{"description": "The grub2 boot loader should have a superuser account and password\nprotection enabled to protect boot-time settings.\n<br /><br />\nSince plaintext passwords are a security risk, generate a hash for the password\nby running the following command:\n\n<pre># grub2-mkpasswd-pbkdf2</pre>\n\nWhen prompted, enter the password that was selected.\n<br /><br />\n\nUsing the hash from the output, modify the <tt>/etc/grub.d/40_custom</tt>\nfile with the following content:\n<pre>set superusers=\"boot\"\npassword_pbkdf2 boot grub.pbkdf2.sha512.VeryLongString\n</pre>\nNOTE: the bootloader superuser account and password MUST differ from the\nroot account and password.\nOnce the superuser password has been added,\nupdate the\n<tt>grub.cfg</tt> file by running:\n<pre>update-grub </pre>", "rationale": "Password protection on the boot loader configuration ensures\nusers with physical access cannot trivially alter\nimportant bootloader settings. These include which kernel to use,\nand whether to enter single-user mode.", "severity": "high", "references": {"cis-csc": ["11", "12", "14", "15", "16", "18", "3", "5"], "cobit5": ["DSS05.02", "DSS05.04", "DSS05.05", "DSS05.07", "DSS06.03", "DSS06.06"], "cui": ["3.4.5"], "hipaa": ["164.308(a)(1)(ii)(B)", "164.308(a)(7)(i)", "164.308(a)(7)(ii)(A)", "164.310(a)(1)", "164.310(a)(2)(i)", "164.310(a)(2)(ii)", "164.310(a)(2)(iii)", "164.310(b)", "164.310(c)", "164.310(d)(1)", "164.310(d)(2)(iii)"], "isa-62443-2009": ["4.3.3.2.2", "4.3.3.5.1", "4.3.3.5.2", "4.3.3.5.3", "4.3.3.5.4", "4.3.3.5.5", "4.3.3.5.6", "4.3.3.5.7", "4.3.3.5.8", "4.3.3.6.1", "4.3.3.6.2", "4.3.3.6.3", "4.3.3.6.4", "4.3.3.6.5", "4.3.3.6.6", "4.3.3.6.7", "4.3.3.6.8", "4.3.3.6.9", "4.3.3.7.1", "4.3.3.7.2", "4.3.3.7.3", "4.3.3.7.4"], "isa-62443-2013": ["SR 1.1", "SR 1.10", "SR 1.11", "SR 1.12", "SR 1.13", "SR 1.2", "SR 1.3", "SR 1.4", "SR 1.5", "SR 1.6", "SR 1.7", "SR 1.8", "SR 1.9", "SR 2.1", "SR 2.2", "SR 2.3", "SR 2.4", "SR 2.5", "SR 2.6", "SR 2.7"], "iso27001-2013": ["A.6.1.2", "A.7.1.1", "A.9.1.2", "A.9.2.1", "A.9.2.3", "A.9.4.1", "A.9.4.4", "A.9.4.5"], "nist": ["CM-6(a)"], "nist-csf": ["PR.AC-4", "PR.AC-6", "PR.PT-3"], "ospp": ["FIA_UAU.1"], "srg": ["SRG-OS-000080-GPOS-00048"], "anssi": ["R5"], "cis": ["1.4.1"], "stigid": ["UBTU-22-212010"], "stigref": ["SV-260470r958472_rule"]}, "control_references": {"anssi": ["R5"], "cis": ["1.4.1"], "stigid": ["UBTU-22-212010"]}, "components": [], "identifiers": {}, "ocil_clause": "no password is set", "ocil": "To verify the boot loader superuser password has been set, run the following command:\n$ sudo grep \"^[\\s]*GRUB2_PASSWORD=grub\\.pbkdf2\\.sha512.*$\" /boot/grub/user.cfg\nThe output should be similar to:\n<pre>GRUB2_PASSWORD=grub.pbkdf2.sha512.10000.C4E08AC72FBFF7E837FD267BFAD7AEB3D42DDC\n2C99F2A94DD5E2E75C2DC331B719FE55D9411745F82D1B6CFD9E927D61925F9BBDD1CFAA0080E0\n916F7AB46E0D.1302284FCCC52CD73BA3671C6C12C26FF50BA873293B24EE2A96EE3B57963E6D7\n0C83964B473EC8F93B07FE749AA6710269E904A9B08A6BBACB00A2D242AD828</pre>", "oval_external_content": null, "fixtext": "Configure Ubuntu 22.04 to use a secure UEFI boot loader password.\n\nRun the following command:\n$ sudo grub2-setpassword\n\nWhen prompted, enter the password that was selected.\nUsing the hash from the output, modify the \"/etc/grub.d/40_custom\" file with the following content:\nUse a unique account name for the superusers account.\n\nset superusers=\"superusers-account\"\npassword_pbkdf2 superusers-account grub.pbkdf2.sha512.$password_hash\n\nThen, update the grub.cfg file by running:\n<pre>update-grub </pre>", "checktext": "", "vuldiscussion": "", "srg_requirement": "Ubuntu 22.04 systems with United Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user mode and maintenance.", "warnings": [{"general": "To prevent hard-coded passwords, automatic remediation of this control is not available. Remediation\nmust be automated as a component of machine provisioning, or followed manually as outlined above.\n\nAlso, do NOT manually add the superuser account and password to the\n<tt>grub.cfg</tt> file as the grub2-mkconfig command overwrites this file."}], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 Must Enforce Approved Authorizations For Logical Access To Information And System Resources In Accordance With Applicable Access Control Policies.", "vuldiscussion": "Password protection on the boot loader configuration ensures\nusers with physical access cannot trivially alter\nimportant bootloader settings. These include which kernel to use,\nand whether to enter single-user mode.", "checktext": "To verify the boot loader superuser password has been set, run the following\ncommand:\n\n sudo grep \"password\" /etc/grub2-efi.cfg\n\nThe output should show the following:\n password_pbkdf2  superusers-account   ${GRUB2_PASSWORD}\nTo verify the boot loader superuser account password has been set,\nand the password encrypted, run the following command:\n\n sudo cat /boot/grub2/user.cfg\nThe output should be similar to:\n GRUB2_PASSWORD=grub.pbkdf2.sha512.10000.C4E08AC72FBFF7E837FD267BFAD7AEB3D42DDC\n2C99F2A94DD5E2E75C2DC331B719FE55D9411745F82D1B6CFD9E927D61925F9BBDD1CFAA0080E0\n916F7AB46E0D.1302284FCCC52CD73BA3671C6C12C26FF50BA873293B24EE2A96EE3B57963E6D7\n0C83964B473EC8F93B07FE749AA6710269E904A9B08A6BBACB00A2D242AD828\n\nIf it does not, this is a finding."}}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["grub2 and system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["grub2_and_system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Set the UEFI Boot Loader Password", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml", "template": null}