6.13 Secure the GRUB Menu - Check if 'lock' command is set after failsafe section

Information

Note: Please ensure 'lock' command is located after 'title Solaris failsafe' in file /boot/grub/menu.lst. Nessus can only verify existence/non-existence of 'lock' command.

GRUB is a boot loader for x86/x64 based systems that permits loading an OS image from any location. Oracle x86 systems support the use of a GRUB Menu password for the console.

Solution

Perform the following to implement the recommended state-
/boot/grub/bin/grub grub> md5crypt Password- [enter desired boot loader password] Encrypted: [enter md5 password string] grub> [enter control-C (^C)]
The actual menu.lst file to be used varies depending upon whether ZFS or UFS is used as the root file system. If a ZFS filesystem is being used, then edit the file /rpool/boot/grub/menu.lst. Otherwise edit the file /boot/grub/menu.lst. Add the following line to the menu.lst file above the entries added by bootadm-
password -md5 [enter md5 password string generated above]
Next, add the keyword lock to the Solaris failsafe boot entry as in the following example: title Solaris failsafe lock
Last, ensure the menu.lst file can only be read by the root user:
(UFS)
chmod 600 /boot/grub/menu.lst (ZFS)
chmod 600 /rpool/boot/grub/menu.lst

See Also

https://workbench.cisecurity.org/files/614

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-7(10)

Plugin: Unix

Control ID: ed132229a00ec594ac03114a5165400c52446f1ee9b8b2bdfda81716e8ae9e9f