Authentication to Grub bootloader is not configured
Description
A bootloader (also called a boot program or bootstrap loader) is the program that loads the operating system kernel and starts the boot-time tasks and processes of the computer. GRUB is the bootloader used by most Linux distributions, and its generated configuration file holds the boot menu entries, kernel parameters and, when configured, the password hashes that unlock restricted boot options. The generated configuration is usually named grub.cfg and stored in /boot/grub2/ or /boot/grub/. Without a boot password, anyone with console access can edit a menu entry at the GRUB prompt (for example, append init=/bin/bash or single to the kernel command line) and boot into a root shell without authenticating. It is recommended to configure GRUB to require a password for its command line and menu-entry editing functions so that unauthorized users cannot add or change boot parameters.
Severity
critical
Category
Linux - Grub Hardening
Resolution
Follow the steps below to resolve the misconfiguration.
Create a PBKDF2 password hash with grub-mkpasswd-pbkdf2 (the command is named grub2-mkpasswd-pbkdf2 on RHEL, CentOS and Fedora):
Run the following command to create the hash
grub-mkpasswd-pbkdf2
Enter the password twice and copy the string beginning with grub.pbkdf2.sha512 that is printed at the end of the prompt. Only this hash is stored in the GRUB configuration; the clear-text password is never written to disk.
Add the following content, replacing <username> (a GRUB user name, independent of any Linux account) and <encrypted-password> (the hash copied above), to the /etc/grub.d/grub2_passwd configuration file, and make the file executable with chmod +x, because grub-mkconfig only runs executable files in /etc/grub.d:
#!/bin/sh
cat <<EOF
set superusers="<username>"
password_pbkdf2 <username> <encrypted-password>
EOF
Regenerate grub.cfg so that the new file is included: run grub2-mkconfig -o /boot/grub2/grub.cfg on RHEL, CentOS and Fedora, or update-grub on Debian and Ubuntu. Confirm that the generated grub.cfg now contains the set superusers and password_pbkdf2 lines; until it does, the setting has no effect at the next boot.
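The procedure above, worked through as an added example that is not ManageEngine's or GRUB's own code. It builds the same PBKDF2 hash string that grub-mkpasswd-pbkdf2 prints with its default options (assumed format grub.pbkdf2.sha512.<iterations>.<SALT>.<HASH>, 64-byte salt, 64-byte SHA-512 output, upper-case hex), writes the /etc/grub.d fragment, and audits a generated grub.cfg for the resulting settings, which is the check this page's finding corresponds to. The sample grub.cfg excerpts are constructed for the example; the user name admin and the output path are assumptions, and regenerating grub.cfg with grub2-mkconfig or update-grub is still a step the administrator performs.

```python
#!/usr/bin/env python3
"""Build a GRUB2 PBKDF2 password hash and /etc/grub.d fragment, and audit grub.cfg.

Added example, not ManageEngine's or GRUB's code. Assumes the hash format
grub.pbkdf2.sha512.<iterations>.<SALT>.<HASH> (64-byte salt, 64-byte output,
upper-case hex), which is what grub-mkpasswd-pbkdf2 prints by default.
"""
import hashlib
import hmac
import os
import re

ITERATIONS = 10000  # grub-mkpasswd-pbkdf2 default iteration count (-c)
SALT_LEN = 64       # default salt length in bytes (-s)
OUT_LEN = 64        # default output length in bytes (-l)


def grub_pbkdf2_hash(password, salt=None, iterations=ITERATIONS):
    """Return the hash string in the form grub-mkpasswd-pbkdf2 prints."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations, OUT_LEN)
    return "grub.pbkdf2.sha512.%d.%s.%s" % (iterations, salt.hex().upper(), dk.hex().upper())


_HASH_RE = re.compile(r"^grub\.pbkdf2\.sha512\.(\d+)\.([0-9A-Fa-f]+)\.([0-9A-Fa-f]+)$")


def verify_grub_hash(password, grub_hash):
    """Check a candidate password against a stored hash (constant-time compare)."""
    m = _HASH_RE.match(grub_hash)
    if not m:
        return False
    iterations, salt_hex, dk_hex = int(m.group(1)), m.group(2), m.group(3)
    dk = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), iterations, len(dk_hex) // 2)
    return hmac.compare_digest(dk.hex().upper(), dk_hex.upper())


def grub_d_fragment(username, grub_hash):
    """Script body for /etc/grub.d/<name>: grub-mkconfig runs it and copies its stdout into grub.cfg."""
    return ("#!/bin/sh\n"
            "cat <<EOF\n"
            'set superusers="%s"\n'
            "password_pbkdf2 %s %s\n"
            "EOF\n") % (username, username, grub_hash)


def install_fragment(path, username, grub_hash):
    """Write the fragment and mark it executable; non-executable files in /etc/grub.d are ignored."""
    with open(path, "w") as f:
        f.write(grub_d_fragment(username, grub_hash))
    os.chmod(path, 0o755)
    return path


def audit_grub_cfg(cfg_text):
    """Return (superusers list, {user: hash}) found in a generated grub.cfg."""
    su = re.search(r'^\s*set\s+superusers=(.*?)\s*$', cfg_text, re.M)
    users = dict(re.findall(r'^\s*password_pbkdf2\s+(\S+)\s+(grub\.pbkdf2\.\S+)', cfg_text, re.M))
    superusers = []
    if su:
        # GRUB accepts several separators in the superusers list
        superusers = [u for u in re.split(r'[\s,;|&]+', su.group(1).strip('"\'')) if u]
    return superusers, users


def grub_auth_configured(cfg_text):
    """The check this finding describes: superusers is set and every superuser has a PBKDF2 hash."""
    superusers, users = audit_grub_cfg(cfg_text)
    return bool(superusers) and all(u in users for u in superusers)


# Constructed sample grub.cfg excerpts (not taken from a real system).
SAMPLE_CFG_NO_AUTH = (
    "set timeout=5\n"
    "menuentry 'Linux' --class gnu-linux {\n"
    "    linux /vmlinuz root=/dev/sda1 ro\n"
    "}\n"
)
SAMPLE_HASH = grub_pbkdf2_hash("s3cret", salt=b"\x01" * SALT_LEN)  # fixed salt for reproducibility
SAMPLE_CFG_WITH_AUTH = (
    "set timeout=5\n"
    'set superusers="admin"\n'
    "password_pbkdf2 admin %s\n"
    "menuentry 'Linux' --class gnu-linux --unrestricted {\n"
    "    linux /vmlinuz root=/dev/sda1 ro\n"
    "}\n"
) % SAMPLE_HASH


if __name__ == "__main__":
    import getpass
    h = grub_pbkdf2_hash(getpass.getpass("GRUB password: "))
    # Redirect stdout to /etc/grub.d/grub2_passwd, chmod +x it, then regenerate grub.cfg.
    print(grub_d_fragment("admin", h), end="")
```

Because verify_grub_hash recomputes the PBKDF2 output from the salt and iteration count embedded in the stored string, an auditor can confirm that the hash found in a host's grub.cfg matches the password recorded in the vault without having grub-mkpasswd-pbkdf2 on the scanning machine; grub_auth_configured is the pass/fail condition for the finding itself.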
Potential issues that may arise after applying the resolution
Altering the existing security setting may have the following impact on your network operations. Once superusers is set, GRUB restricts its command line and menu-entry editing to those users, and any menu entry that does not carry the --unrestricted option also requires the superuser password simply to boot. On distributions whose generated menu entries lack --unrestricted, an unattended reboot will stop at the GRUB password prompt until someone enters the password at the console. If routine boots must remain unattended, add --unrestricted to the menu entries (for example through the CLASS variable in /etc/grub.d/10_linux) before regenerating grub.cfg. Keep the GRUB password in a recoverable place: if it is lost, changing boot parameters or reaching the GRUB shell requires booting from rescue media.
Does remediation require reboot?
No
Vulnerability Manager Plus tracks security configurations and remediates misconfigurations in your network systems from a centralized console. View a list of all the security misconfigurations detected by Vulnerability Manager Plus.