6.17 Secure the GRUB Menu (Intel) - menu.lst perms

Information

GRUB is a boot loader for x64-based systems that permits loading an OS image from any location. Oracle x64 systems support the use of a GRUB menu password for the console.

The flexibility that GRUB provides creates a security risk if its configuration is modified by an unauthorized user. The failsafe menu entry needs to be secured in the same environments that require securing the system firmware to prevent unauthorized boots from removable media. Setting the GRUB menu password helps prevent attackers with physical access to the system console from booting off an external device (such as a CD-ROM or floppy) and subverting the security of the system. The actions described in this section ensure that neither the failsafe entry nor any of the GRUB command-line options can be reached without first entering the password.

Solution

Perform the following to implement the recommended state:
# /boot/grub/bin/grub
grub> md5crypt
Password: [enter desired boot loader password]
Encrypted: [the md5 password string is displayed; record it for the step below]
grub> [enter control-C (^C)]

On Solaris 11 x64 the active menu.lst file is /rpool/boot/grub/menu.lst. First, ensure the menu.lst file can only be read by the root user:
# chmod 600 /rpool/boot/grub/menu.lst

Next, add the following line to the menu.lst file above the entries added by bootadm:
password --md5 [enter md5 password string generated above]

Finally, add the keyword lock to the Solaris failsafe boot entry as in the following example (as well as to any other entries that you want to protect):
title Solaris failsafe
lock
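
The following POSIX shell script is an added compliance check, not part of the CIS benchmark or the Tenable audit text: it verifies the three settings above on a menu.lst (mode 0600, a password --md5 line in the global section before the first title, and the lock keyword on the failsafe entry). The demo file and its hash are constructed placeholders; point check_grub_menu at /rpool/boot/grub/menu.lst to audit a real system.

```shell
#!/bin/sh
# Added compliance check for the menu.lst hardening above (constructed
# example, not Tenable/CIS code). Run against /rpool/boot/grub/menu.lst.

# 0 if FILE's mode is exactly 0600 (owner read/write only). find -perm
# gives an exact-mode match without depending on GNU stat.
menu_perms_ok() {
    [ -n "$(find "$1" -prune -perm 0600 2>/dev/null)" ]
}

# 0 if a "password --md5 $1$..." line appears before the first "title",
# i.e. in the global section, which is where GRUB honours it.
menu_password_ok() {
    awk '
        /^[[:space:]]*title[[:space:]]/ { exit }
        /^[[:space:]]*password[[:space:]]+--md5[[:space:]]+\$1\$/ { found = 1 }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# 0 if the entry whose title contains PATTERN carries the "lock" keyword,
# so it cannot be booted without first entering the menu password.
menu_entry_locked() {
    awk -v want="$2" '
        /^[[:space:]]*title[[:space:]]/ { inwant = (index($0, want) > 0); next }
        inwant && /^[[:space:]]*lock[[:space:]]*$/ { locked = 1 }
        END { exit (locked ? 0 : 1) }
    ' "$1"
}

# Report every failed control; return non-zero if any control failed.
check_grub_menu() {
    rc=0
    menu_perms_ok "$1"    || { echo "FAIL: $1 is not mode 0600"; rc=1; }
    menu_password_ok "$1" || { echo "FAIL: no 'password --md5' before first title"; rc=1; }
    menu_entry_locked "$1" failsafe || { echo "FAIL: failsafe entry lacks 'lock'"; rc=1; }
    [ "$rc" -eq 0 ] && echo "PASS: $1 meets all three controls"
    return "$rc"
}

# Demo on a constructed menu.lst; the hash is a placeholder, not a real one.
demo=$(mktemp -d)
cat > "$demo/menu.lst" <<'EOF'
default 0
password --md5 $1$PLACEHOLDER$xxxxxxxxxxxxxxxxxxxxxx
title Solaris 11 11/11
title Solaris failsafe
lock
EOF
chmod 600 "$demo/menu.lst"
check_grub_menu "$demo/menu.lst"
rm -rf "$demo"
```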

See Also

https://workbench.cisecurity.org/files/611

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-7(9), CSCv6|3.1

Plugin: Unix

Control ID: 249df5592840076b89519d2fb3053188d31e73c6002d77684a5830b7f0b6472a