Check: OL6-00-000068
Oracle Linux 6 STIG: OL6-00-000068 (in versions v2 r7 through v1 r9)
Title
The system boot loader must require authentication. (Cat II impact)
Discussion
Password protection on the boot loader configuration ensures users with physical access cannot trivially alter important bootloader settings. These include which kernel to use, and whether to enter single-user mode.
Check Content
To verify the boot loader password has been set and encrypted, run the following command:

# grep password /boot/grub/grub.conf

The output should show the following:

password --encrypted $6$[rest-of-the-password-hash]

If it does not, this is a finding.
Fix Text
The grub boot loader should have password protection enabled to protect boot-time settings. To do so, select a password and then generate a hash from it by running the following command:

# grub-crypt --sha-512

When prompted, enter the password. Then insert the following line into "/boot/grub/grub.conf" immediately after the header comments (use the output from "grub-crypt" as the value of [password-hash]):

password --encrypted [password-hash]
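A stricter form of the Check Content grep, as an added example that is not part of the STIG: it ignores commented-out directives and accepts only a "password --encrypted $6$..." line. Treating only directives before the first "title" line as valid is an assumption drawn from the Fix Text's placement "immediately after the header comments"; the function name, the verdict words and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the STIG. Prints pass|weak|missing|unreadable and
# returns 0 only for "pass". Default path is the one named in the Check Content.
check_grub_password() {
    conf="${1:-/boot/grub/grub.conf}"
    [ -r "$conf" ] || { echo "unreadable"; return 1; }
    verdict=$(awk '
        $1 ~ /^#/      { next }   # a commented-out directive is not in effect
        $1 == "title"  { exit }   # assumption: only the global section counts
        $1 == "password" {
            if ($2 == "--encrypted" && $3 ~ /^\$6\$./) ok = 1
            else weak = 1         # plaintext, --md5, or non-SHA-512 hash
        }
        END { print (weak ? "weak" : (ok ? "pass" : "missing")) }
    ' "$conf")
    echo "$verdict"
    [ "$verdict" = "pass" ]
}

# Constructed sample: plain "grep password" prints a matching line here,
# but the directive is commented out, so the boot loader is unprotected.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# grub.conf generated by anaconda
#password --encrypted $6$CONSTRUCTEDSALT$CONSTRUCTEDHASH
default=0
timeout=5
title Oracle Linux Server
        root (hd0,0)
        kernel /vmlinuz ro root=/dev/sda1
EOF
if check_grub_password "$sample"; then
    echo "not a finding"
else
    echo "finding"
fi
rm -f "$sample"
```

A verdict of "weak" or "missing" is a finding under this check; "weak" is reported whenever any uncommented password directive in the global section is not a SHA-512 hash.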
Additional Identifiers
Rule ID: SV-208843r793628_rule
Vulnerability ID: V-208843
Group Title: SRG-OS-000080
CCIs
Number | Definition |
---|---|
CCI-000213 | The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies. |
Controls
Number | Title |
---|---|
AC-3 | Access Enforcement |