Rules Related To 'grub2'

Component overview

Relevant packages:

Relevant groups:

Changelog:

No changes recorded.

Relevant rules:

Rule details

Enable Kernel Page-Table Isolation (KPTI)

coreos_pti_kernel_argument

Description

To enable Kernel page-table isolation, add the argument pti=on to all BLS (Boot Loader Specification) entries ('options' line) for the Linux operating system in /boot/loader/entries/*.conf.

Rationale

Kernel page-table isolation is a kernel feature that mitigates the Meltdown security vulnerability and hardens the kernel against attempts to bypass kernel address space layout randomization (KASLR).

Disable vsyscalls

coreos_vsyscall_kernel_argument

Description

To disable use of virtual syscalls, add the argument vsyscall=none to all BLS (Boot Loader Specification) entries ('options' line) for the Linux operating system in /boot/loader/entries/*.conf.

Rationale

Virtual Syscalls provide an opportunity of attack for a user who has control of the return instruction pointer.

Verify the UEFI Boot Loader grub.cfg Group Ownership

file_groupowner_efi_grub2_cfg

Description

The file /boot/grub2/grub.cfg should be group-owned by the root group to prevent destruction or modification of the file. To properly set the group owner of /boot/grub2/grub.cfg, run the command:

$ sudo chgrp root /boot/grub2/grub.cfg

Rationale

The root group is a highly-privileged group. Furthermore, the group-owner of this file should not have any access privileges anyway.

Verify /boot/grub2/user.cfg Group Ownership

file_groupowner_efi_user_cfg

Description

The file /boot/grub2/user.cfg should be group-owned by the root group to prevent reading or modification of the file. To properly set the group owner of /boot/grub2/user.cfg, run the command:

$ sudo chgrp root /boot/grub2/user.cfg

Rationale

The root group is a highly-privileged group. Furthermore, the group-owner of this file should not have any access privileges anyway. Non-root users who read the boot parameters may be able to identify weaknesses in security upon boot and be able to exploit them.

Verify /boot/grub2/grub.cfg Group Ownership

file_groupowner_grub2_cfg

Description

The file /boot/grub2/grub.cfg should be group-owned by the root group to prevent destruction or modification of the file. To properly set the group owner of /boot/grub2/grub.cfg, run the command:

$ sudo chgrp root /boot/grub2/grub.cfg

Rationale

The root group is a highly-privileged group. Furthermore, the group-owner of this file should not have any access privileges anyway.

Verify /boot/grub2/user.cfg Group Ownership

file_groupowner_user_cfg

Description

The file /boot/grub2/user.cfg should be group-owned by the root group to prevent reading or modification of the file. To properly set the group owner of /boot/grub2/user.cfg, run the command:

$ sudo chgrp root /boot/grub2/user.cfg

Rationale

The root group is a highly-privileged group. Furthermore, the group-owner of this file should not have any access privileges anyway. Non-root users who read the boot parameters may be able to identify weaknesses in security upon boot and be able to exploit them.

Verify the UEFI Boot Loader grub.cfg User Ownership

file_owner_efi_grub2_cfg

Description

The file /boot/grub2/grub.cfg should be owned by the root user to prevent destruction or modification of the file. To properly set the owner of /boot/grub2/grub.cfg, run the command:

$ sudo chown root /boot/grub2/grub.cfg 

Rationale

Only root should be able to modify important boot parameters.

Verify /boot/grub2/user.cfg User Ownership

file_owner_efi_user_cfg

Description

The file /boot/grub2/user.cfg should be owned by the root user to prevent reading or modification of the file. To properly set the owner of /boot/grub2/user.cfg, run the command:

$ sudo chown root /boot/grub2/user.cfg 

Rationale

Only root should be able to modify important boot parameters. Also, non-root users who read the boot parameters may be able to identify weaknesses in security upon boot and be able to exploit them.

Verify /boot/grub2/grub.cfg User Ownership

file_owner_grub2_cfg

Description

The file /boot/grub2/grub.cfg should be owned by the root user to prevent destruction or modification of the file. To properly set the owner of /boot/grub2/grub.cfg, run the command:

$ sudo chown root /boot/grub2/grub.cfg 

Rationale

Only root should be able to modify important boot parameters.

Verify /boot/grub2/user.cfg User Ownership

file_owner_user_cfg

Description

The file /boot/grub2/user.cfg should be owned by the root user to prevent reading or modification of the file. To properly set the owner of /boot/grub2/user.cfg, run the command:

$ sudo chown root /boot/grub2/user.cfg 

Rationale

Only root should be able to modify important boot parameters. Also, non-root users who read the boot parameters may be able to identify weaknesses in security upon boot and be able to exploit them.

Verify the UEFI Boot Loader grub.cfg Permissions

file_permissions_efi_grub2_cfg

Description

File permissions for /boot/grub2/grub.cfg should be set to 700. To properly set the permissions of /boot/grub2/grub.cfg, run the command:

$ sudo chmod 700 /boot/grub2/grub.cfg

Rationale

Proper permissions ensure that only the root user can modify important boot parameters.

Verify /boot/grub2/user.cfg Permissions

file_permissions_efi_user_cfg

Description

File permissions for /boot/grub2/user.cfg should be set to 600. To properly set the permissions of /boot/grub2/user.cfg, run the command:

$ sudo chmod 600 /boot/grub2/user.cfg

Rationale

Proper permissions ensure that only the root user can read or modify important boot parameters.

Verify /boot/grub2/grub.cfg Permissions

file_permissions_grub2_cfg

Description

File permissions for /boot/grub2/grub.cfg should be set to 600. To properly set the permissions of /boot/grub2/grub.cfg, run the command:

$ sudo chmod 600 /boot/grub2/grub.cfg

Rationale

Proper permissions ensure that only the root user can modify important boot parameters.

Verify /boot/grub2/user.cfg Permissions

file_permissions_user_cfg

Description

File permissions for /boot/grub2/user.cfg should be set to 600. To properly set the permissions of /boot/grub2/user.cfg, run the command:

$ sudo chmod 600 /boot/grub2/user.cfg

Rationale

Proper permissions ensure that only the root user can read or modify important boot parameters.

Set the Boot Loader Admin Username to a Non-Default Value

grub2_admin_username

Description

The grub2 boot loader should have a superuser account and password protection enabled to protect boot-time settings.

To maximize the protection, select a password-protected superuser account with unique name, and modify the /etc/grub.d/01_users configuration file to reflect the account name change.

Do not to use common administrator account names like root, admin, or administrator for the grub2 superuser account.

Change the superuser to a different username (The default is 'root').

$ sed -i 's/\(set superusers=\).*/\1"<unique user ID>"/g' /etc/grub.d/01_users


Once the superuser account has been added, update the grub.cfg file by running:
grubby --update-kernel=ALL

Rationale

Having a non-default grub superuser username makes password-guessing attacks less effective.

Enable Auditing for Processes Which Start Prior to the Audit Daemon

grub2_audit_argument

Description

To ensure all processes can be audited, even those which start prior to the audit daemon, add the argument audit=1 to the default GRUB 2 command line for the Linux operating system. Configure the default Grub2 kernel command line to contain audit=1 as follows:

# grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) audit=1"

Rationale

Each process on the system carries an "auditable" flag which indicates whether its activities can be audited. Although auditd takes care of enabling this for all processes which launch after it does, adding the kernel argument ensures it is set for every process during boot.

Extend Audit Backlog Limit for the Audit Daemon

grub2_audit_backlog_limit_argument

Description

To improve the kernel capacity to queue all log events, even those which occurred prior to the audit daemon, add the argument audit_backlog_limit=8192 to the default GRUB 2 command line for the Linux operating system. Configure the default Grub2 kernel command line to contain audit_backlog_limit=8192 as follows:

# grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) audit_backlog_limit=8192"

Rationale

audit_backlog_limit sets the queue length for audit events awaiting transfer to the audit daemon. Until the audit daemon is up and running, all log messages are stored in this queue. If the queue is overrun during boot process, the action defined by audit failure flag is taken.

Verify that Interactive Boot is Disabled

grub2_disable_interactive_boot

Description

Amazon Linux 2023 systems support an "interactive boot" option that can be used to prevent services from being started. On a Amazon Linux 2023 system, interactive boot can be enabled by providing a 1, yes, true, or on value to the systemd.confirm_spawn kernel argument in /etc/default/grub. Remove any instance of

systemd.confirm_spawn=(1|yes|true|on)
from the kernel arguments in that file to disable interactive boot. Recovery booting must also be disabled. Confirm that GRUB_DISABLE_RECOVERY=true is set in /etc/default/grub. It is also required to change the runtime configuration, run:
/sbin/grubby --update-kernel=ALL --remove-args="systemd.confirm_spawn"
grub2-mkconfig -o /boot/grub2/grub.cfg

Rationale

Using interactive or recovery boot, the console user could disable auditing, firewalls, or other services, weakening system security.

Disable Recovery Booting

grub2_disable_recovery

Description

Amazon Linux 2023 systems support an "recovery boot" option that can be used to prevent services from being started. The GRUB_DISABLE_RECOVERY configuration option in /etc/default/grub should be set to true to disable the generation of recovery mode menu entries. It is also required to change the runtime configuration, run:

$ sudo grubby --update-kernel=ALL

Rationale

Using recovery boot, the console user could disable auditing, firewalls, or other services, weakening system security.

Ensure AppArmor is enabled in the bootloader configuration

grub2_enable_apparmor

Description

Configure AppArmor to be enabled at boot time and verify that it has not been overwritten by the bootloader boot parameters. Note: This recommendation is designed around the grub bootloader, if LILO or another bootloader is in use in your environment, enact equivalent settings.

Rationale

AppArmor must be enabled at boot time in your bootloader configuration to ensure that the controls it provides are not overridden.

Enable FIPS Mode in GRUB2

grub2_enable_fips_mode

Description

To ensure FIPS mode is enabled, install package dracut-fips, and rebuild initramfs by running the following commands:

$ sudo dnf install dracut-fips
dracut -f
After the dracut command has been run, add the argument fips=1 to the default GRUB 2 command line for the Linux operating system in /etc/default/grub, in the manner below:
GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=VolGroup/LogVol06 rd.lvm.lv=VolGroup/lv_swap rhgb quiet rd.shell=0 fips=1"
Finally, rebuild the grub.cfg file by using the
grub2-mkconfig -o
command as follows:

Rationale

Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.

IOMMU configuration directive

grub2_enable_iommu_force

Description

On x86 architecture supporting VT-d, the IOMMU manages the access control policy between the hardware devices and some of the system critical units such as the memory. Configure the default Grub2 kernel command line to contain iommu=force as follows:

# grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) iommu=force"

Rationale

On x86 architectures, activating the I/OMMU prevents the system from arbitrary accesses potentially made by hardware devices.

Ensure SELinux Not Disabled in /etc/default/grub

grub2_enable_selinux

Description

SELinux can be disabled at boot time by an argument in /etc/default/grub. Remove any instances of selinux=0 from the kernel arguments in that file to prevent SELinux from being disabled at boot.

Rationale

Disabling a major host protection feature, such as SELinux, at boot time prevents it from confining system services at boot time. Further, it increases the chances that it will remain off during system operation.

Configure kernel to zero out memory before allocation

grub2_init_on_alloc_argument

Description

To configure the kernel to zero out memory before allocating it, add the init_on_alloc=1 argument to the default GRUB 2 command line. Configure the default Grub2 kernel command line to contain init_on_alloc=1 as follows:

# grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) init_on_alloc=1"

Rationale

When the kernel configuration option init_on_alloc is enabled, all page allocator and slab allocator memory will be zeroed when allocated, eliminating many kinds of "uninitialized heap memory" flaws, effectively preventing data leaks.

Ensure IPv6 is disabled through kernel boot parameter

grub2_ipv6_disable_argument

Description

To disable IPv6 protocol support in the Linux kernel, add the argument ipv6.disable=1 to the default GRUB2 command line for the Linux operating system. Configure the default Grub2 kernel command line to contain ipv6.disable=1 as follows:

# grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) ipv6.disable=1"

Rationale

Any unnecessary network stacks, including IPv6, should be disabled to reduce the vulnerability to exploitation.

Configure kernel to trust the CPU random number generator

grub2_kernel_trust_cpu_rng

Description

There exist two ways how to ensure that the Linux kernel trusts the CPU hardware random number generator. If the option is configured during kernel compilation, e.g. the option CONFIG_RANDOM_TRUST_CPU is set to Y, make sure that it is not overridden with the boot parameter. There must not exist the boot parameter random.trust_cpu=off. If the option is not compiled in, make sure that random.trust_cpu=on is configured as a boot parameter. Configure the default Grub2 kernel command line to contain random.trust_cpu=on as follows:

# grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) random.trust_cpu=on"

Rationale

The Linux kernel offers an option which signifies if the kernel should trust data provided by CPU hardware random number generator. Hardware random number generators can provide random data very quickly and are used to generate random cryptographic keys. They can be useful during boot time when other means of getting random data can be slow because there is not yet enough entropy in the system.

Configure L1 Terminal Fault mitigations

grub2_l1tf_argument

Description

L1 Terminal Fault (L1TF) is a hardware vulnerability which allows unprivileged speculative access to data which is available in the Level 1 Data Cache when the page table entry isn't present. Select the appropriate mitigation by adding the argument l1tf=$var_l1tf_options to the default GRUB 2 command line for the Linux operating system. Configure the default Grub2 kernel command line to contain l1tf=$var_l1tf_options as follows:

# grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) l1tf=$var_l1tf_options"
Since Linux Kernel 4.19 you can check the L1TF vulnerability state with the following command: cat /sys/devices/system/cpu/vulnerabilities/l1tf

Rationale

The L1TF vulnerability allows an attacker to bypass memory access security controls imposed by the system or hypervisor. The L1TF vulnerability allows read access to any physical memory location that is cached in the L1 Data Cache.

Force kernel panic on uncorrected MCEs

grub2_mce_argument

Description

A Machine Check Exception is an error generated by the CPU itdetects an error in itself, memory or I/O devices. These errors may be corrected and generate a check log entry, if an error cannot be corrected the kernel may panic or SIGBUS. To force the kernel to panic on any uncorrected error reported by Machine Check set the MCE tolerance to zero by adding mce=0 to the default GRUB 2 command line for the Linux operating system. Configure the default Grub2 kernel command line to contain mce=0 as follows:

# grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) mce=0"

Rationale

Allowing uncorrected errors to result on a SIGBUS may allow an attacker to continue trying to exploit a vulnerability such as Rowhammer.

Configure Microarchitectural Data Sampling mitigation

grub2_mds_argument

Description

Microarchitectural Data Sampling (MDS) is a hardware vulnerability which allows unprivileged speculative access to data which is available in various CPU internal buffers. When performing store, load, L1 refill operations, processors write data into temporary microarchitectural structures (buffers), and the data in the buffer can be forwarded to load operations as an optimization. Under certain conditions, data unrelated to the load operations can be speculatively forwarded from the buffers to a disclosure gadget which allows in turn to infer the value via a cache side channel attack. Select the appropriate mitigation by adding the argument mds=$var_mds_options to the default GRUB 2 command line for the Linux operating system. Configure the default Grub2 kernel command line to contain mds=$var_mds_options as follows:

# grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) mds=$var_mds_options"
Not all processors are affected by all variants of MDS, but the mitigation mechanism is identical for all of them. Since Linux Kernel 5.2 you can check whether the system is vulnerable or mitigated with the following command: cat /sys/devices/system/cpu/vulnerabilities/mds

Rationale

The MDS vulnerability allows an attacker to sample data from internal CPU buffers.

System Must Avoid Meltdown and Spectre Exploit Vulnerabilities in Modern Processors

grub2_mitigation_argument

Description

Verify that Meltdown mitigations are not disabled:

$ sudo grubby --info=ALL | grep mitigations
The mitigations must not be set to "off".

Rationale

Hardware vulnerabilities allow programs to steal data that is currently processed on the computer. While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to obtain secrets stored in the memory of other running programs. This might include passwords stored in a password manager or browser; personal photos, emails, and instant messages; and business-critical documents.

Boot Loader Is Not Installed On Removeable Media

grub2_no_removeable_media

Description

The system must not allow removable media to be used as the boot loader. Remove alternate methods of booting the system from removable media. usb0, cd, fd0, etc. are some examples of removeable media which should not exist in the lines:

set root='hd0,msdos1'

Rationale

Malicious users with removable boot media can gain access to a system configured to use removable media as the boot loader.

Ensure SMAP is not disabled during boot

grub2_nosmap_argument_absent

Description

The SMAP is used to prevent the supervisor mode from unintentionally reading/writing into memory pages in the user space, it is enabled by default since Linux kernel 3.7. But it could be disabled through kernel boot parameters. Ensure that Supervisor Mode Access Prevention (SMAP) is not disabled by the nosmap boot paramenter option. Check that the line

GRUB_CMDLINE_LINUX="..."
within /etc/default/grub doesn't contain the argument nosmap. Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --remove-args="nosmap"

Rationale

Disabling SMAP can facilitate exploitation of vulnerabilities caused by unintended access and manipulation of data in the user space.

Ensure SMEP is not disabled during boot

grub2_nosmep_argument_absent

Description

The SMEP is used to prevent the supervisor mode from executing user space code, it is enabled by default since Linux kernel 3.0. But it could be disabled through kernel boot parameters. Ensure that Supervisor Mode Execution Prevention (SMEP) is not disabled by the nosmep boot paramenter option. Check that the line

GRUB_CMDLINE_LINUX="..."
within /etc/default/grub doesn't contain the argument nosmep. Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --remove-args="nosmep"

Rationale

Disabling SMEP can facilitate exploitation of certain vulnerabilities because it allows the kernel to unintentionally execute code in less privileged memory space.

Disable Kernel Support for USB via Bootloader Configuration

grub2_nousb_argument

Description

All USB support can be disabled by adding the nousb argument to the kernel's boot loader configuration. To do so, append "nousb" to the kernel line in /etc/default/grub as shown:

kernel /vmlinuz-VERSION ro vga=ext root=/dev/VolGroup00/LogVol00 rhgb quiet nousb

Rationale

Disabling the USB subsystem within the Linux kernel at system boot will protect against potentially malicious USB devices, although it is only practical in specialized systems.

Enable randomization of the page allocator

grub2_page_alloc_shuffle_argument

Description

To enable randomization of the page allocator in the kernel, add the page_alloc.shuffle=1 argument to the default GRUB 2 command line. Configure the default Grub2 kernel command line to contain page_alloc.shuffle=1 as follows:

# grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) page_alloc.shuffle=1"

Rationale

The CONFIG_SHUFFLE_PAGE_ALLOCATOR config option is primarily focused on improving the average utilization of a direct-mapped memory-side-cache. Aside of this performance effect, it also reduces predictability of page allocations in situations when the bad actor can crash the system and somehow leverage knowledge of (page) allocation order right after a fresh reboot, or can control the timing between a hot-pluggable memory node (as in NUMA node) and applications allocating memory ouf of that node. The page_alloc.shuffle=1 kernel command line parameter then forces this functionality irrespectively of memory cache architecture.

Enable page allocator poisoning

grub2_page_poison_argument

Description

To enable poisoning of free pages, add the argument page_poison=1 to the default GRUB 2 command line for the Linux operating system. Configure the default Grub2 kernel command line to contain page_poison=1 as follows:

# grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) page_poison=1"

Rationale

Poisoning writes an arbitrary value to freed pages, so any modification or reference to that page after being freed or before being initialized will be detected and prevented. This prevents many types of use-after-free vulnerabilities at little performance cost. Also prevents leak of data and detection of corrupted memory.

Set Boot Loader Password in grub2

grub2_password

Description

The grub2 boot loader should have a superuser account and password protection enabled to protect boot-time settings.

Since plaintext passwords are a security risk, generate a hash for the password by running the following command:

# grub2-setpassword
When prompted, enter the password that was selected.

Rationale

Password protection on the boot loader configuration ensures users with physical access cannot trivially alter important bootloader settings. These include which kernel to use, and whether to enter single-user mode.

Set Boot Loader Password in grub2 - systems prior to version 7.2

grub2_password_legacy

Description

The grub2 boot loader should have a superuser account and password protection enabled to protect boot-time settings.

Since plaintext passwords are a security risk, generate an encrypted grub2 password for the grub superusers with the following command:

$ grub2-mkpasswd-pbkdf2
When prompted, enter the password that was selected.

Using the hash from the output, modify the /etc/grub.d/40_custom file with the following content:
set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.VeryLongString
Once the superuser password has been added, update the grub.cfg file by running:
grub2-mkconfig -o /boot/grub2/grub.cfg

Rationale

Password protection on the boot loader configuration ensures users with physical access cannot trivially alter important bootloader settings. These include which kernel to use, and whether to enter single-user mode.

Enable Kernel Page-Table Isolation (KPTI)

grub2_pti_argument

Description

To enable Kernel page-table isolation, add the argument pti=on to the default GRUB 2 command line for the Linux operating system. Configure the default Grub2 kernel command line to contain pti=on as follows:

# grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) pti=on"

Rationale

Kernel page-table isolation is a kernel feature that mitigates the Meltdown security vulnerability and hardens the kernel against attempts to bypass kernel address space layout randomization (KASLR).

Configure the confidence in TPM for entropy

grub2_rng_core_default_quality_argument

Description

The TPM security chip that is available in most modern systems has a hardware RNG. It is also used to feed the entropy pool, but generally not credited entropy. Use rng_core.default_quality in the kernel command line to set the trust level on the hardware generators. The trust level defines the amount of entropy to credit. A value of 0 tells the system not to trust the hardware random number generators available, and doesn't credit any entropy to the pool. A value of 1000 assigns full confidence in the generators, and credits all the entropy it provides to the pool. Note that the value of rng_core.default_quality is global, affecting the trust on all hardware random number generators. Select the appropriate confidence by adding the argument rng_core.default_quality=$var_rng_core_default_quality to the default GRUB 2 command line for the Linux operating system. Configure the default Grub2 kernel command line to contain rng_core.default_quality=$var_rng_core_default_quality as follows:

# grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) rng_core.default_quality=$var_rng_core_default_quality"

Rationale

A system may struggle to initialize its entropy pool and end up starving. Crediting entropy from the hardware number generators available in the system helps fill up the entropy pool.

Disable merging of slabs with similar size

grub2_slab_nomerge_argument

Description

The kernel may merge similar slabs together to reduce overhead and increase cache hotness of objects. Disabling merging of slabs keeps the slabs separate and reduces the risk of kernel heap overflows overwriting objects in merged caches. To disable merging of slabs in the Kernel add the argument slab_nomerge=yes to the default GRUB 2 command line for the Linux operating system. Configure the default Grub2 kernel command line to contain slab_nomerge=yes as follows:

# grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) slab_nomerge=yes"

Rationale

Disabling the merge of slabs of similar sizes prevents the kernel from merging a seemingly useless but vulnerable slab with a useful and valuable slab. This increase the risk that a heap overflow could overwrite objects from merged caches, with unmerged caches the heap overflow would only affect the objects in the same cache. Overall, this reduces the kernel attack surface area by isolating slabs from each other.

Enable SLUB/SLAB allocator poisoning

grub2_slub_debug_argument

Description

To enable poisoning of SLUB/SLAB objects, add the argument slub_debug=$var_slub_debug_options to the default GRUB 2 command line for the Linux operating system. Configure the default Grub2 kernel command line to contain slub_debug=$var_slub_debug_options as follows:

# grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) slub_debug=$var_slub_debug_options"

Rationale

Poisoning writes an arbitrary value to freed objects, so any modification or reference to that object after being freed or before being initialized will be detected and prevented. This prevents many types of use-after-free vulnerabilities at little performance cost. Also prevents leak of data and detection of corrupted memory.

Configure Speculative Store Bypass Mitigation

grub2_spec_store_bypass_disable_argument

Description

Certain CPUs are vulnerable to an exploit against a common wide industry wide performance optimization known as Speculative Store Bypass (SSB). In such cases, recent stores to the same memory location cannot always be observed by later loads during speculative execution. However, such stores are unlikely and thus they can be detected prior to instruction retirement at the end of a particular speculation execution window. Since Linux Kernel 4.17 you can check the SSB mitigation state with the following command: cat /sys/devices/system/cpu/vulnerabilities/spec_store_bypass Select the appropriate SSB state by adding the argument spec_store_bypass_disable=$var_spec_store_bypass_disable_options to the default GRUB 2 command line for the Linux operating system. Configure the default Grub2 kernel command line to contain spec_store_bypass_disable=$var_spec_store_bypass_disable_options as follows:

# grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) spec_store_bypass_disable=$var_spec_store_bypass_disable_options"

Rationale

In vulnerable processsors, the speculatively forwarded store can be used in a cache side channel attack. An example of this is reading memory to which the attacker does not directly have access, for example inside the sandboxed code.

Enforce Spectre v2 mitigation

grub2_spectre_v2_argument

Description

Spectre V2 is an indirect branch poisoning attack that can lead to data leakage. An exploit for Spectre V2 tricks the indirect branch predictor into executing code from a future indirect branch chosen by the attacker, even if the privilege level is different. Since Linux Kernel 4.15 you can check the Spectre V2 mitigation state with the following command: cat /sys/devices/system/cpu/vulnerabilities/spectre_v2 Enforce the Spectre V2 mitigation by adding the argument spectre_v2=on to the default GRUB 2 command line for the Linux operating system. Configure the default Grub2 kernel command line to contain spectre_v2=on as follows:

# grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) spectre_v2=on"

Rationale

The Spectre V2 vulnerability allows an attacker to read memory that he should not have access to.

Ensure debug-shell service is not enabled during boot

grub2_systemd_debug-shell_argument_absent

Description

systemd's debug-shell service is intended to diagnose systemd related boot issues with various systemctl commands. Once enabled and following a system reboot, the root shell will be available on tty9 which is access by pressing CTRL-ALT-F9. The debug-shell service should only be used for systemd related issues and should otherwise be disabled.

By default, the debug-shell systemd service is already disabled. Ensure the debug-shell is not enabled by the systemd.debug-shel=1 boot paramenter option. Check that the line

GRUB_CMDLINE_LINUX="..."
within /etc/default/grub doesn't contain the argument systemd.debug-shell=1. Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --remove-args="systemd.debug-shell"

Rationale

This prevents attackers with physical access from trivially bypassing security on the machine through valid troubleshooting configurations and gaining root access when the system is rebooted.

Set the UEFI Boot Loader Admin Username to a Non-Default Value

grub2_uefi_admin_username

Description

The grub2 boot loader should have a superuser account and password protection enabled to protect boot-time settings.

To maximize the protection, select a password-protected superuser account with unique name, and modify the /etc/grub.d/01_users configuration file to reflect the account name change.

It is highly suggested not to use common administrator account names like root, admin, or administrator for the grub2 superuser account.

Change the superuser to a different username (The default is 'root').

$ sed -i 's/\(set superusers=\).*/\1"<unique user ID>"/g' /etc/grub.d/01_users


Once the superuser account has been added, update the grub.cfg file by running:
grubby --update-kernel=ALL

Rationale

Having a non-default grub superuser username makes password-guessing attacks less effective.

Set the UEFI Boot Loader Password

grub2_uefi_password

Description

The grub2 boot loader should have a superuser account and password protection enabled to protect boot-time settings.

Since plaintext passwords are a security risk, generate a hash for the password by running the following command:

# grub2-setpassword
When prompted, enter the password that was selected.

Rationale

Password protection on the boot loader configuration ensures users with physical access cannot trivially alter important bootloader settings. These include which kernel to use, and whether to enter single-user mode.

Set the UEFI Boot Loader Password - systems prior to version 7.2

grub2_uefi_password_legacy

Description

The grub2 boot loader should have a superuser account and password protection enabled to protect boot-time settings.

Since plaintext passwords are a security risk, generate a hash for the password by running the following command:

# grub2-mkpasswd-pbkdf2
When prompted, enter the password that was selected.

Using the hash from the output, modify the /etc/grub.d/40_custom file with the following content:
set superusers="root"
password_pbkdf2 boot grub.pbkdf2.sha512.VeryLongString
Once the superuser password has been added, update the grub.cfg file by running:
grub2-mkconfig -o /boot/grub2/grub.cfg

Rationale

Password protection on the boot loader configuration ensures users with physical access cannot trivially alter important bootloader settings. These include which kernel to use, and whether to enter single-user mode.

Disable vsyscalls

grub2_vsyscall_argument

Description

To disable use of virtual syscalls, add the argument vsyscall=none to the default GRUB 2 command line for the Linux operating system. Configure the default Grub2 kernel command line to contain vsyscall=none as follows:

# grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) vsyscall=none"

Rationale

Virtual Syscalls provide an opportunity of attack for a user who has control of the return instruction pointer.

UEFI Boot Loader Is Not Installed On Removeable Media

uefi_no_removeable_media

Description

The system must not allow removable media to be used as the boot loader. Remove alternate methods of booting the system from removable media. usb0, cd, fd0, etc. are some examples of removeable media which should not exist in the lines:

set root='hd0,msdos1'

Rationale

Malicious users with removable boot media can gain access to a system configured to use removable media as the boot loader.