CCE-95055-0Platform: cpe:/o:ubuntu:ubuntu_linux:22.04, cpe:/o:ubuntu:ubuntu_linux:20.04, cpe:/o:debian:debian_linux:11.x, cpe:/o:ubuntu:ubuntu_linux:23.04 | Date: (C)2020-10-15 (M)2023-09-01 |
Setting the boot loader password will require that anyone rebooting the system must enter a password before being able to set command line boot parameters
Rationale:
Requiring a boot password upon execution of the boot loader will prevent an unauthorized user from entering boot parameters or changing the boot partition. This prevents users from weakening security (e.g. turning off SELinux at boot time).
Fix:
Create an encrypted password with grub-md5-crypt:
# grub-mkpasswd-pbkdf2
Enter password: <password> Reenter password: <password>
Your PBKDF2 is <encrypted-password>
Add the following into /etc/grub.d/00_header or a custom /etc/grub.d configuration file:
cat <<EOF
set superusers=<user-list>
password_pbkdf2 <user> <encrypted-password>
EOF
Unless the -unrestricted option is added to CLASS in /etc/grub.d/10_linux a password will be required to boot in addition to editing boot parameters:
CLASS=-class gnu-linux -class gnu -class os -unrestricted
Run the following to update the grub configuration:
# update-grub
Parameter:
[yes/no]
Technical Mechanism:
Create an encrypted password with grub-md5-crypt:
# grub-mkpasswd-pbkdf2 Enter password: password Reenter password: password
Your PBKDF2 is encrypted-password
Add the following into /etc/grub.d/00_header or a custom /etc/grub.d configuration file:
cat EOF
set superusers= user-list
password_pbkdf2 user encrypted-password
EOF
Unless the -unrestricted option is added to CLASS in /etc/grub.d/10_linux a password will be required to boot in addition to editing boot parameters:
CLASS=-class gnu-linux -class gnu -class os -unrestricted
Run the following to update the grub configuration:
# update-grub
CCSS Severity: | CCSS Metrics: |
CCSS Score : 6.8 | Attack Vector: PHYSICAL |
Exploit Score: 0.9 | Attack Complexity: LOW |
Impact Score: 5.9 | Privileges Required: NONE |
Severity: MEDIUM | User Interaction: NONE |
Vector: AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | Scope: UNCHANGED |
| Confidentiality: HIGH |
| Integrity: HIGH |
| Availability: HIGH |
| |
References: Resource Id | Reference |
---|
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:87285 |
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:92212 |
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:85131 |
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:65930 |