6.17 Secure the GRUB Menu (Intel) - grub2_defs.bios GRUB_TIMEOUT = 30

Information

NOTE: The change to grub2_defs.bios is a result of executing bootadm in the solution.

Solution

Run the following command to generate your password hash:
# /usr/lib/grub2/bios/bin/grub-mkpasswd-pbkdf2
Enter password:
Reenter password:
PBKDF2 hash of your password is <password_hash>

Create the file /usr/lib/grub2/bios/etc/grub.d/01_password with the following contents, substituting the hash generated above for <password_hash>:
#!/bin/sh
/usr/bin/cat > /rpool/boot/grub/password.cfg <<EOF
#
# GRUB password
#
set superusers="root"
password_pbkdf2 root <password_hash>
EOF
/usr/bin/chmod 600 /rpool/boot/grub/password.cfg
/usr/bin/echo 'source /@/boot/grub/password.cfg'

Run the following to finalize the password configuration and set menu timeout:
# /usr/bin/chmod 700 /usr/lib/grub2/bios/etc/grub.d/01_password
# /usr/sbin/bootadm set-menu timeout=30

Changes will take effect on the next reboot.
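
A post-change check for the procedure above, as an added example that is not part of the benchmark or the original page: it confirms the permissions set in the steps and that password.cfg holds a real PBKDF2 hash rather than the literal <password_hash> placeholder. The function names and the constructed sample files are assumptions of this example.

```shell
#!/bin/sh
# Added example: post-change checks for the GRUB password procedure.

# Succeeds if $1 exists and its ls(1) permission string starts with $2.
has_mode() {
    [ -f "$1" ] || return 1
    case $(ls -ld "$1" | awk '{print $1}') in "$2"*) return 0 ;; esac
    return 1
}

# password.cfg: mode 600, a superuser, and a real PBKDF2 hash for that user
# (catches the literal <password_hash> placeholder being left in place).
check_password_cfg() {
    has_mode "$1" "-rw-------" || { echo "FAIL: $1 missing or not mode 600"; return 1; }
    user=$(sed -n 's/^set superusers="\([^"]*\)"$/\1/p' "$1")
    [ -n "$user" ] || { echo "FAIL: no superusers line in $1"; return 1; }
    # grub-mkpasswd-pbkdf2 output: grub.pbkdf2.sha512.<iterations>.<salt>.<hash>
    grep -E "^password_pbkdf2 $user grub\.pbkdf2\.sha512\.[0-9]+\.[0-9A-Fa-f]+\.[0-9A-Fa-f]+\$" \
        "$1" >/dev/null || { echo "FAIL: no PBKDF2 hash for $user in $1"; return 1; }
    echo "PASS: $1"
}

# 01_password: mode 700 and emits the line that sources password.cfg.
check_grub_d_script() {
    has_mode "$1" "-rwx------" || { echo "FAIL: $1 missing or not mode 700"; return 1; }
    grep -F "source /@/boot/grub/password.cfg" "$1" >/dev/null ||
        { echo "FAIL: $1 does not source password.cfg"; return 1; }
    echo "PASS: $1"
}

# Constructed sample (not a real hash): one good file, one with the stub left in.
make_sample() {
    d=$(mktemp -d) || return 1
    printf 'set superusers="root"\npassword_pbkdf2 root %s\n' \
        "grub.pbkdf2.sha512.10000.0A1B2C.3D4E5F" > "$d/good.cfg"
    printf 'set superusers="root"\npassword_pbkdf2 root <password_hash>\n' > "$d/stub.cfg"
    chmod 600 "$d/good.cfg" "$d/stub.cfg"
    echo "$d"
}

# With two arguments, check real files: 01_password path, then password.cfg path.
if [ "$#" -eq 2 ]; then
    check_grub_d_script "$1" && check_password_cfg "$2"
fi
```

Run it as root with the 01_password path and the password.cfg path from this page as its two arguments; without arguments it only defines the functions.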

See Also

https://workbench.cisecurity.org/files/612

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-7(10)

Plugin: Unix

Control ID: 5947ce5dd540e65bd3af057febb7c122ed3edc804006f3a31fe977fc79e4efec