{"description": "The grub2 boot loader should have a superuser account and password\nprotection enabled to protect boot-time settings.\n

\nSince plaintext passwords are a security risk, generate a hash for the password\nby running the following command:\n\n
# grub2-mkpasswd-pbkdf2
\n\nWhen prompted, enter the password that was selected.\n

\n\nUsing the hash from the output, modify the /etc/grub.d/40_custom\nfile with the following content:\n
set superusers=\"boot\"\npassword_pbkdf2 boot grub.pbkdf2.sha512.VeryLongString\n
\nNOTE: the bootloader superuser account and password MUST differ from the\nroot account and password.\nOnce the superuser password has been added,\nupdate the\ngrub.cfg file by running:\n
update-grub
", "rationale": "Password protection on the boot loader configuration ensures\nusers with physical access cannot trivially alter\nimportant bootloader settings. These include which kernel to use,\nand whether to enter single-user mode.", "severity": "high", "references": {"cis-csc": ["1", "11", "12", "14", "15", "16", "18", "3", "5"], "cobit5": ["DSS05.02", "DSS05.04", "DSS05.05", "DSS05.07", "DSS05.10", "DSS06.03", "DSS06.06", "DSS06.10"], "cui": ["3.4.5"], "hipaa": ["164.308(a)(1)(ii)(B)", "164.308(a)(7)(i)", "164.308(a)(7)(ii)(A)", "164.310(a)(1)", "164.310(a)(2)(i)", "164.310(a)(2)(ii)", "164.310(a)(2)(iii)", "164.310(b)", "164.310(c)", "164.310(d)(1)", "164.310(d)(2)(iii)"], "isa-62443-2009": ["4.3.3.2.2", "4.3.3.5.1", "4.3.3.5.2", "4.3.3.5.3", "4.3.3.5.4", "4.3.3.5.5", "4.3.3.5.6", "4.3.3.5.7", "4.3.3.5.8", "4.3.3.6.1", "4.3.3.6.2", "4.3.3.6.3", "4.3.3.6.4", "4.3.3.6.5", "4.3.3.6.6", "4.3.3.6.7", "4.3.3.6.8", "4.3.3.6.9", "4.3.3.7.1", "4.3.3.7.2", "4.3.3.7.3", "4.3.3.7.4"], "isa-62443-2013": ["SR 1.1", "SR 1.10", "SR 1.11", "SR 1.12", "SR 1.13", "SR 1.2", "SR 1.3", "SR 1.4", "SR 1.5", "SR 1.6", "SR 1.7", "SR 1.8", "SR 1.9", "SR 2.1", "SR 2.2", "SR 2.3", "SR 2.4", "SR 2.5", "SR 2.6", "SR 2.7"], "iso27001-2013": ["A.18.1.4", "A.6.1.2", "A.7.1.1", "A.9.1.2", "A.9.2.1", "A.9.2.2", "A.9.2.3", "A.9.2.4", "A.9.2.6", "A.9.3.1", "A.9.4.1", "A.9.4.2", "A.9.4.3", "A.9.4.4", "A.9.4.5"], "nist": ["CM-6(a)"], "nist-csf": ["PR.AC-1", "PR.AC-4", "PR.AC-6", "PR.AC-7", "PR.PT-3"], "ospp": ["FIA_UAU.1"], "srg": ["SRG-OS-000080-GPOS-00048"], "anssi": ["R5"], "cis": ["1.4.1"], "stigid": ["UBTU-22-212010"], "stigref": ["SV-260470r958472_rule"]}, "control_references": {"anssi": ["R5"], "cis": ["1.4.1"], "stigid": ["UBTU-22-212010"]}, "components": [], "identifiers": {}, "ocil_clause": "it does not produce any output", "ocil": "First, check whether the password is defined in either /boot/grub/user.cfg or\n/boot/grub/grub.cfg.\nRun the following commands:\n
$ sudo grep '^[\\s]*GRUB2_PASSWORD=grub\\.pbkdf2\\.sha512.*$' /boot/grub/user.cfg\n$ sudo grep '^[\\s]*password_pbkdf2[\\s]+.*[\\s]+grub\\.pbkdf2\\.sha512.*$' /boot/grub/grub.cfg\n
\n\nSecond, check that a superuser is defined in /boot/grub/grub.cfg.\n
$ sudo grep '^[\\s]*set[\\s]+superusers=(\"?)[a-zA-Z_]+\\1$'  /boot/grub/grub.cfg
", "oval_external_content": null, "fixtext": "Configure Ubuntu 22.04 to require a grub bootloader password for the grub superuser account.\n\nGenerate an encrypted grub2 password for the grub superuser account with the following command:\n\n$ sudo grub2-setpassword\nEnter password:\nConfirm password:\n\nEdit the /etc/grub.d/40_custom file and add or modify the following lines in the \"### BEGIN /etc/grub.d/01_users ###\" section:\n\nset superusers=\"[someuniquestringhere]\"\nexport superusers\n\nOnce the superuser account has been added, update the grub.cfg file by running:\n
update-grub
", "checktext": "", "vuldiscussion": "", "srg_requirement": "Ubuntu 22.04 systems booted with a BIOS must require authentication upon booting into single-user and maintenance modes.", "warnings": [{"general": "To prevent hard-coded passwords, automatic remediation of this control is not available. Remediation\nmust be automated as a component of machine provisioning, or followed manually as outlined above.\n\nAlso, do NOT manually add the superuser account and password to the\ngrub.cfg file as the grub2-mkconfig command overwrites this file."}], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 must require a boot loader superuser password.", "vuldiscussion": "To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DOD-approved PKIs, all DOD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement.\n\nPassword protection on the boot loader configuration ensures users with physical access cannot trivially alter important bootloader settings. These include which kernel to use, and whether to enter single-user mode.", "checktext": "Verify the boot loader superuser password has been set with the following command:\n\n$ sudo grep password_pbkdf2 /etc/grub2.cfg\n\npassword_pbkdf2 <superusers-accountname> ${GRUB2_PASSWORD}\n\nTo verify the boot loader superuser account password has been set and the password encrypted, run the following command:\n\n$ sudo cat /boot/grub2/user.cfg\n\nGRUB2_PASSWORD=grub.pbkdf2.sha512.10000.C4E08AC72FBFF7E837FD267BFAD7AEB3D42DDC\n2C99F2A94DD5E2E75C2DC331B719FE55D9411745F82D1B6CFD9E927D61925F9BBDD1CFAA0080E0\n916F7AB46E0D.1302284FCCC52CD73BA3671C6C12C26FF50BA873293B24EE2A96EE3B57963E6D7\n0C83964B473EC8F93B07FE749AA6710269E904A9B08A6BBACB00A2D242AD828\n\nIf a \"GRUB2_PASSWORD\" is not set, this is a finding.", "fixtext": "Configure Ubuntu 22.04 to require a grub bootloader password for the grub superuser account.\n\nGenerate an encrypted grub2 password for the grub superuser account with the following command:\n\n$ sudo grub2-setpassword\nEnter password:\nConfirm password:"}}, "platform": "not container", "platforms": ["not container"], "sce_metadata": {}, "inherited_platforms": ["grub2 and system_with_kernel"], "cpe_platform_names": ["not_container"], "inherited_cpe_platform_names": ["grub2_and_system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Set Boot Loader Password in grub2", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml", "template": null}