6.17 Secure the GRUB Menu (Intel) - passwd.cfg

Information

GRUB is a boot loader for x64 based systems that permits loading an OS image from any
location. Oracle x64 systems support the use of a GRUB Menu password for the console.

The flexibility that GRUB provides creates a security risk if its configuration is modified by
an unauthorized user. The failsafe menu entry needs to be secured in the same
environments that require securing the systems firmware to avoid unauthorized
removable media boots. Setting the GRUB Menu password helps prevent attackers with
physical access to the system console from booting off some external device (such as a CD-
ROM or floppy) and subverting the security of the system. The actions described in this
section will ensure you cannot get to failsafe or any of the GRUB command line options
without first entering the password.

Solution

Run the following command to generate your password hash-# /usr/lib/grub2/bios/bin/grub-mkpasswd-pbkdf2
Enter password-
Reenter password-
PBKDF2 hash of your password is <password_hash>Create the file /usr/lib/grub2/bios/etc/grub.d/01_password-#!/bin/sh
/usr/bin/cat > /rpool/boot/grub/password.cfg<<EOF
#
# GRUB password
#
set superusers='root'
password_pbkdf2 root <password_hash>
EOF
/usr/bin/chmod 600 /rpool/boot/grub/password.cfg
/usr/bin/echo 'source /@/boot/grub/password.cfg'Run the following to finalize the password configuration and set menu timeout-# /usr/bin/chmod 700 /usr/lib/grub2/bios/etc/grub.d/01_password
# /usr/sbin/bootadm set-menu timeout=30Changes will take effect on the next reboot.
7 User Accounts and EnvironmentThis section provides guidance on setting up secure defaults for system and user accounts
and their environment. Guidance for monitoring these settings and others that may change
over time is provided in the System Maintenance section of this document.

See Also

https://workbench.cisecurity.org/files/616

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-7(9), CSCv6|3.1

Plugin: Unix

Control ID: ed2b22e7738c75e64517554c6164c6add73f5af3f1c99b94257330804f1eb6d6