Title

The system must require passwords to change the boot device settings. (SPARC) (Cat III impact)

Discussion

Setting the EEPROM password helps prevent attackers who gain physical access to the system console from booting from an external device (such as a CD-ROM or floppy).

Check Content

This check applies only to SPARC-based systems. This check applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this check applies. Determine if the EEPROM security mode on SPARC-based systems is configured correctly. # eeprom security-mode If the output of this command is not "security-mode=command", this is a finding.

Fix Text

The root role is required. This action applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this action applies. # eeprom security-mode=command After entering the command above, the administrator will be prompted for a password. This password will be required to authorize any future command issued at boot-level on the system (the ok or > prompt) except for the normal multi-user boot command (i.e., the system will be able to reboot unattended). Write down the password and store it in a secure location.

Additional Identifiers

Rule ID: SV-216454r603267_rule

Vulnerability ID: V-216454

Group Title: SRG-OS-000480

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.