6.17 Secure the GRUB Menu (Intel) - passwd.cfg - password_pbkdf2

Information

GRUB is a boot loader for x64 based systems that permits loading an OS image from any location. Oracle x64 systems support the use of a GRUB Menu password for the console.

The flexibility that GRUB provides creates a security risk if its configuration is modified by an unauthorized user. The failsafe menu entry needs to be secured in the same environments that require securing the systems firmware to avoid unauthorized removable media boots. Setting the GRUB Menu password helps prevent attackers with physical access to the system console from booting off some external device (such as a CD- ROM or floppy) and subverting the security of the system. The actions described in this section will ensure you cannot get to failsafe or any of the GRUB command line options without first entering the password.

Solution

Run the following command to generate your password hash:
# /usr/lib/grub2/bios/bin/grub-mkpasswd-pbkdf2
Enter password:
Reenter password:
PBKDF2 hash of your password is <password_hash>

Create the file /usr/lib/grub2/bios/etc/grub.d/01_password:
#!/bin/sh
/usr/bin/cat > /rpool/boot/grub/password.cfg <<EOF
#
# GRUB password
#
set superusers="root"
password_pbkdf2 root <password_hash>
EOF
/usr/bin/chmod 600 /rpool/boot/grub/password.cfg
/usr/bin/echo 'source /@/boot/grub/password.cfg'

Run the following to finalize the password configuration and set menu timeout:
# /usr/bin/chmod 700 /usr/lib/grub2/bios/etc/grub.d/01_password
# /usr/sbin/bootadm set-menu timeout=30

Changes will take effect on the next reboot.

See Also

https://workbench.cisecurity.org/files/612

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-7(10)

Plugin: Unix

Control ID: 4a9fb803e7e984ac14f6e66fceab8b517f3cd9899d9945e732668ee2e58a1d27