STIGQter: STIG Summary: Solaris 10 X86 Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 22 Jan 2021:

The system boot loader must require authentication.

DISA Rule

SV-220124r603266_rule

Vulnerability Number

V-220124

Group Title

SRG-OS-000080

Rule Version

GEN008700

Severity

CAT I

CCI(s)

• CCI-000213 - The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.

Weight

10

Fix Recommendation

The GRUB console boot loader can be configured to use an MD5 encrypted password by adding password --md5 password-hash to the /pool-name/boot/grub/menu.lst or /boot/grub/menu.lst file. Use grub-md5-crypt to generate MD5 passwords from the command line.

Check Contents

This check applies to the global zone only. Determine the type of zone that you are currently securing.

# zonename

If the command output is "global", this check applies.

On systems that have a ZFS root, the active menu.lst file is typically located at /pool-name/boot/grub/menu.lst where "pool-name" is the mount point for the top-level dataset.

On systems that have a UFS root, the active menu.lst file is typically located at /boot/grub/menu.lst. To locate the active GRUB menu, use the bootadm command with the list-menu option:

# bootadm list-menu

Check the menu.lst file for the use of passwords.

Procedure:
# more /pool-name/boot/grub/menu.lst
or
# more /boot/grub/menu.lst

Check for a password configuration line, such as the one below.
password --md5 <password-hash>

This line should be just below the line beginning with "timeout". Please note <password-hash> will be replaced by the actual MD5 encrypted password. If the password line is not in either of the files, this is a finding.

Vulnerability Number

V-220124

Documentable

False

Rule Version

GEN008700

Severity Override Guidance

This check applies to the global zone only. Determine the type of zone that you are currently securing.

# zonename

If the command output is "global", this check applies.

On systems that have a ZFS root, the active menu.lst file is typically located at /pool-name/boot/grub/menu.lst where "pool-name" is the mount point for the top-level dataset.

On systems that have a UFS root, the active menu.lst file is typically located at /boot/grub/menu.lst. To locate the active GRUB menu, use the bootadm command with the list-menu option:

# bootadm list-menu

Check the menu.lst file for the use of passwords.

Procedure:
# more /pool-name/boot/grub/menu.lst
or
# more /boot/grub/menu.lst

Check for a password configuration line, such as the one below.
password --md5 <password-hash>

This line should be just below the line beginning with "timeout". Please note <password-hash> will be replaced by the actual MD5 encrypted password. If the password line is not in either of the files, this is a finding.

Check Content Reference

M

Target Key

4061

Comments