documentation_complete: true


title: 'Set Boot Loader Password in grub2'

description: |-
    The grub2 boot loader should have a superuser account and password
    protection enabled to protect boot-time settings.
    <br /><br />
    Since plaintext passwords are a security risk, generate a hash for the password
    by running the following command:
    {{% if product in ["sle12", "sle15", "slmicro5", "slmicro6"] or 'ubuntu' in product %}}
    <pre># grub2-mkpasswd-pbkdf2</pre>
    {{% else %}}
    <pre># grub2-setpassword</pre>
    {{% endif %}}
    When prompted, enter the password that was selected.
    <br /><br />
    {{% if product in ["sle12", "sle15", "slmicro5", "slmicro6"] or 'ubuntu' in product %}}
    Using the hash from the output, modify the <tt>/etc/grub.d/40_custom</tt>
    file with the following content:
    <pre>set superusers="boot"
    password_pbkdf2 boot grub.pbkdf2.sha512.VeryLongString
    </pre>
    NOTE: the bootloader superuser account and password MUST differ from the
    root account and password.
    Once the superuser password has been added,
    update the
    <tt>grub.cfg</tt> file by running:
    {{%- if "rhel" in product %}}
    <pre>grub2-mkconfig -o /boot/grub2/grub.cfg</pre>
    {{%- else %}}
    <pre>{{{ grub_command("update") }}}</pre>
    {{%- endif %}}
    {{% endif %}}

rationale: |-
    Password protection on the boot loader configuration ensures
    users with physical access cannot trivially alter
    important bootloader settings. These include which kernel to use,
    and whether to enter single-user mode.

severity: high

identifiers:
    cce@rhel8: CCE-80828-7
    cce@rhel9: CCE-83849-0
    cce@rhel10: CCE-87614-4
    cce@sle12: CCE-83044-8
    cce@sle15: CCE-83274-1
    cce@sle16: CCE-96047-6
    cce@slmicro5: CCE-93778-9
    cce@slmicro6: CCE-94664-0

references:
    cis-csc: 1,11,12,14,15,16,18,3,5
    cis@sle12: 1.5.1
    cis@sle15: 1.5.1
    cobit5: DSS05.02,DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.03,DSS06.06,DSS06.10
    cui: 3.4.5
    hipaa: 164.308(a)(1)(ii)(B),164.308(a)(7)(i),164.308(a)(7)(ii)(A),164.310(a)(1),164.310(a)(2)(i),164.310(a)(2)(ii),164.310(a)(2)(iii),164.310(b),164.310(c),164.310(d)(1),164.310(d)(2)(iii)
    isa-62443-2009: 4.3.3.2.2,4.3.3.5.1,4.3.3.5.2,4.3.3.5.3,4.3.3.5.4,4.3.3.5.5,4.3.3.5.6,4.3.3.5.7,4.3.3.5.8,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.1,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4
    isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.11,SR 1.12,SR 1.13,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.6,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 2.2,SR 2.3,SR 2.4,SR 2.5,SR 2.6,SR 2.7'
    iso27001-2013: A.18.1.4,A.6.1.2,A.7.1.1,A.9.1.2,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.1,A.9.4.2,A.9.4.3,A.9.4.4,A.9.4.5
    nist: CM-6(a)
    nist-csf: PR.AC-1,PR.AC-4,PR.AC-6,PR.AC-7,PR.PT-3
    ospp: FIA_UAU.1
    srg: SRG-OS-000080-GPOS-00048
    stigid@ol7: OL07-00-010482
    stigid@ol8: OL08-00-010150
    stigid@sle12: SLES-12-010430
    stigid@sle15: SLES-15-010190

ocil_clause: 'it does not produce any output'

ocil: |-
    First, check whether the password is defined in either {{{ grub2_boot_path }}}/user.cfg or
    {{{ grub2_boot_path }}}/grub.cfg.
    Run the following commands:
    <pre>$ sudo grep '^[\s]*GRUB2_PASSWORD=grub\.pbkdf2\.sha512.*$' {{{ grub2_boot_path }}}/user.cfg
    $ sudo grep '^[\s]*password_pbkdf2[\s]+.*[\s]+grub\.pbkdf2\.sha512.*$' {{{ grub2_boot_path }}}/grub.cfg
    </pre>

    Second, check that a superuser is defined in {{{ grub2_boot_path }}}/grub.cfg.
    <pre>$ sudo grep '^[\s]*set[\s]+superusers=("?)[a-zA-Z_]+\1$'  {{{ grub2_boot_path }}}/grub.cfg</pre>

warnings:
    - general: |-
        To prevent hard-coded passwords, automatic remediation of this control is not available. Remediation
        must be automated as a component of machine provisioning, or followed manually as outlined above.

        Also, do NOT manually add the superuser account and password to the
        <tt>grub.cfg</tt> file as the grub2-mkconfig command overwrites this file.

platform: not container

fixtext: |-
    Configure {{{ full_name }}} to require a grub bootloader password for the grub superuser account.

    Generate an encrypted grub2 password for the grub superuser account with the following command:

    $ sudo grub2-setpassword
    Enter password:
    Confirm password:

    Edit the /etc/grub.d/40_custom file and add or modify the following lines in the "### BEGIN /etc/grub.d/01_users ###" section:

    set superusers="[someuniquestringhere]"
    export superusers

    Once the superuser account has been added, update the grub.cfg file by running:

    {{%- if "rhel" in product %}}
    <pre>grub2-mkconfig -o /boot/grub2/grub.cfg</pre>
    {{%- else %}}
    <pre>{{{ grub_command("update") }}}</pre>
    {{%- endif %}}

srg_requirement: '{{{ full_name }}} systems booted with a BIOS must require authentication upon booting into single-user and maintenance modes.'