct username and password. If unable, the configuration files will have to be edited via the LiveCD or other means to fix the problem
You can add --unrestricted to the menu entries to allow the system to boot without entering a password. Password will still be required to edit menu items.
Solution
For newer grub2 based systems (Release 7.2 and newer), create an encrypted password with grub2-setpassword :# grub2-setpassword
Enter password: <password>
Confirm password: <password>
Run the following command to script the grub2 configuration:
#!/usr/bin/env bash
GFCU()
{
grubfile=$(find /boot -type f ( -name 'grubenv' -o -name 'grub.conf' -o -name 'grub.cfg' ) -exec grep -Pl '^h*(kernelopts=|linux|kernel)' {} ;)
grubdir=$(dirname '$grubfile')
grub2-mkconfig -o '$grubdir/grub.cfg'
}
GFCU
OR for older grub2 based systems, create an encrypted password with grub2-mkpasswd-pbkdf2:
# grub2-mkpasswd-pbkdf2
Enter password: <password>
Reenter password: <password>
Your PBKDF2 is <encrypted-password>
Add the following into /etc/grub.d/01_users or a custom /etc/grub.d configuration file:
cat <<EOF
set superusers='<username>'
password_pbkdf2 <username> <encrypted-password>
EOF
Note:
If placing the information in a custom file, do not include the 'cat << EOF' and 'EOF' lines as the content is automatically added from these files
The superuser/user information and password should not be contained in the /etc/grub.d/00_header file. The information can be placed in any /etc/grub.d file as long as that file is incorporated into grub.cfg. It is preferable to enter this data into a custom file, such as /etc/grub.d/40_custom, so it is not overwritten should the Grub package be updated
Run the following command to script the grub2 configuration:
#!/usr/bin/env bash
GFCU()
{
grubfile=$(find /boot -type f ( -name 'grubenv' -o -name 'grub.conf' -o -name 'grub.cfg' ) -exec grep -Pl '^h*(kernelopts=|linux|kernel)' {} ;)
grubdir=$(dirname '$grubfile')
grub2-mkconfig -o '$grubdir/grub.cfg'
}
GFCU
See Also
Item Details
Category: CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION
References: 800-53|CM-2, 800-53|CM-6, 800-53|CM-7, 800-53|CM-7(1), 800-53|CM-9, 800-53|SA-3, 800-53|SA-8, 800-53|SA-10, CSCv7|5.1, Rule-ID|SV-204436r603261_rule, Rule-ID|SV-204438r744095_rule, Rule-ID|SV-204439r603261_rule, Rule-ID|SV-204440r744098_rule
Plugin: Unix
Control ID: 9ab63c843c2f63b46c680dee1f713bc1b2374b4d9c1ef542e1e94de1572c6212